Blog Post

Microsoft Sentinel Blog
5 MIN READ

Building toward an Agentic SOC: A Portable, Autonomous Malware Investigation Agent

absharan's avatar
absharan
Icon for Microsoft rankMicrosoft
Jul 13, 2026

Modern Security Operations Centers are not short on tools. They are short on continuity. Analysts jump from alert consoles to data exploration, from enrichment to investigation, and from evidence gathering to response—often across multiple interfaces and disconnected workflows.

A single malware incident may begin in Microsoft Sentinel, require enrichment in Defender, depend on targeted KQL hunting, and end with manual response actions somewhere else. Every handoff adds friction. Every context switch slows triage. And every inconsistency increases the risk of missed signals or delayed containment.

To explore what an Agentic SOC could look like in practice, I built a portable, autonomous malware investigation agent: a user-invocable workflow that takes an incident from investigation to evidence correlation to verdict and, when appropriate, to action.

The goal is simple: one prompt, one workflow, and a full incident lifecycle that moves cleanly from Investigate to Decide to Act.

The Real Problem: SOC Work Is Still Too Fragmented

In a conventional malware investigation, even experienced analysts spend too much time stitching the workflow together:

  • Pivoting across Sentinel and Defender
  • Manually extracting entities
  • Writing and optimizing multiple KQL queries
  • Context switching between tools
  • Making decisions with incomplete evidence

The operational impact is familiar to every SOC team:

  • Increased MTTR
  • Analyst fatigue
  • Inconsistent investigation quality

This fragmentation is exactly what a unified Microsoft Sentinel and Defender experience is built to solve, and it is where such an investigation agent demonstrates its value.

The Approach: A Portable Agent for End-to-End Malware Investigations

The agent is designed to handle the full investigation loop—not just enrichment, not just summarization, and not just response orchestration.

  • End-to-end malware investigation
  • Evidence-based verdicting
  • SOC-ready summarization
  • Optional automated response

Because it is defined as a portable agent, the same investigation pattern can be reused across environments with consistent logic, standardized outputs, and controlled automation boundaries.

  • Standardized investigations
  • Repeatable execution
  • Controlled automation
  • Cross-environment portability
Architecture Overview (End-to-End Flow)

Visual 1: Agentic SOC Investigation Workflow

User / Analyst Input
“Investigate Incident”

SOC AI Agent
Portable Investigator

Microsoft Sentinel
SecurityIncident • SecurityAlert • Data Lake (KQL)

Entity-Driven Queries
Device • User • File • IP

Evidence Correlation

Verdict + Summary
True Positive • False Positive • Benign True Positive

Optional Actions
Comment • Tag • Isolate

 

How the Agent Works: A Practical Deep Dive

Prerequisites

  • VS Code with GitHub Copilot
  • Microsoft Sentinel MCP server (provides the Triage and Data Lake exploration tools the agent runs on)
  • Microsoft Defender for Endpoint data (for the Device* hunting tables)
  • API permissions for any response action (e.g. endpoint isolation)
 1. Input & Trigger

The workflow starts with a simple natural-language prompt, for example:

Investigate Defender incident 1939

The input includes:

  • Defender Incident ID
  • Optional Sentinel workspace
2. Sentinel-First Investigation

The first design choice is deliberate: the agent starts from Sentinel as the investigation plane, within the Unified Defender Portal, where incidents are correlated across Sentinel and Defender, using it to retrieve incident structure, alert context, severity, timelines, and alert relationships before moving deeper.

  • Queries:
    • SecurityIncident
    • SecurityAlert
  • Extracts:
    • Severity
    • Timeline
    • Alert relationships

This ensures:

  • Consistent data plane
  • Reduced dependency on multiple APIs
3. Entity-Driven Correlation

Instead of launching broad hunts across the environment, the agent narrows the scope using the entities already present in the incident. That makes the investigation faster, cheaper, and more precise.

  • Extracts entities:
    • Device
    • User
    • File hash
    • IP/URL
  • Runs targeted queries only

Example tables:

  • DeviceProcessEvents
  • DeviceFileEvents
  • DeviceNetworkEvents

 

This is critical for:

  • Performance
  • Cost control
  • Precision

Visual 2: From Incident to Correlated Evidence

Incident

Alerts

Entities

Targeted Queries

Evidence

Incident 1939

Malware detection

device123
userA
file.exe

DeviceProcessEvents
DeviceFileEvents
DeviceNetworkEvents

Correlated execution, origin, and network signals

4. Evidence-Based Verdict

Once the signals are correlated, the agent produces one of three explicit outcomes—grounded in evidence rather than guesswork.

  • True Positive
  • False Positive
  • Benign True Positive

The verdict is:

  • Based on evidence only
  • Not guess-driven
  • Not heuristic overreach
5. SOC-Ready Output Standardization

The final output is intentionally standardized so an analyst can review the outcome quickly, understand the reasoning, and decide what happens next.

  • One-line verdict
  • ASCII findings table
  • Analyst summary
  • Actions taken
  • Optional containment recommendation

Visual 3: Standardized Investigation Output

Verdict: True Positive

Category

Findings

Incident Details

Severity: High

Malware Details

Trojan X detected

Device Posture

Real-time protection enabled

User Context

Standard user

Observed Activity

Suspicious process tree

Recommendation

Isolation recommended

Summary
  • Malware execution confirmed.
  • Blocked by Defender.
  • No lateral movement observed.
Actions Taken
  • Comment added.
  • Tag applied.
  • Awaiting isolation decision.
Optional Response & Containment

If permissions are available, the agent can:

  • Add incident comments
  • Tag incidents
  • Update classification
  • Close incidents
  • Perform endpoint isolation (gated with human in the loop)

With strict safeguards:

  • Evidence-backed decisions
  • Permission validation
  • Audit traceability

Visual 4: Workspace Portability Logic

Decision Point

Outcome

Workspace provided?

Yes → Use the specified workspace.

Workspace provided?

No → Detect available workspaces.

Only one workspace available?

Yes → Use it automatically.

Multiple workspaces available?

Ask the user to select one.

Missing permissions?

Fall back to read-only behavior.

 

Security & Operational Rigor

The agent enforces:

  • No secret storage
  • Use of existing authentication context
  • Clear reports of missing permissions
  • Minimized unnecessary queries

Why This Matters for the Agentic SOC Journey

This solution demonstrates three core pillars of agentic SOC:

1. Deterministic AI Execution

  • Standardized workflow
  • Repeatable outcomes
  • Consistent investigation depth
2. Human-in-the-Loop Control
  • Analyst decides final actions
  • No blind automation
  • Clear explainability
3. End-to-End Closure Capability

This is the most important:

  • Not just detection
  • Not just enrichment

Full lifecycle:

  • Investigate
  • Decide
  • Act

What’s Next

This pattern can be extended to:

  • Identity investigations
  • Insider risk
  • Multi-cloud threat correlation
  • Security Copilot-driven SOC agents

Final Thoughts

Most SOC automation still stops too early—at playbooks, enrichment, or isolated workflow steps. What is still missing in many environments is a cohesive execution model that can carry an investigation from signal to decision without losing context along the way.

  • Playbooks
  • Alert enrichment
  • Partial workflows

This pattern points to something more powerful: composable, intelligent SOC agents that can operate across the full incident lifecycle while keeping humans firmly in control of high-impact actions.

If an agentic SOC is the destination, portable investigation agents are a practical and credible way to start building toward it today.

Get the agent, setup steps, and instructions on GitHub:  

SOC Malware Investigator (Portable)SOC Malware Investigator (Portable)

Learn more

Updated Jul 10, 2026
Version 1.0