Overview

The Threat Research Agent is a specialized AI analyst designed to automate the collection, extraction, and contextualization of threat intelligence. It empowers security teams, particularly Cyber Threat Intelligence (CTI) analysts and Threat Hunters, to rapidly process unstructured data from various sources—such as security advisories, news articles, and threat reports—and transform it into actionable intelligence.

This agent acts as a force multiplier, meticulously parsing documents and URLs to identify and categorize Indicators of Compromise (IOCs), map adversary behaviors to the MITRE ATT&CK® framework, and enrich findings with critical context, saving analysts hours of manual work.

How It Works

The Threat Research Agent operates through a sophisticated workflow that begins the moment you provide it with data, such as a URL to a security advisory or the text of a report.

1. Data Ingestion and Parsing: The agent first ingests the provided content. It can process raw text or fetch and parse content directly from URLs, including HTML, PDFs, and structured formats like JSON and XML.
2. IOC Extraction and Categorization: It meticulously scans the content to identify and extract a comprehensive range of IOCs. Each IOC is then categorized by type (e.g., IP Address, Domain, File Hash, CVE) and presented in clear, organized markdown tables. The agent is trained to disambiguate between actual IOCs and non-threatening data, such as example IP addresses in documentation.
3. Recursive Enrichment from Linked Sources: The agent doesn't stop at the initial document. It automatically identifies hyperlinks within the source content and intelligently selects the most relevant ones (up to three) for further analysis. It prioritizes links to structured data (JSON/XML) or detailed reports (PDFs), extracting additional IOCs and context from these nested sources.
4. Threat Analysis and Framework Mapping:
   1. MITRE ATT&CK®: The agent analyzes the tactics, techniques, and procedures (TTPs) described in the content and maps them to the MITRE ATT&CK® framework, providing the specific Technique ID and Name.
   2. STIX™: If the source material contains data in the STIX™ format, the agent can interpret and summarize the intelligence, including STIX Domain Objects (SDOs) and Relationship Objects (SROs).
   3. CVE Enrichment: When CVE identifiers are found, the agent automatically enriches them with details from the National Vulnerability Database (NVD) and exploitability context from the Exploit Prediction Scoring System (EPSS). This helps prioritize vulnerabilities based on their real-world likelihood of being used in an attack.
5. Actionable Recommendations: Finally, the agent provides a summary of its key findings and suggests concrete, actionable next steps for the analyst, such as searching for a specific file hash across the enterprise or reviewing firewall logs for a malicious IP address.

Use Cases

This agent is designed to support critical CTI and threat hunting workflows.

Adversary Research and Reporting

Quickly analyze a new threat actor or malware report. Provide the agent with a URL to a security blog or a PDF report.

• Input: "Analyze this threat report for IOCs and TTPs: https://m.dict.cc/englisch-deutsch/to+report.html"
• Output: A full breakdown of all IOCs (IPs, domains, hashes), a list of MITRE ATT&CK® techniques used by the adversary, enriched details for any mentioned CVEs, and a summary of the threat.

Security Advisory Triage

Instantly understand the impact of a new vendor security advisory.

• Input: "What are the key IOCs and vulnerabilities in this advisory? https://dictionary.cambridge.org/us/dictionary/english/advisory"
• Output: A prioritized list of CVEs with their EPSS scores, extracted file hashes or other IOCs needed for hunting, and a summary of the threat context.

Proactive Threat Hunting

Generate actionable intelligence from raw or unstructured data. Paste text from an intelligence feed or an email into the agent.

• Input: "Extract indicators from this text: [Pasted text from a raw intel feed]"
• Output: A clean, categorized list of IOCs that can be immediately used to create search queries in your security tools or other Query Agents.

Recommended Connectors

While the Threat Research Agent primarily works with external data provided by the user (URLs and text), its output becomes significantly more powerful when used in conjunction with data sources connected to the Query Security Data Mesh. The IOCs and TTPs uncovered by the agent can be used to search for related activity across your entire environment.

To get the most out of the intelligence generated by this agent, we recommend having the following data sources connected:

• Endpoint Detection & Response (EDR) (e.g., CrowdStrike, Microsoft Defender for Endpoint, SentinelOne): To search for file hashes, process names, and host-based indicators.
• SIEM & Log Management (e.g., Splunk, Microsoft Sentinel, Sumo Logic): To hunt for network IOCs like IP addresses and domains in firewall, proxy, and DNS logs.
• Email Security Gateways (e.g., Proofpoint, Mimecast): To search for malicious email addresses, subjects, or attachment hashes.
• Cloud Infrastructure (e.g., AWS, Azure, GCP): To check for connections to or from malicious infrastructure in cloud trail and flow logs.

By leveraging these connectors, you can immediately pivot from the intelligence provided by the Threat Research Agent to active threat hunting within your environment.