Investigate alerts with AI, respond with confidence

Log360 Alert Investigation Agent autonomously analyzes alerts, correlates entities and threat intelligence, and reconstructs attack chains so your SOC team can act faster and have the full context of what they're dealing with.

Advanced threat detection in Log360

Security analysts sort through hundreds of alerts daily. Each one demands context: Which entities are involved? Are there related alerts? What does the log trail reveal? Manually piecing this together takes time, and most alerts never get a thorough investigation.

Log360 Zia Alert Investigation Agent changes this. It takes your selected alert and runs a full, multi-step investigation automatically. It identifies entities, checks threat intelligence, finds related alerts and logs, and builds a timeline of events. The result is a structured investigation report, complete with MITRE ATT&CK mapping and clear next steps—delivered in minutes instead of hours.

  • A built-in AI agent that works like your best analyst
  • AI-driven reasoning, analyst-guided control
  • Everything you need to act in one report

A built-in AI agent that works like your best analyst

When you initiate the Alert Investigation Agent on any alert, the agent uses LLM-driven reasoning to determine which actions to take based on the alert type and available data. It works through a defined set of investigation steps, with the sequence and depth tailored to each alert.

  • Entity identification and data enrichment: The agent extracts all entities from the alert: users, IP addresses, domains, hosts, processes, and files. It then queries VirusTotal, Log360's integrated Advanced Threat Analytics, and user and entity behavior analytics (UEBA) to assess each entity's risk level.
  • Related alert and log analysis: The agent searches for other alerts linked to the same entities, finding recurring patterns or coordinated activity across alert types. When alert data alone isn't enough, it queries log data using targeted searches to find additional events of interest.
  • Timeline construction and suggestions: Related findings are arranged chronologically to show how the attack played out. The agent then presents suggested immediate actions and future risks of the identified threat.
  • Investigation report: The agent creates a detailed report of the investigation trail that can be exported as a PDF and added to an existing or new incident as evidence.
  • Human in the loop: At key decision points, the agent pauses for user input. Users can select from the given options, and also manually enter queries in natural language to guide the investigation.

AI-driven reasoning, analyst-guided control

  • Pause and resume: Pause the investigation at any point. When you resume, the agent picks up from exactly where it stopped.
  • Redirect the investigation: After pausing, you can choose to continue analysis with a different entity or alert profile. The agent provides suggestions, or you can enter one manually. Use the Ask Zia text box to ask follow-up questions about specific entities or processes within the same investigation context.
  • Extend the search window: If no relevant alerts or logs are found in the initial time range, the agent offers to extend the search to previous days.

Everything you need to act in one report

  • Investigation report: The completed investigation includes a summary of findings, a chronological attack chain mapped to MITRE ATT&CK techniques, affected entities, recommended remediation actions, and the supporting event evidence.
  • Export as PDF: Download the complete investigation report for offline review, sharing with stakeholders, or compliance documentation.
  • Add to incident: Link the investigation to an existing incident or create a new one directly from the investigation window. The investigation details are attached to the incident as evidence.

Zia Insights + Alert Investigation Agent

From quick context to deep investigation

Zia Insights and the Alert Investigation Agent are designed to work together. When both are enabled, the system generates Insights first, giving you a quick contextual summary of the alert. From there, a single click on Start Investigation launches the full investigation workflow.

| Category | Zia Insights | Alert Investigation Agent |
| --- | --- | --- |
| Purpose | Quick contextual summary of alerts, logs, and incidents | Deep investigation to uncover root cause and the entire attack chain |
| Data enrichment | MITRE TTP mapping | Queries VirusTotal, Advanced Threat Analytics, and UEBA to assess risk for users, IPs, and domains |
| Depth | Single-event analysis | Digs through related logs, alerts, and threat intelligence sources |
| Availability | Logs, alerts, and incidents | Alerts only |
| Interaction | Read-only | Interactive: pause, resume, select options, or ask questions in natural language |
| Output | Summary, MITRE mapping, remediation suggestions | Full investigation report with entity risk, attack timeline, associated alerts and logs, immediate remediation actions, and future risk assessment; option to export and add the investigation trail to an incident |

Ready to transform your alert investigations?

Move from manual to AI-driven investigations that surface the full story behind every alert.