Network Activity Agent

Overview

The Network Activity Agent is a mission-specific AI agent designed to provide rapid, unbiased, and factual context about network activity. In today's decentralized environments, security data is scattered across cloud VPCs, endpoints, SaaS applications, and on-premises infrastructure. This distribution creates a crisis of context, making it difficult for analysts to understand the full story behind an IP address.

This agent solves this problem by automating the time-consuming process of data gathering and enrichment. It answers the fundamental questions an analyst has: "What is this IP?", "What has it communicated with?", and "Who owns it?" The agent's purpose is not to label activity as "malicious," but to deliver the comprehensive, factual context needed for a human analyst to make an informed and accurate security judgment.

How it Works

The Network Activity Agent operates on the Query Security Data Mesh, allowing it to query all connected data sources in place and in real time. This provides a complete, 360-degree view of an IP's behavior without the need to move or centralize data.

The agent follows a methodical, transparent workflow:

  1. Receive Input: An analyst provides one or more IP addresses for investigation.
  2. Internal Network Analysis: The agent uses its get_network_activity_by_ip tool to execute a live, federated query across all connected data sources (e.g., EDR, firewall, NetFlow). It gathers all connection events associated with the IP, including source/destination IPs and ports, protocols, and data transfer volumes. It also retrieves associated asset metadata like hostnames and MAC addresses from systems like CMDBs or EDRs.
  3. External Enrichment:
    1. The agent uses the is_public_ip tool to determine if the IP is public or private (RFC 1918).
    2. If the IP is public, the agent uses the retrieve_ip_geolocation_data tool to perform external enrichment, fetching vital context such as geolocation, ISP, ASN ownership, reverse DNS records, and full WHOIS data.
  4. Contextual Reporting: The agent compiles all the internal and external data into a single, structured, human-readable report. It can also reference its internal knowledge of the MITRE ATT&CK® framework to provide descriptive context for observed activity (e.g., noting traffic on a port commonly used for a specific technique) without inferring malicious intent.
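The four steps above, carried through as an added, offline example that is not code from the Query platform or its get_network_activity_by_ip, is_public_ip or retrieve_ip_geolocation_data tools. The event records, their field names, the port notes and the enrichment stub are all constructed for the illustration; the non-RFC 1918 addresses are RFC 5737 documentation addresses standing in for public ones. The public/private check goes beyond the page's RFC 1918 test by also treating loopback, link-local and RFC 6598 shared address space as non-public, which is the distinction a practitioner usually wants before spending an external lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, shaped like what a federated query over EDR and
# NetFlow sources might return. Field names are hypothetical.
SAMPLE_EVENTS = [
    {"src": "EDR", "src_ip": "10.20.30.40", "dst_ip": "203.0.113.25", "dst_port": 8443,
     "proto": "tcp", "bytes": 1_200, "process": "backupagent.exe", "host": "srv-files-01"},
    {"src": "NetFlow", "src_ip": "10.20.30.40", "dst_ip": "203.0.113.25", "dst_port": 8443,
     "proto": "tcp", "bytes": 48_000_000, "process": None, "host": None},
    {"src": "NetFlow", "src_ip": "10.20.30.40", "dst_ip": "10.20.30.7", "dst_port": 445,
     "proto": "tcp", "bytes": 3_500, "process": None, "host": None},
    {"src": "EDR", "src_ip": "10.20.30.40", "dst_ip": "10.20.30.9", "dst_port": 3389,
     "proto": "tcp", "bytes": 90_000, "process": "mstsc.exe", "host": "srv-files-01"},
    {"src": "NetFlow", "src_ip": "198.51.100.8", "dst_ip": "10.20.30.40", "dst_port": 22,
     "proto": "tcp", "bytes": 640, "process": None, "host": None},
]

# IPv4 space that is never routable on the public Internet. RFC 1918 is the
# category the workflow names; the others are added so an external lookup is
# not wasted on addresses that cannot be enriched.
NON_PUBLIC = {
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
    "shared address space (RFC 6598)": ["100.64.0.0/10"],
    "multicast/reserved": ["224.0.0.0/4", "240.0.0.0/4", "0.0.0.0/8"],
}
NON_PUBLIC_NETS = [(label, ipaddress.ip_network(c))
                   for label, cidrs in NON_PUBLIC.items() for c in cidrs]

# Descriptive context only (MITRE ATT&CK Remote Services sub-techniques);
# seeing one of these ports says nothing about intent.
PORT_NOTES = {
    22: "SSH (ATT&CK T1021.004)",
    445: "SMB / Windows admin shares (ATT&CK T1021.002)",
    3389: "RDP (ATT&CK T1021.001)",
}


def classify_ip(ip):
    """Return the non-public category an IPv4 address falls into, or 'public'."""
    addr = ipaddress.ip_address(ip)
    for label, net in NON_PUBLIC_NETS:
        if addr in net:
            return label
    return "public"


def is_public_ip(ip):
    """Step 3a: only public addresses are worth an external enrichment call."""
    return classify_ip(ip) == "public"


def summarize_activity(ip, events):
    """Step 2: group every connection involving `ip` by direction, peer, port and
    protocol, summing bytes and collecting whatever asset context each source had."""
    peers = defaultdict(lambda: {"bytes": 0, "events": 0, "sources": set(),
                                 "processes": set(), "hosts": set()})
    for ev in events:
        if ev["src_ip"] == ip:
            key = ("outbound", ev["dst_ip"], ev["dst_port"], ev["proto"])
        elif ev["dst_ip"] == ip:
            key = ("inbound", ev["src_ip"], ev["dst_port"], ev["proto"])
        else:
            continue
        p = peers[key]
        p["bytes"] += ev["bytes"]
        p["events"] += 1
        p["sources"].add(ev["src"])
        if ev["process"]:
            p["processes"].add(ev["process"])
        if ev["host"]:
            p["hosts"].add(ev["host"])
    return dict(peers)


def hosts_talking_to_range(cidr, events):
    """Internal addresses that connected to or from a CIDR range (the threat
    intelligence sweep described in Use Case 3)."""
    net = ipaddress.ip_network(cidr)
    hits = set()
    for ev in events:
        for local, remote in ((ev["src_ip"], ev["dst_ip"]), (ev["dst_ip"], ev["src_ip"])):
            if ipaddress.ip_address(remote) in net and not is_public_ip(local):
                hits.add(local)
    return hits


def sample_enrichment(ip):
    """Stand-in for step 3b (geolocation/ASN/rDNS lookup); constructed data."""
    return {"asn": "AS64496 (documentation ASN)", "country": "XX",
            "isp": "Example ISP", "rdns": "backup-gw.example.net"}


def build_report(ip, events, enrich):
    """Step 4: compile internal activity and, for public IPs, external context
    into a factual line-oriented report. `enrich` is only called for public IPs."""
    lines = [f"IP: {ip} ({classify_ip(ip)})"]
    if is_public_ip(ip):
        for key, value in sorted(enrich(ip).items()):
            lines.append(f"  {key}: {value}")
    for (direction, peer, port, proto), p in sorted(summarize_activity(ip, events).items()):
        ctx = ", ".join(sorted(p["processes"] | p["hosts"])) or "no asset context"
        note = f" [{PORT_NOTES[port]}]" if port in PORT_NOTES else ""
        lines.append(f"  {direction} {proto}/{port} {peer} ({classify_ip(peer)}): "
                     f"{p['events']} events, {p['bytes']} bytes, "
                     f"via {'/'.join(sorted(p['sources']))}; {ctx}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report("10.20.30.40", SAMPLE_EVENTS, sample_enrichment))
    print(build_report("203.0.113.25", SAMPLE_EVENTS, sample_enrichment))
    print("talked to 203.0.113.0/24:", hosts_talking_to_range("203.0.113.0/24", SAMPLE_EVENTS))
```

The summary deliberately merges the EDR record and the NetFlow record for the same peer and port: the EDR row contributes the process name and hostname, the NetFlow row contributes the bulk of the byte count, and the report shows both sources so the analyst can see where each fact came from.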

Use Cases

This agent is designed to accelerate core Security Operations Center (SOC) workflows, dramatically reducing the time required for initial investigation and triage.

Use Case 1: Triage a Firewall Alert

  • Scenario: A firewall alerts on an unusual outbound connection from an internal server to a public IP address on a non-standard port.
  • With the Agent: An analyst provides both the source and destination IPs to the agent. Within minutes, the agent returns a consolidated report showing:
    • The internal process that initiated the connection (from EDR data).
    • The total data transferred (from network flow data).
    • The owner, geolocation, and reverse DNS of the destination IP (from enrichment data).
  • Outcome: The analyst can immediately determine whether the activity is related to a legitimate service (e.g., a cloud backup provider) and close the alert, saving significant manual investigation time.

Use Case 2: Investigate Potential Lateral Movement

  • Scenario: An EDR system flags a suspicious PowerShell command on a user's workstation. The analyst needs to know if the machine attempted to contact other internal systems.
  • With the Agent: The analyst asks the agent to summarize all network activity for the workstation's IP address over the last few hours.
  • Outcome: The agent returns a clear summary of all internal connections, instantly highlighting any attempts to connect to other servers via RDP, SMB, or other protocols, providing clear evidence to escalate the incident.

Use Case 3: Enrich Threat Intelligence

  • Scenario: A new threat intelligence report lists an IP range used by a threat actor for command and control (C2).
  • With the Agent: An analyst provides the IP range to the agent. The agent queries the entire data mesh for any historical connections to or from that range.
  • Outcome: The agent can quickly identify whether any internal systems have communicated with the malicious infrastructure, providing a critical lead for a proactive threat hunt.

Recommended Connectors

To achieve the most comprehensive results, the Network Activity Agent should be connected to a variety of data sources that provide network and asset context. The following types of connectors are highly recommended:

  • Endpoint Detection & Response (EDR): Provides crucial process and asset context, linking network connections to specific applications and hostnames (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint).
  • Network Telemetry: Delivers detailed flow and session data, including bytes transferred and connection duration (e.g., Cisco Stealthwatch, Gigamon).
  • Firewall & Web Proxy: Offers logs of allowed and blocked connections at the network perimeter (e.g., Palo Alto Networks, Zscaler).
  • Cloud Infrastructure: Provides VPC flow logs and network security group information from cloud environments (e.g., AWS, Microsoft Azure, Google Cloud).
  • Configuration Management Database (CMDB): Enriches IP addresses with asset ownership, criticality, and business context (e.g., ServiceNow).