How the AI Works -- The Pipeline
By the time something reaches your queue, a chain of AI agents has already run a full investigation. Understanding what each agent does helps you read the platform's output accurately and know which parts are AI conclusions versus raw data.
The chain at a glance: Raw log event → Normalize → Enrich with threat intel → Score and triage → Correlate with related alerts → Route (human or auto-close) → Generate incident report. That entire chain runs automatically for every event. You see the finished output.
1. Ingest
Your connected SIEM sends raw events to Jutsu/AgentSOC's Ingest API continuously. The Ingest API validates and accepts each one. Sources can include Wazuh, Google Workspace Email Logs, Syslog, and custom webhooks.
2. Normalize
The Normalizer reshapes every event into a consistent internal format. An SSH failed login from Wazuh and a failed email login from Google Workspace are different raw log formats -- after normalization, they look identical to every downstream agent. This is what makes cross-source correlation possible.
Normalized events are stored in OpenSearch in a per-organization, weekly index. This is the data store underlying every Events, Alerts, and Incidents view in the platform.
3. Enrich
The Enrichment agent queries all nine TI providers for every observable in the event: IPs, file hashes, domains. It also checks your asset inventory and identity data. After this step, the platform knows whether the source IP has a bad reputation, what country it is in, whether the target host is internet-facing, and more.
4. Triage
The Triage agent assigns a risk score (0-100), a verdict (True Positive, False Positive, or Not Sure), and maps the activity to MITRE ATT&CK techniques.
5. Correlate
The Incident Correlation engine looks across all recent enriched alerts for patterns -- same attacker, same target, same technique, overlapping time window. Related alerts get grouped into an Incident. A single campaign across multiple hosts might generate 50 individual alerts; correlation surfaces all of them as one Incident.
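The normalize-then-correlate idea from steps 2 and 5, shown as an added example; this is not Jutsu/AgentSOC's own code. The internal schema, the two sample payloads, the field names and the 15-minute window are all assumptions made for the illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real Jutsu/AgentSOC payloads): a Wazuh SSH
# failed login and a Google Workspace failed email login from the same IP.
WAZUH_EVENT = json.dumps({"rule": {"id": "5716", "description": "sshd: authentication failed"},
                          "agent": {"name": "web-01"}, "timestamp": "2024-05-01T10:00:05Z",
                          "data": {"srcip": "203.0.113.7", "dstuser": "root"}})
GWS_EVENT = json.dumps({"id": {"applicationName": "login", "time": "2024-05-01T10:03:40Z"},
                        "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.7",
                        "events": [{"name": "login_failure"}]})

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(raw: str, source: str) -> dict:
    """Map a raw event into an assumed common schema; downstream steps never
    need to know which product produced it."""
    doc = json.loads(raw)
    if source == "wazuh":
        return {"source": source, "action": "auth_failure", "src_ip": doc["data"]["srcip"],
                "user": doc["data"]["dstuser"], "target": doc["agent"]["name"],
                "ts": _ts(doc["timestamp"])}
    if source == "google_workspace":
        return {"source": source, "action": "auth_failure", "src_ip": doc["ipAddress"],
                "user": doc["actor"]["email"], "target": "google_workspace",
                "ts": _ts(doc["id"]["time"])}
    raise ValueError(f"unsupported source: {source}")

def correlate(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Group normalized events sharing a source IP and action inside one time
    window into a single incident (simplified analogue of the Correlate step)."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for inc in incidents:
            if (inc["src_ip"], inc["action"]) == (ev["src_ip"], ev["action"]) \
                    and ev["ts"] - inc["last_seen"] <= window:
                inc["events"].append(ev)
                inc["last_seen"] = ev["ts"]
                break
        else:  # no open incident matched: start a new one
            incidents.append({"src_ip": ev["src_ip"], "action": ev["action"],
                              "last_seen": ev["ts"], "events": [ev]})
    return incidents

def demo() -> list:
    """Normalize both samples and correlate them; returns one incident."""
    return correlate([normalize(WAZUH_EVENT, "wazuh"),
                      normalize(GWS_EVENT, "google_workspace")])
```

Because both raw formats collapse into the same schema, the correlation step only ever compares `src_ip`, `action` and `ts`, which is the property that lets an SSH failure and an email login failure land in the same Incident.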
6. Respond
The Response agent decides what to do: escalate to your team as a Case (when confidence is insufficient), run an automated AgentSOAR playbook (when confident and automation is configured), or close automatically (when clearly benign). This decision is visible in the SOAR Response panel on every alert.
7. Report
For incidents, a Security Incident Report is generated automatically: campaign summary, executive summary, and recommended next steps.
What this means for you: When you open an alert, all seven steps have already run. The AI Verdict, enrichment results, MITRE mapping, risk score, and SOAR response are all pipeline outputs. You are reviewing a finished analysis and deciding whether to act, investigate further, or close.