Resolve security incident agentic workflow
Part of the Security Incident Response AI agent collection.
Chat with an AI agent in the Now Assist panel to help you create a resolution plan for a security incident and to resolve it.
Resolve security incident agentic workflow overview
Use the Resolve security incident agentic workflow to fetch the incident details, fetch the knowledge articles and similar closed security incidents, get a resolution plan, and resolve the security incident.
If you want to modify this agentic workflow, you can duplicate it, adjust the settings to suit your specific needs, and activate the duplicated version of the agentic workflow instead.
Agents used in the Resolve security incident agentic workflow
The Resolve security incident agentic workflow contains the following AI agents:
- Endpoint Detection and Response AI agent
- Exchange online integration handling AI agent
- Observable analysis AI agent
- Security incident resolution AI agent
- Security incident wrap up generator AI agent
- Security incident activities handling AI agent
Tools mapped to the Resolve security incident plan generator AI agent
All tools are of script type.
| Name | Execution mode | Description |
|---|---|---|
| Fetch security incident details | Autonomous | Fetches the security incident details from the security incident number. |
| Fetch knowledge and similar incidents | Autonomous | Fetches relevant knowledge articles and similar closed security incidents with a search query. |
Tools mapped to the Security incident wrap-up generator AI agent
| Tool type | Execution mode | Name | Description |
|---|---|---|---|
| Scripts | Autonomous | Fetches security incident details | Fetches the security incident details from the security incident number. |
| Scripts | Autonomous | Gets close code values | Tool to get available close code values for the security incident. |
| Scripts | Autonomous | Closes the security incident as false positive | Tool used when the incident is being closed as a false positive. |
| Scripts | Autonomous | Updates the security incident | Updates a field of the security incident. |
| Subflow | Autonomous | Generates close notes | Generates closure notes for the security incident. |
| Subflow | Autonomous | Generates post incident analysis | Generates post incident analysis for the security incident. |
Tools mapped to the Security incident observable analyzer AI agent
All tools are of script type.
| Name | Execution mode | Description |
|---|---|---|
| Retrieve capability execution results | Autonomous | Retrieves the results of threat lookup and observable enrichment runs. |
| Run Threat lookup | Autonomous | Performs threat lookup on observables. |
| Run Observable enrichment | Autonomous | Fetches additional context related to the observables. |
| Fetch Observable Associated to Security Incident | Autonomous | Retrieves the observables associated with a security incident. |
Tools mapped to the Security incident core activities handler AI agent
All tools are of script type.
| Name | Execution mode | Description |
|---|---|---|
| Update incident state | Autonomous | Updates the state field of a security incident. |
| Send email | Autonomous | Sends emails. |
| Create related record | Autonomous | Creates incidents, problems, change requests, or response tasks. The short_description, description, and security_incident_sys_id input parameters are mandatory to invoke this tool. |
Triggers for the Resolve security incident agentic workflow
There are no triggers for this use case; the workflow is started from the Now Assist panel. If required, you can add a trigger to invoke the use case automatically.