AI agents can autonomously triage cybersecurity incidents by automatically investigating ServiceNow tickets, querying Databricks for relevant logs, researching attack patterns via web search, and generating comprehensive incident reports in seconds—replacing the 30-45 minute manual process that security analysts typically perform.
Can an AI agent triage cyber security incidents end-to-end?
What if every cybersecurity ticket that hits your team automatically got investigated, analyzed, and answered before a human even opened it?
Secret Agent A here. Today, we're building exactly that. I have with me Anca, cybersecurity analyst. Hello, Anca.
Hello, Agent A. Thank you for having me. I've been waiting for this collab for so long because every day a new cybersecurity attack rises and also another vulnerability rises, so I really need your help on this one, because the triage process for those becomes harder and harder each day.
Okay. So, tell me exactly what is hard for your work. What does a security analyst do on a day-to-day basis?
So, basically, what we do as security analysts is we have a ServiceNow ticketing queue with a lot of tickets. I choose the one that has the highest priority and after that I correlate the logs, do some querying in Databricks to get the relevant data, and also use some web browsing for relevant information on the attack pattern.
And after that, I will do summarization on everything that I've done on my investigation and determine if it's malicious or not.
So, essentially, at the end you're going to have an email with your investigation, correct? From Databricks, triggered by a ServiceNow ticket.
Yeah.
Great. I think I have all the intel that I need. I'll come back with your agent in a few minutes.
Okay. So, we're building the agent now. The first step is to create the agent in UiPath Studio.
We head over to cloud.uipath.com, navigate into Studio, and create a new project.
Select new agent.
Now, here's where it gets interesting.
UiPath has an autopilot feature that can actually generate a starting point for your agent just from plain language.
So, I paste in my use case. Create an agent that is a cybersecurity analyst. It should trigger on a new ServiceNow request. The input is the ticket ID. It will extract data from the ticket, search Databricks for relevant logs, and search the internet for a solution. The output is an email for the impacted person. And then I click generate agent and watch what happens.
Autopilot generates a skeleton.
Essentially, it kicks off and starts building the agent structure automatically.
I switch to the form view so we can see what's being generated in real time. And it's already suggesting integration service activities, a web search and a web summary tool.
Those will be how the agent pulls the solution from the internet.
It also resolves the input and output schema automatically. The input would be the ticket ID and the output the email body, recipient, and ticket summary.
Then it generates the system prompt, the agent's operating instructions, and the user prompt that drives each execution.
This is the foundation.
Autopilot gave us maybe 70% of what we actually need. Now we go on and finish the job manually. The agent needs three tools to complete its mission.
Let's configure them.
The first tool is related to Databricks.
Search for Databricks in the activity library and you'll find a query activity that lets the agent hit your Databricks endpoint and pull relevant security logs based on the ticket context.
Add it to your agent. Then for ServiceNow to get the incidents, we are going to search for the ServiceNow activity.
We're using get incident.
And this will allow the agent to pull the ticket data from ServiceNow using the incoming ticket ID.
Add it to your agent as well. Then web summary. For internet research, I'm going with the web summary tool.
It handles finding and distilling relevant information from the web.
I'll skip the raw web search activity to keep things clean. Now configure the connection for web summary.
You'll need to create or select an existing connection here. And I've got one ready to go.
Three tools connected and ready. Time to see things in action.
I pull up my ServiceNow instance and grab a real ticket ID.
I'm picking one that is interesting.
A system that cannot reach certain websites.
Classic network cybersecurity incident.
I paste in the ticket ID, hit save and debug, and let it run. While the agent is working, let me tell you what's happening under the hood.
It's going to ServiceNow first to get the full incident context. Then it's hitting Databricks to pull relevant logs for the system.
Then it's surfacing solutions from web.
And finally, it's drafting an email.
All of that automatically. Here we go. The execution log tells us the full story.
Step one, the agent called the ServiceNow tool, pulled the ticket title, description, affected user, priority, everything that we need.
Step two, it ran a query in Databricks, surfaced the relevant logs for the system and time window.
And step three, it called the web summary tool, found known solutions for this type of connectivity issue from the internet.
And essentially, here's the final output. A complete structured email ready to go to the impacted person.
It summarizes what happened, what the logs show, and what the recommended remediation steps are.
This is what a trained cybersecurity analyst would have spent 30-45 minutes producing. The agent did it in seconds.
Okay, Anca, your agent is ready.
You can check the output out here.
So, essentially, what this agent does is whenever there is a ServiceNow ticket, it gets triggered, and then it searches relevant logs in Databricks, does a web search to identify relevant information, and composes an email to the user informing exactly what happened.
Okay, so, this agent really does all the heavy lifting, like it investigates the ticket automatically and delivers a complete analysis like an analyst does.
Exactly.
Okay, that's 30 to 45 minutes of repetitive work. That's great.
That's awesome. I'm glad that it really helps you. You can focus on the meaningful.
Yeah, on the investigation part. Thank you, Agent A.
You're welcome. Now, imagine this running 24/7 on every ticket that comes in across your entire security queue.
That's not science fiction.
That's what agents do. If you want to see how to take this further, add RAG for internal knowledge, route different ticket types to different workflows, or build a full escalation logic. Drop a comment and let me know. Subscribe because we're just getting started. Secret Agent A out.