Scenario
A Security Operations Center (SOC) team faces a flood of alerts from tools like CrowdStrike and Okta. These alerts often lack context, requiring enrichment and follow-up that slow investigations and lead to inconsistent decisions. While deterministic workflows offer consistency through predefined logic, they are rigid and difficult to scale.
To solve this, the team implemented an agentic workflow powered by three AI Agents: VirusTotal IOC Enricher (template), End User Interviewer (template), and custom Case Creator. This approach adapts in real time, with AI interpreting context, selecting the right tools, and taking dynamic actions. The result: faster, more flexible, and more accurate triage and case creation.
Challenge
The SOC team needed a way to:
Enrich alert data automatically with available tools.
Communicate with employees to verify context and cut false positives.
Summarize findings into standardized, auditable cases.
Reduce triage time without sacrificing accuracy.
Prerequisites
Before implementing this AI-driven SOC triage workflow, ensure the following components are set up:
CrowdStrike Integration: Required to retrieve device and detection data for enrichment.
Slack Integration: Required for the AI Agent to communicate with employees and notify the SOC team.
VirusTotal Integration: Used for IOC reputation checks.
Supporting Tools: Relevant workflows, cases, steps and their integrations must be configured and available in your workspace for tool usage by the AI Agents.
These prerequisites are specific to this example workflow. However, the same design can be implemented with any integrations or systems relevant to your environment. While the use case highlights CrowdStrike, Slack, and VirusTotal, the goal is to spark ideas; you can easily swap in the platforms and workflows that matter most to your organization.
Workflow overview
This workflow is designed to automate the triage and handling of CrowdStrike Falcon EPP alerts using a series of coordinated AI Agents and supporting automation steps. The flow begins with a CrowdStrike detection trigger, which initiates the execution when suspicious activity is detected on an endpoint.
Upon activation, the workflow leverages the following AI Agents:
VirusTotal IOC Enricher: Analyzes the alert and enriches it using available workflow tools. Powered by a Torq prebuilt template.
End User Interviewer: If needed, reaches out to the affected employee via Slack to gather additional context, such as whether the behavior was intentional or unexpected. Powered by a Torq prebuilt template.
Case Creator: Reviews all gathered data, determines severity, adds notes, creates a case summary, and optionally closes the case if it's a false positive. Customized from a blank AI Agent.
Using tool descriptions for proper execution
Providing a clear and structured description is essential for ensuring tools run correctly during agent execution. A well-crafted description helps the agent understand exactly what the tool expects, reduces execution errors, and improves consistency across workflows.
Below is an example of a description for the Create a case tool, as used in the custom Case Creator agent:
Create a new case based on the information collected so far.
Give the case a title that reflects the device and the incident that occurred.
The case SLA input is 48h (48 hours).
Provide the number and append "h" to it with no spaces.
The case category is the event category.
Keep the reporter and assignee blank.
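One practical use of a description this explicit is that it is checkable: before a "Create a case" tool call is executed, its arguments can be compared against the rules the description states. The validator below is an added example and not part of the page or of any Torq tool; the argument names `title`, `sla`, `category`, `reporter` and `assignee`, the event shape and the sample event are constructed assumptions.

```python
import re

# From the tool description: the SLA is the number of hours with "h" appended, no spaces.
SLA_PATTERN = re.compile(r"\d+h")
REQUIRED_SLA = "48h"


def validate_create_case_args(args: dict, event: dict) -> list:
    """Check a proposed 'Create a case' tool call against the description's rules.

    Returns the list of violations; an empty list means the call may run.
    """
    problems = []

    # "Give the case a title that reflects the device and the incident that occurred."
    title = str(args.get("title", "")).strip()
    hostname = str(event.get("device", {}).get("hostname", ""))
    if not title:
        problems.append("title is empty")
    elif hostname and hostname.lower() not in title.lower():
        problems.append(f"title does not name the device {hostname!r}")

    # "The case SLA input is 48h ... append 'h' to it with no spaces."
    sla = str(args.get("sla", ""))
    if not SLA_PATTERN.fullmatch(sla):
        problems.append(f"sla {sla!r} is not a number followed by 'h' with no spaces")
    elif sla != REQUIRED_SLA:
        problems.append(f"sla {sla!r} differs from the required {REQUIRED_SLA}")

    # "The case category is the event category."
    if args.get("category") != event.get("category"):
        problems.append(
            f"category {args.get('category')!r} is not the event category {event.get('category')!r}")

    # "Keep the reporter and assignee blank."
    for role in ("reporter", "assignee"):
        if args.get(role):
            problems.append(f"{role} must be left blank, got {args[role]!r}")

    return problems


# Constructed sample event and two candidate tool calls (not real CrowdStrike data).
SAMPLE_EVENT = {"device": {"hostname": "WS-1042"}, "category": "Malware"}

GOOD_CALL = {"title": "WS-1042: PowerShell downloaded an unknown script",
             "sla": "48h", "category": "Malware", "reporter": "", "assignee": ""}

BAD_CALL = {"title": "Suspicious activity", "sla": "48 h",
            "category": "Endpoint", "assignee": "analyst@example.test"}

if __name__ == "__main__":
    for name, call in (("good", GOOD_CALL), ("bad", BAD_CALL)):
        print(name, validate_create_case_args(call, SAMPLE_EVENT) or "ok")
```

Running the check as a workflow step between the agent's decision and the actual case creation turns the description from advice into a contract: a call that violates it is logged and sent back rather than creating a malformed case.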
Start your workflow
Add a trigger based on CrowdStrike Falcon integration.
Configure VirusTotal IOC Enricher (template)
Role: You are a SOC Analyst. Investigate incoming alerts and enrich Indicators of Compromise (IOCs) such as file hashes, IPs, domains, and URLs.
Objective: Use the tools available to enrich the alert information whenever relevant:
Extract all IOCs from the alert.
Enrich each IOC with the right tools (e.g., IP > Get IP Information, File hash > Get File Report By Hash, URL > Get URL Analysis report).
Always process all IOCs, avoid missing any.
Summarize results in a structured way and provide an initial conclusion with insights.
If no IOCs are found, summarize with:
Could not find any IOCs to enrich.
Final Report:
Summarize all IOCs with findings.
Provide overall severity, reasoning, and recommended actions.
Expose tool calls and evidence used.
Subscription: Torq.
AI Model: gpt-4o.
Tools: Get IP Information, Get URL Analysis Report, Get File Report by Hash, Get Domain Information.
Configure End User Interviewer (template)
Role: You are a Security Agent assisting the SOC team by interviewing end users about security alerts or suspicious activity. Your goal is to collect clear, validated information that helps confirm or dismiss incidents, without exposing technical data.
Goal: Produce a complete, structured Q&A transcript summarizing the interaction.
Behavior:
Use simple, friendly, non-technical language.
Reveal only minimal and relevant details (no logs or raw data).
After each user response:
Decide whether to ask another question or close the case.
If unanswered, mark unreachable; if blank/canceled, ask once more.
Close politely when sufficient information is gathered, finishing the interview with a proper message that summarizes the interaction and thanks the user on behalf of the security team. Use the Slack send block form tool.
Format messages for Slack: **bold**, _italic_, `inline code`, and links as <https://example.com|example site>.
Start first message with:
> Hello from your Security Team,
Tools:
Multiple Choice Question: Use 2–4 short, natural options (≤ 15 chars). Options should sound human and action-based (e.g., Clicked Link, Didn't Click, Opened Email). Limit: 2 times per incident.
Open Question: One free-text clarification or justification (max 1 use).
Examples for Events and Tool Use (ask short, relevant questions; request justification only if the user confirms):
Login / New Location: Ask if the login from <location> at <timestamp> or via VPN was the user's. Example options: It was me, VPN, Not me.
Phishing Email: Ask if the user received a message from <from_email>, opened it, clicked links, or expected it. Example options: Opened Email, Clicked Link, Didn't Click, Didn't Receive. Follow up only if the user interacted.
Privileged Script Run: Ask if <script_name> was executed; if yes, ask why. Example options: Ran Script, Didn't Run, Not Sure.
DLP / Sensitive Data: Ask if the transfer or upload was expected or approved. Example options: Approved, Not Approved, Not Sure.
Cloud Resource Exposure: Ask if <resource_name> of type <resource_type> was exposed intentionally. Example options: Yes, No, Not Sure.
Vulnerability Detected: Notify of <CVE_ID> in <app_name>; ask if recent changes were made. Example options: Yes, No, Not Sure.
Malware / C2 / Credential Exposure: Notify of suspicious activity; ask only if needed (e.g., Did you install or open anything recently?). Example options: Yes, No, Not Sure.
Subscription: Torq.
AI Model: gpt-4o.
Tools: Ask User a Multiple-Choice Question, Send Block Form with Open Text Input or Selection Options.
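The interviewer's behavior rules (2–4 options of at most 15 characters, two multiple-choice questions and one open question per incident, the greeting on the first message, unreachable versus retry on a missing or blank reply, a closing summary with thanks) are limits the workflow can enforce outside the model rather than trusting the prompt alone. The class below is an added example that is not Torq's template code; the payload shape, the `Interview` class, and the assumption that a second blank reply after the one retry counts as unreachable are mine, since the page only says to "ask once more".

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_OPTION_LEN = 15          # "<= 15 chars" per option
MULTIPLE_CHOICE_LIMIT = 2    # "Limit: 2 times per incident"
OPEN_QUESTION_LIMIT = 1      # "max 1 use"
GREETING = "> Hello from your Security Team,"
MC_TOOL = "Ask User a Multiple-Choice Question"
FORM_TOOL = "Send Block Form with Open Text Input or Selection Options"


class InterviewBudgetExceeded(Exception):
    """Raised when a tool call would go past the per-incident limits."""


@dataclass
class Interview:
    """Tracks one incident's interview so tool calls stay within the template's limits."""
    incident_id: str
    multiple_choice_used: int = 0
    open_used: int = 0
    retried_blank: bool = False
    transcript: list = field(default_factory=list)   # (role, text) pairs

    def _message(self, text: str) -> str:
        # The first message sent to the user must open with the greeting line.
        return text if self.transcript else f"{GREETING}\n{text}"

    def ask_multiple_choice(self, question: str, options: list) -> dict:
        if self.multiple_choice_used >= MULTIPLE_CHOICE_LIMIT:
            raise InterviewBudgetExceeded("multiple-choice questions exhausted for this incident")
        if not 2 <= len(options) <= 4:
            raise ValueError("a multiple-choice question needs 2-4 options")
        too_long = [o for o in options if len(o) > MAX_OPTION_LEN]
        if too_long:
            raise ValueError(f"options longer than {MAX_OPTION_LEN} chars: {too_long}")
        payload = {"tool": MC_TOOL, "text": self._message(question), "options": list(options)}
        self.multiple_choice_used += 1
        self.transcript.append(("agent", question))
        return payload

    def ask_open(self, question: str) -> dict:
        if self.open_used >= OPEN_QUESTION_LIMIT:
            raise InterviewBudgetExceeded("the single open question is already used")
        payload = {"tool": FORM_TOOL, "text": self._message(question)}
        self.open_used += 1
        self.transcript.append(("agent", question))
        return payload

    def record_response(self, reply: Optional[str]) -> str:
        """No reply -> 'unreachable'; blank/cancelled -> 'retry' once, then (assumed) 'unreachable'; else 'continue'."""
        if reply is None:                       # the user never answered
            self.transcript.append(("user", "(no response)"))
            return "unreachable"
        if reply.strip() == "" or reply.strip().lower() in ("cancel", "cancelled", "canceled"):
            self.transcript.append(("user", "(blank or cancelled)"))
            if self.retried_blank:              # assumption: one retry only
                return "unreachable"
            self.retried_blank = True
            return "retry"
        self.transcript.append(("user", reply))
        return "continue"

    def close(self) -> dict:
        """Closing block form: the Q&A summary in Slack formatting plus thanks."""
        lines = [f"*{role.title()}:* {text}" for role, text in self.transcript]
        body = "*Summary of our conversation*\n" + "\n".join(lines) + "\n\nThanks from the Security Team."
        return {"tool": FORM_TOOL, "text": self._message(body)}


if __name__ == "__main__":
    iv = Interview("INC-0001")                   # constructed incident id
    print(iv.ask_multiple_choice("Did you run update.ps1 today?", ["Ran Script", "Didn't Run", "Not Sure"]))
    print(iv.record_response("Ran Script"))
    print(iv.ask_open("What was the reason for running it?"))
    print(iv.record_response("Testing a deployment."))
    print(iv.close()["text"])
```

Because the counters live in the workflow rather than in the model's context, a prompt-injected or simply confused agent cannot talk its way into a third multiple-choice message or a second open question, and the transcript the Case Creator later stores as the "User Interview Audit" note is the same one the guard recorded.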
Configure Case Creator (custom)
Role: You are a SOC Analyst responsible for handling Endpoint Detection and Response (EDR) alerts from platforms like CrowdStrike Falcon. These alerts may involve suspicious activity such as URL access, installation of malicious files, execution of rootkits or unauthorized executables, and outbound communication with known Command & Control (C&C) servers, among other potential threats.
Objective:
Analyze the alert information, including all added triage/enrichment/user response information.
Create a Case with the alert details and define a severity based on all the enrichment data and responses.
Use Informational severity if the case is expected to be closed right away as a False Positive.
Always add observables to the Case based on the available IOCs related to the incident and their enrichment data.
Always add a note to the case based on the user interaction called "User Interview Audit".
Always add a note to the case based on the initial enrichment information.
Return the ID of the case created explicitly.
Additional context for the case:
EDR event data: {{ $.event }}
Enrichment and initial analysis: {{ $.virustotal_ioc_enricher.response }}
End User Interview: {{ $.end_user_interviewer.response }}
Subscription: Torq.
AI Model: gpt-4o.
Tools: Create a case, Add observables to case, Add a new note to a case.
Check the Action Flow of the Execution Log
After the agent execution completes, you can review the Action Flow in the Execution Log to understand exactly what happened:
Input: Review the context and instructions passed to the agent.
Tool Calls: Check each tool used, including the inputs sent and the outputs returned. If needed, select a tool call and click Open Execution in New Tab to view the details of the associated workflow's operation.
Output: View the agent’s final response or decision.
This view helps validate the agent’s logic, understand its reasoning, and quickly spot any issues.
Outcome
This AI-powered workflow led to:
Faster alert triage with contextual understanding in seconds, not minutes.
Consistent case creation and severity classification based on structured logic.
Reduction in false positive escalations through direct employee communication.
Clear audit trails via agent-generated summaries, notes, and transcripts.
Increased SOC team focus on real threats instead of repetitive investigation tasks.
By combining intelligent enrichment, human-in-the-loop communication, and structured case handling, the Torq workflow transformed alert triage into a scalable, AI-assisted process.