# Overview

> **SCU Cost Estimate**
>
> This agent typically consumes **0.2-3 SCUs** per incident analysis, depending on incident complexity, the number of entities involved, and the depth of threat intelligence enrichment.

### Introduction

Forensic Agent Core is your automated incident analyst. If you've ever looked at a Defender XDR incident and thought "I need the full story, not just scattered alerts", this agent is for you. It takes an incident ID, pulls together everything related, enriches it with threat intelligence, builds a minute-by-minute timeline, and delivers a comprehensive forensic report that would normally take hours of manual investigation.


### What It Does

* **Reconstructs incident timelines** minute by minute from scattered alerts and events
* **Extracts and maps entities** (devices, users, IPs, domains, files, hashes) and their relationships
* **Enriches with threat intelligence** using multiple sources (Shodan, SSL certs, WHOIS, CIRCL, reputation services)
* **Analyzes device security posture** showing vulnerabilities, software, and configuration
* **Tracks identity activity** with risk events and authentication patterns
* **Correlates analyst comments** to provide investigation context
* **Classifies incidents** as True Positive, False Positive, or needs escalation with malicious intent scoring
* **Recommends remediation** with prioritized, actionable steps
* **Generates standardized reports** ready for handoffs, audits, or escalation

### Use Cases

#### 1. Incident Triage and Initial Assessment

You have a new high-severity incident and need to quickly understand what happened. Forensic Agent Core analyzes the incident, builds a timeline, identifies key entities, and provides a classification (True/False Positive) with confidence scoring. Instead of spending 30-60 minutes gathering context, you get a complete picture in minutes.

#### 2. Preparing Incident Reports for Management

Leadership wants a clear explanation of a security incident. The agent generates a comprehensive forensic report with an executive summary, timeline, entity map, threat intel findings, and remediation recommendations. Everything is standardized and ready to present, no manual report writing needed.

#### 3. Threat Intelligence Enrichment

An incident involves external IPs and domains, but you don't know if they're malicious. Forensic Agent Core enriches all indicators with open-source and commercial threat intelligence (Shodan port scans, SSL certificate analysis, WHOIS data, malware associations, reputation scores). You get curated intel that highlights what actually matters.

#### 4. Deep-Dive Forensic Analysis

A critical incident requires detailed investigation before response. The agent performs advanced hunting queries, extracts all related entities, analyzes device and identity posture, correlates events into a precise timeline, and provides forensic-level detail about what happened, when, and how. Save hours of manual correlation work.

#### 5. SOC Team Handoffs and Escalations

You need to escalate an incident to Tier 2 or an external forensics team. The agent's standardized report provides complete context, timeline, entity relationships, threat intel, and initial analysis. The receiving team can pick up immediately without asking for clarification or redoing research.

### Why Forensic Agent Core?

| The Problem You're Dealing With                                                                 | How This Helps                                                                             |
| ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| **Fragmented alerts everywhere**: Incident has dozens of alerts, unclear how they relate        | **Complete timeline**: Minute-by-minute reconstruction showing how events connect          |
| **Missing context**: Alerts show what happened but not why or what it means                     | **Entity mapping**: Full picture of devices, users, IPs, domains, and their relationships  |
| **Manual threat intel lookups**: Copying indicators into multiple tools takes forever           | **Automated enrichment**: All indicators enriched with curated intel from multiple sources |
| **Device and identity data disconnected**: Can't see how user activity relates to device events | **Integrated analysis**: Device posture and identity activity correlated in one view       |
| **Time pressure for reports**: Management wants detailed analysis but you have 30 minutes       | **Ready-made reports**: Comprehensive forensic report generated automatically              |
| **Noisy intel feeds**: Too much information, unclear what's actually important                  | **Curated findings**: Agent highlights what matters, filters out noise                     |

### How It Works

**What goes in:**

* Incident ID from Microsoft Defender XDR
* Associated alerts, entities, and evidence
* Analyst comments and investigation notes
* Device and user activity data
* Threat intelligence feeds (Shodan, CIRCL, reputation services)

**What it does:**

* Retrieves complete incident data including all alerts and entities
* Performs advanced hunting queries to find related activity
* Extracts all entities (devices, users, IPs, domains, files, hashes)
* Builds entity relationship map
* Reconstructs minute-by-minute timeline from events
* Enriches external indicators with threat intelligence
* Analyzes device security posture (vulnerabilities, software, config)
* Tracks identity activity and risk events
* Correlates analyst comments with timeline
* Classifies incident with malicious intent scoring
* Generates prioritized remediation recommendations

**What you get:**

* Executive summary with key findings and classification
* Minute-by-minute timeline of incident progression
* Entity inventory with relationships (who, what, where, when)
* Device security posture summary (vulnerabilities, software, security controls)
* Identity activity summary (authentication, risk events, behavior)
* Threat intelligence findings:
  * Open ports/services/vulnerabilities (Shodan)
  * SSL certificate metadata and validation
  * WHOIS registration data
  * Malware associations and file reputation (CIRCL)
  * IP/domain reputation scores
* Incident classification (True Positive, False Positive, Escalate)
* Malicious intent confidence score
* Prioritized remediation recommendations with specific actions
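To make the entity-extraction, relationship-map and timeline steps above concrete, here is an added example written for this page (not the agent's own implementation): it runs those stages over a few constructed alert records whose field names are an assumption, not the Defender XDR schema.

```python
"""Minimal illustration of the timeline / entity-map stage described above.
Added example, not the agent's code; alert shape and values are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (field names assumed): timestamp, title, and the
# entities each alert references as (type, value) pairs. 203.0.113.7 is a
# documentation-range address, not a real indicator.
SAMPLE_ALERTS = [
    {"id": "a1", "time": "2024-05-01T10:03:12Z", "title": "Suspicious PowerShell",
     "entities": [("device", "WS-0042"), ("user", "j.doe"), ("process", "powershell.exe")]},
    {"id": "a2", "time": "2024-05-01T10:03:40Z", "title": "Outbound to rare IP",
     "entities": [("device", "WS-0042"), ("ip", "203.0.113.7")]},
    {"id": "a3", "time": "2024-05-01T10:07:05Z", "title": "Risky sign-in",
     "entities": [("user", "j.doe"), ("ip", "203.0.113.7")]},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def build_timeline(alerts):
    """Minute-by-minute timeline: alerts grouped into one-minute buckets, in order."""
    buckets = defaultdict(list)
    for a in sorted(alerts, key=lambda x: parse_time(x["time"])):
        minute = parse_time(a["time"]).strftime("%Y-%m-%d %H:%M")
        buckets[minute].append(a["title"])
    return dict(buckets)

def build_entity_map(alerts):
    """Relationship map: entities that co-occur in the same alert are linked."""
    links = defaultdict(set)
    for a in alerts:
        ents = [f"{t}:{v}" for t, v in a["entities"]]
        for e in ents:
            links[e].update(x for x in ents if x != e)
    return {k: sorted(v) for k, v in links.items()}

def pivot_entities(alerts, min_alerts=2):
    """Entities seen in at least min_alerts alerts: the likely pivots of the incident."""
    counts = defaultdict(int)
    for a in alerts:
        for t, v in a["entities"]:
            counts[f"{t}:{v}"] += 1
    return sorted(k for k, n in counts.items() if n >= min_alerts)

def external_indicators(alerts):
    """Deduplicated IPs/domains to hand to the threat-intelligence enrichment stage."""
    return sorted({v for a in alerts for t, v in a["entities"] if t in ("ip", "domain")})
```

The pivot list is what a triage analyst reads first: an entity that ties several alerts together is the thread the timeline and enrichment stages follow.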

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/forensic-agent-core/overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
