Setting up Investigation Agent

Overview

The Investigation Agent in Log360 uses the same AI configuration as Zia Insights. You can enable the capability using either Azure OpenAI or OpenAI. Only one provider can be active at a time, and all AI-driven investigation features will rely on the currently enabled model.

This page explains how to access the Investigation Agent and the configuration steps required to configure Azure OpenAI or OpenAI.

Accessing Investigation Agent

1. Log in to the product console.
2. Go to the Settings tab, and select Admin.
3. Navigate to Zia and select Configuration.

   

4. In the Zia page, choose either Azure OpenAI or OpenAI and click Configure Now.
   NOTE Only one provider can be enabled at a time.

   

5. A configuration window appears.
6. If you select Azure OpenAI, enter the following details obtained from your Azure Portal:
   • Endpoint URL
   • DeploymentName
   • API Key
   NOTE Refer to the following pages to configure Azure OpenAI:

   • Creating an Azure OpenAI resource
   • Steps to obtain Endpoint URL and API key
   • Deploying a model in Azure OpenAI

   

7. Click Save to complete the initial setup.
8. If you select OpenAI, select the Model from the dropdown.

   

9. Enter the API Key.
   NOTE Refer to this section to configure OpenAI.

   

10. Click Save to complete the initial setup.
11. After configuring Azure OpenAI or OpenAI:
    • Use the Insights toggle to enable or disable the Investigation Agent.
      NOTE You may enable both Insights and Investigation, or only one, based on your requirements.

      

12. When you enable Investigation Agent, a pop-up window appears displaying the data privacy notice. Read the notice carefully, select the checkbox to acknowledge the terms, and then click Proceed to continue.
    NOTE To generate AI-powered insights and investigation results, the processes contextual data associated with logs, alerts, and entities. This includes the following types of information:

    • User-related information: usernames, account names, email, phone number, department, group names, mailgroups, mailbox names, company names, user information, and security ID (SID).
    • Device and directory information: hostnames, computer names, domain, distinguished path of AD object, and AD object names.
    • Network and location information: IP address, region, and country.
    • Request and URL information: URL links, HTTP requests, and HTTP request parameters.
    • Application and database information: database name.

    This data is processed only to support contextual analysis, correlation, investigation workflows, and remediation guidance within the product.

    

    

13. To switch between Azure OpenAI and OpenAI, use the toggle to disable the currently active provider.

    

14. A confirmation pop-up will appear. Click Yes to disable, and then configure the other provider.

    

15. To delete a configuration, select Delete existing Azure/OpenAI configuration and click Yes to confirm your deletion.

    

    NOTE If you attempt to configure another provider while one is already enabled, the existing provider will be disabled automatically.

    

    In the confirmation pop-up that appears, click Proceed to continue with the new configuration.

    

Read also:

This page explained how to configure and enable the Investigation Agent. To learn how to invoke investigations within the product, refer to:

• Invoking Investigation Agent