Asset Information Agent

Overview

The Asset Info Agent is an AI-powered analyst dedicated to one of the most fundamental tasks in security: locating, identifying, and contextualizing assets within your environment. It serves as an on-demand source of truth for any device, server, or resource an analyst might encounter during an investigation.

How It Works

The Asset Info Agent combines a powerful Large Language Model (LLM) with a suite of specialized tools and a curated knowledge base to deliver comprehensive asset intelligence.

  • Natural Language Understanding: At its core, the agent uses an LLM as its reasoning engine. This allows it to understand plain-English questions from security analysts, ranging from simple requests such as "Tell me about this IP" to more complex queries such as "Find all unhardened Linux servers in our cloud environment."
  • Federated Search Integration: The agent's primary power comes from its integration with the Query Federated Search platform. Unlike tools that query a static or stale Configuration Management Database (CMDB), the Asset Info Agent pulls information live from all connected sources. When you ask about an asset, the agent can simultaneously query your Endpoint Detection and Response (EDR) platform, cloud provider APIs, vulnerability scanner, and other asset data sources. This provides a real-time, 360-degree view of the asset's current state.
  • Specialized Tools: The agent translates natural language questions into precise queries using a set of purpose-built tools designed to filter and find assets by almost any attribute, including:
    • Operating System (e.g., Windows, Linux, macOS)
    • Device Type (e.g., server, laptop, firewall, IoT)
    • Owner or Logged-in User
    • Physical or Logical Location
    • Specific Identifiers (IP address, MAC address, device ID, hostname)
  • Curated Security Knowledge: The agent's analysis is enriched by an embedded knowledge base of security best practices, including the Cimcor System Hardening Checklist and NIST SP 800-123 (Guide to General Server Security). This allows the agent not only to report on an asset's configuration but also to compare it against industry standards to instantly highlight potential security gaps.

Supported Use Cases

The Asset Info Agent is designed to add immediate value to several core security workflows, moving analysts from hunting for information to having context delivered on demand.

Use Case 1: Instant Incident Enrichment

  • Scenario: A SOC analyst receives a critical alert: "Multiple failed login attempts from 10.50.2.101 to server 192.168.1.5."
  • Without the Agent: The analyst begins a manual investigation, checking DHCP logs to identify the source IP and consulting a CMDB to identify the destination server, wasting valuable time just to understand the entities involved.
  • With the Agent: The analyst asks, "Tell me about assets 10.50.2.101 and 192.168.1.5." Within seconds, the agent returns a full profile for both:
    • 10.50.2.101: A Windows 11 laptop assigned to user 'jdoe' in the Marketing department.
    • 192.168.1.5: A production RHEL 8 server named 'PROD-FINANCE-DB' running a critical Oracle database.
  • Outcome: The analyst immediately understands the severity—a user's machine is potentially attempting to brute-force a critical financial database—and can escalate with full context in under two minutes.
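The enrichment flow in this use case, as an added Python example that is not Query's own code: each connector is a constructed in-memory stand-in for a live source (EDR, CMDB, cloud API), the asset records and the alert text are constructed sample data, and the field-authority table is this example's own choice. It shows what a federated lookup buys over a single CMDB read: each field comes from the source that is authoritative for it (the EDR's current hostname beats the CMDB's stale one), the profile records which sources actually answered, and the triage step escalates when a critical asset is involved.

```python
"""Federated asset enrichment for alert triage.

Added example, not Query's own code: every "connector" here is a constructed
in-memory stand-in for a live source (EDR, CMDB, cloud API). The merge shows
the point of a federated lookup: each field is taken from whichever source is
authoritative for it, and the profile records which sources actually answered,
so an analyst can see when context is missing rather than silently stale.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample inventories keyed by IP address (hypothetical data).
EDR_RECORDS = {
    "10.50.2.101": {"hostname": "LT-JDOE-01", "os": "Windows 11",
                    "logged_in_user": "jdoe", "agent_version": "7.2.1"},
    "192.168.1.5": {"hostname": "PROD-FINANCE-DB", "os": "RHEL 8",
                    "logged_in_user": None, "agent_version": "7.2.1"},
}
CMDB_RECORDS = {
    "10.50.2.101": {"hostname": "LT-JDOE-01", "owner": "jdoe", "department": "Marketing",
                    "device_type": "laptop", "criticality": "low"},
    # Stale lowercase hostname on purpose: the CMDB entry was never updated.
    "192.168.1.5": {"hostname": "prod-finance-db", "owner": "dba-team", "department": "Finance",
                    "device_type": "server", "criticality": "critical",
                    "application": "Oracle database"},
}
CLOUD_RECORDS = {
    "192.168.1.5": {"instance_id": "i-EXAMPLE0001", "network": "vpc-prod-finance"},
}

# A connector is any callable that returns a record for an IP, or None if unknown.
Connector = Callable[[str], Optional[Dict]]
CONNECTORS: Dict[str, Connector] = {
    "edr": EDR_RECORDS.get,
    "cmdb": CMDB_RECORDS.get,
    "cloud": CLOUD_RECORDS.get,
}

# Source precedence per field (this example's choice): live EDR telemetry is
# authoritative for runtime facts, the CMDB for business context, the cloud
# API for cloud identity.
FIELD_AUTHORITY: Dict[str, List[str]] = {
    "hostname": ["edr", "cmdb"],
    "os": ["edr"],
    "logged_in_user": ["edr"],
    "owner": ["cmdb"],
    "department": ["cmdb"],
    "device_type": ["cmdb"],
    "criticality": ["cmdb"],
    "application": ["cmdb"],
    "instance_id": ["cloud"],
    "network": ["cloud"],
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text: str) -> List[str]:
    """Pull IPv4 literals out of free-text alert, in order, without duplicates."""
    seen, ips = set(), []
    for ip in IPV4.findall(text):
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips


def enrich_asset(ip: str, connectors: Dict[str, Connector] = CONNECTORS) -> Dict:
    """Query every connector for the IP and merge the answers by field authority."""
    raw = {name: conn(ip) for name, conn in connectors.items()}
    profile: Dict = {"ip": ip, "sources_responding": [n for n, r in raw.items() if r]}
    for field, order in FIELD_AUTHORITY.items():
        # First authoritative source that actually has a value for this field wins.
        profile[field] = next(
            (raw[s][field] for s in order if raw.get(s) and raw[s].get(field) is not None),
            None,
        )
    return profile


def triage_alert(alert_text: str) -> Dict:
    """Enrich every IP in an alert; escalate when a critical asset is involved."""
    assets = {ip: enrich_asset(ip) for ip in extract_ips(alert_text)}
    escalate = any(p["criticality"] == "critical" for p in assets.values())
    return {"assets": assets, "escalate": escalate}


# Constructed alert text mirroring the use case above.
ALERT = "Multiple failed login attempts from 10.50.2.101 to server 192.168.1.5."

if __name__ == "__main__":
    result = triage_alert(ALERT)
    for ip, p in result["assets"].items():
        print(ip, p["device_type"], p["hostname"], p["os"], p["owner"], p["criticality"],
              "sources:", p["sources_responding"])
    print("escalate:", result["escalate"])
```

The `sources_responding` list is the detail worth keeping in a real deployment: an empty list for an IP means the agent found nothing, which is a different finding from "low criticality" and should be surfaced to the analyst rather than merged away.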

Use Case 2: Proactive Security Posture Management

  • Scenario: A security architect wants to assess the organization's adherence to hardening standards for all internet-facing web servers.
  • Without the Agent: This is a multi-week project involving manually gathering server lists from different teams, scheduling configuration audits, and comparing results against a spreadsheet.
  • With the Agent: The architect asks, "Show me all assets with device type 'server' in group 'internet-facing'. Summarize their hardening status against NIST SP 800-123."
  • Outcome: The agent queries the data mesh, retrieves live configuration data, and provides a report detailing which servers are compliant and which have specific gaps (e.g., "Missing patch management," "Logging disabled"). What previously took weeks is now accomplished in minutes.
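The filter-then-assess pattern behind this use case (and the attribute filters listed under "Specialized Tools" above), as an added Python example that is not Query's own code. The inventory is constructed, and the hardening checks are this example's own, loosely modelled on themes that NIST SP 800-123 covers (patching, logging, removing unneeded services, restricting remote administration); they are not the document's control text and the gap messages are illustrative.

```python
"""Filter assets by attribute, then report each one's hardening gaps.

Added example, not Query's own code. The inventory is constructed, and the
checks are this example's own, loosely modelled on themes NIST SP 800-123
covers (patching, logging, removing unneeded services, restricting remote
administration); they are not the document's control text.
"""
from typing import Callable, Dict, List, Tuple

# Constructed inventory: attributes plus the live configuration a connector returned.
INVENTORY: List[Dict] = [
    {"hostname": "web-01", "device_type": "server", "group": "internet-facing",
     "config": {"patch_management": True, "logging_enabled": True,
                "listening_services": ["https"],
                "remote_admin_sources": ["10.10.0.0/24"]}},
    {"hostname": "web-02", "device_type": "server", "group": "internet-facing",
     "config": {"patch_management": False, "logging_enabled": False,
                "listening_services": ["https", "telnet"],
                "remote_admin_sources": ["10.10.0.0/24"]}},
    {"hostname": "db-01", "device_type": "server", "group": "internal",
     "config": {"patch_management": True, "logging_enabled": True,
                "listening_services": ["oracle"],
                "remote_admin_sources": ["10.10.0.0/24"]}},
    {"hostname": "LT-JDOE-01", "device_type": "laptop", "group": "endpoints", "config": {}},
]

# Each check: (gap message reported when it fails, predicate over the config dict).
Check = Tuple[str, Callable[[Dict], bool]]
# Cleartext/legacy services a hardened server should not expose (example list).
UNNEEDED = {"telnet", "ftp", "rsh"}
HARDENING_CHECKS: List[Check] = [
    ("Missing patch management", lambda c: c.get("patch_management") is True),
    ("Logging disabled", lambda c: c.get("logging_enabled") is True),
    ("Unneeded services listening",
     lambda c: not (UNNEEDED & set(c.get("listening_services", [])))),
    # A missing allow-list is treated as open, the conservative reading.
    ("Remote administration open to any source",
     lambda c: "0.0.0.0/0" not in c.get("remote_admin_sources", ["0.0.0.0/0"])),
]


def find_assets(inventory: List[Dict], **filters) -> List[Dict]:
    """Return assets whose attributes match every filter (the 'specialized tool' step)."""
    return [a for a in inventory if all(a.get(k) == v for k, v in filters.items())]


def assess(asset: Dict, checks: List[Check] = HARDENING_CHECKS) -> List[str]:
    """Run every check against the asset's config; return messages for failed checks."""
    return [msg for msg, ok in checks if not ok(asset["config"])]


def posture_report(inventory: List[Dict], filters: Dict,
                   checks: List[Check] = HARDENING_CHECKS) -> Dict[str, Dict]:
    """Map hostname -> compliance verdict and gap list for the assets matching filters."""
    report: Dict[str, Dict] = {}
    for asset in find_assets(inventory, **filters):
        gaps = assess(asset, checks)
        report[asset["hostname"]] = {"compliant": not gaps, "gaps": gaps}
    return report


if __name__ == "__main__":
    query = {"device_type": "server", "group": "internet-facing"}
    for host, verdict in posture_report(INVENTORY, query).items():
        status = "compliant" if verdict["compliant"] else "gaps: " + "; ".join(verdict["gaps"])
        print(f"{host}: {status}")
```

Keeping the checks as a list of (message, predicate) pairs is what lets the same engine answer a later request against a different standard: the filter and reporting code stay the same and only the check list changes.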

Recommended Connectors

The Asset Info Agent's effectiveness is directly proportional to the quality and breadth of the data it can access. To achieve a comprehensive, 360-degree view of your assets, we recommend connecting to a variety of sources across your security and IT infrastructure. The more context the agent has, the more intelligent and valuable its insights will be.

Key Connector Categories:

  • Endpoint Detection & Response (EDR) / Endpoint Protection Platform (EPP): Sources like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint provide rich, real-time data on hostnames, operating systems, logged-in users, and agent versions.
  • Configuration Management Database (CMDB): Platforms like ServiceNow are crucial for providing business context, such as asset ownership, department, and criticality.
  • Cloud Service Providers (CSP): Connecting to AWS, Azure, and GCP APIs provides definitive information on cloud assets, including instance IDs, virtual machine configurations, and network settings.
  • Vulnerability Management Tools: Scanners like Tenable, Qualys, or Rapid7 offer vital data on an asset's patch level and known vulnerabilities, which the agent can use to assess its security posture.
  • Identity and Access Management (IAM): Systems like Active Directory or Okta can help correlate devices with the users who own or access them.
  • Network Infrastructure: Data from firewalls, switches, and routers can provide network-level context, such as an asset's location or VLAN.