Open the Agent Builder
Basic Information
Roles and Responsibilities
Abilities
Publish your Agent
Navigate to Workflow Page
Add the Agent to the Workflow
Define the Agent's Task
Output Example
JSON output to illustrate the expected structure of the agent's output. This helps with downstream step configuration and validation. If you prefer the response to be plain text, simply leave this section blank.
JSON output example should be provided. The JSON output can support up to three levels of nesting, meaning it can include objects or arrays nested inside each other, but only up to three layers deep.
JSON Output Format- Phishing Email Example
JSON Output Format- Security Alert Summary Example
This JSON output example provides a structured, human-readable summary of a security alert. It captures what occurred (alert_summary), who was involved (user_summary), the behavior of the device (device_summary), and any suspicious indicators like external IPs, file hashes, and URLs. It concludes with recommended_actions: specific steps an analyst should take to investigate or remediate the incident. This format is typically used to enrich alerts and support triage decisions.
JSON Output Format- Alert Mapping to MITRE ATT&CK Example
This JSON output example maps alert details to the MITRE ATT&CK framework, offering standardized fields like alert_name, alert_title, source, and severity. Most importantly, it includes a mitre_mapping field that ties observed behavior to known adversary tactics and techniques. This format helps analysts quickly understand the nature of the threat and align it with industry-recognized classifications for faster, more informed response.
Advanced-Timeout in Minutes
Enable 'Use Draft Version in Edit Mode'
Publish your Workflow
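The following added example (not part of the original documentation or the product's own code) checks a pasted Output Example against the three-level nesting limit described in the Output Example section, using a constructed Security Alert Summary. The level-counting rule, the indicators wrapper and its key spellings are assumptions.

```python
import json

MAX_DEPTH = 3  # nesting limit stated in the Output Example section

# Constructed sample. alert_summary, user_summary, device_summary and
# recommended_actions are named on the page; the "indicators" wrapper and
# its key spellings are assumptions.
SAMPLE = """{
  "alert_summary": "Multiple failed sign-ins followed by a success",
  "user_summary": "jdoe, Finance",
  "device_summary": "LAPTOP-01 contacted one external host",
  "indicators": {
    "external_ips": ["203.0.113.10"],
    "file_hashes": [],
    "urls": ["https://example.test/login"]
  },
  "recommended_actions": ["Reset the password", "Review sign-in logs"]
}"""


def too_deep_paths(value, limit=MAX_DEPTH, depth=0, path="$"):
    """Return paths of objects/arrays nested deeper than `limit`.
    Assumed rule: each object or array is one level (top level included).
    """
    if isinstance(value, dict):
        children = [(f"{path}.{k}", v) for k, v in value.items()]
    elif isinstance(value, list):
        children = [(f"{path}[{i}]", v) for i, v in enumerate(value)]
    else:
        return []  # scalar values add no level
    if depth + 1 > limit:
        return [path]  # report the outermost offender, do not descend further
    found = []
    for child_path, child in children:
        found.extend(too_deep_paths(child, limit, depth + 1, child_path))
    return found


def check_output_example(text, limit=MAX_DEPTH):
    """Return (ok, problems) for the text pasted into Output Example."""
    if not text.strip():
        return True, []  # blank field: the agent responds in plain text
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    paths = too_deep_paths(doc, limit)
    return not paths, [f"nested deeper than {limit} levels: {p}" for p in paths]
```

Running `check_output_example` on the example before publishing the agent catches a structure that downstream workflow steps would not be able to rely on.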