Modern Security Operations Centers are not short on tools. They are short on continuity. Analysts jump from alert consoles to data exploration, from enrichment to investigation, and from evidence gathering to response—often across multiple interfaces and disconnected workflows.
A single malware incident may begin in Microsoft Sentinel, require enrichment in Defender, depend on targeted KQL hunting, and end with manual response actions somewhere else. Every handoff adds friction. Every context switch slows triage. And every inconsistency increases the risk of missed signals or delayed containment.
To explore what an Agentic SOC could look like in practice, I built a portable, autonomous malware investigation agent: a user-invocable workflow that takes an incident from investigation to evidence correlation to verdict and, when appropriate, to action.
The goal is simple: one prompt, one workflow, and a full incident lifecycle that moves cleanly from Investigate to Decide to Act.
The Real Problem: SOC Work Is Still Too Fragmented
In a conventional malware investigation, even experienced analysts spend too much time stitching the workflow together:
- Pivoting across Sentinel and Defender
- Manually extracting entities
- Writing and optimizing multiple KQL queries
- Context switching between tools
- Making decisions with incomplete evidence
The operational impact is familiar to every SOC team:
- Increased MTTR
- Analyst fatigue
- Inconsistent investigation quality
This fragmentation is exactly what a unified Microsoft Sentinel and Defender experience is built to solve, and it is where such an investigation agent demonstrates its value.
The Approach: A Portable Agent for End-to-End Malware Investigations
The agent is designed to handle the full investigation loop—not just enrichment, not just summarization, and not just response orchestration.
- End-to-end malware investigation
- Evidence-based verdicting
- SOC-ready summarization
- Optional automated response
Because it is defined as a portable agent, the same investigation pattern can be reused across environments with consistent logic, standardized outputs, and controlled automation boundaries.
- Standardized investigations
- Repeatable execution
- Controlled automation
- Cross-environment portability
Architecture Overview (End-to-End Flow)
Visual 1: Agentic SOC Investigation Workflow
|
User / Analyst Input |
|
↓ |
|
SOC AI Agent |
|
↓ |
|
Microsoft Sentinel |
|
↓ |
|
Entity-Driven Queries |
|
↓ |
|
Evidence Correlation |
|
↓ |
|
Verdict + Summary |
|
↓ |
|
Optional Actions |
How the Agent Works: A Practical Deep Dive
Prerequisites
- VS Code with GitHub Copilot
- Microsoft Sentinel MCP server (provides the Triage and Data Lake exploration tools the agent runs on)
- Microsoft Defender for Endpoint data (for the Device* hunting tables)
- API permissions for any response action (e.g. endpoint isolation)
1. Input & Trigger
The workflow starts with a simple natural-language prompt, for example:
Investigate Defender incident 1939
The input includes:
- Defender Incident ID
- Optional Sentinel workspace
2. Sentinel-First Investigation
The first design choice is deliberate: the agent starts from Sentinel as the investigation plane, within the Unified Defender Portal, where incidents are correlated across Sentinel and Defender, using it to retrieve incident structure, alert context, severity, timelines, and alert relationships before moving deeper.
- Queries:
- SecurityIncident
- SecurityAlert
- Extracts:
- Severity
- Timeline
- Alert relationships
This ensures:
- Consistent data plane
- Reduced dependency on multiple APIs
3. Entity-Driven Correlation
Instead of launching broad hunts across the environment, the agent narrows the scope using the entities already present in the incident. That makes the investigation faster, cheaper, and more precise.
- Extracts entities:
- Device
- User
- File hash
- IP/URL
- Runs targeted queries only
Example tables:
- DeviceProcessEvents
- DeviceFileEvents
- DeviceNetworkEvents
This is critical for:
- Performance
- Cost control
- Precision
Visual 2: From Incident to Correlated Evidence
|
Incident |
Alerts |
Entities |
Targeted Queries |
Evidence |
|
Incident 1939 |
Malware detection |
device123 |
DeviceProcessEvents |
Correlated execution, origin, and network signals |
4. Evidence-Based Verdict
Once the signals are correlated, the agent produces one of three explicit outcomes—grounded in evidence rather than guesswork.
- True Positive
- False Positive
- Benign True Positive
The verdict is:
- Based on evidence only
- Not guess-driven
- Not heuristic overreach
5. SOC-Ready Output Standardization
The final output is intentionally standardized so an analyst can review the outcome quickly, understand the reasoning, and decide what happens next.
- One-line verdict
- ASCII findings table
- Analyst summary
- Actions taken
- Optional containment recommendation
Visual 3: Standardized Investigation Output
|
Verdict: True Positive | |
|
Category |
Findings |
|
Incident Details |
Severity: High |
|
Malware Details |
Trojan X detected |
|
Device Posture |
Real-time protection enabled |
|
User Context |
Standard user |
|
Observed Activity |
Suspicious process tree |
|
Recommendation |
Isolation recommended |
Summary
- Malware execution confirmed.
- Blocked by Defender.
- No lateral movement observed.
Actions Taken
- Comment added.
- Tag applied.
- Awaiting isolation decision.
Optional Response & Containment
If permissions are available, the agent can:
- Add incident comments
- Tag incidents
- Update classification
- Close incidents
- Perform endpoint isolation (gated with human in the loop)
With strict safeguards:
- Evidence-backed decisions
- Permission validation
- Audit traceability
Visual 4: Workspace Portability Logic
|
Decision Point |
Outcome |
|
Workspace provided? |
Yes → Use the specified workspace. |
|
Workspace provided? |
No → Detect available workspaces. |
|
Only one workspace available? |
Yes → Use it automatically. |
|
Multiple workspaces available? |
Ask the user to select one. |
|
Missing permissions? |
Fall back to read-only behavior. |
Security & Operational Rigor
The agent enforces:
- No secret storage
- Use of existing authentication context
- Clear reports of missing permissions
- Minimized unnecessary queries
Why This Matters for the Agentic SOC Journey
This solution demonstrates three core pillars of agentic SOC:
1. Deterministic AI Execution
- Standardized workflow
- Repeatable outcomes
- Consistent investigation depth
2. Human-in-the-Loop Control
- Analyst decides final actions
- No blind automation
- Clear explainability
3. End-to-End Closure Capability
This is the most important:
- Not just detection
- Not just enrichment
Full lifecycle:
- Investigate
- Decide
- Act
What’s Next
This pattern can be extended to:
- Identity investigations
- Insider risk
- Multi-cloud threat correlation
- Security Copilot-driven SOC agents
Final Thoughts
Most SOC automation still stops too early—at playbooks, enrichment, or isolated workflow steps. What is still missing in many environments is a cohesive execution model that can carry an investigation from signal to decision without losing context along the way.
- Playbooks
- Alert enrichment
- Partial workflows
This pattern points to something more powerful: composable, intelligent SOC agents that can operate across the full incident lifecycle while keeping humans firmly in control of high-impact actions.
If an agentic SOC is the destination, portable investigation agents are a practical and credible way to start building toward it today.
Get the agent, setup steps, and instructions on GitHub:
SOC Malware Investigator (Portable)SOC Malware Investigator (Portable)
Learn more
- Microsoft Sentinel MCP server: https://learn.microsoft.com/azure/sentinel/datalake/sentinel-mcp-overview
- Microsoft Sentinel data lake: https://learn.microsoft.com/azure/sentinel/datalake/sentinel-lake-overview
- Advanced hunting (Defender device tables): https://learn.microsoft.com/microsoft-365/security/defender/advanced-hunting-overview
Microsoft Sentinel is an industry-leading SIEM & AI-first platform powering agentic defense across the entire security ecosystem.