{"slug": "building-an-agentic-soc-analyst-with-microsoft-sentinel-azure-log-analytics-and", "title": "Building an Agentic SOC Analyst with Microsoft Sentinel, Azure Log Analytics, and Gemini", "summary": "A developer built an Agentic SOC Analyst using Microsoft Sentinel, Azure Log Analytics, and Google's Gemini model to automate threat-hunting workflows. The system translates natural language requests into validated Kusto Query Language (KQL) queries, executes them against Azure Log Analytics, and maps findings to MITRE ATT&CK. It includes guardrails to prevent hallucinated tables or fields and uses synthetic datasets for safe testing.", "body_md": "Security Operations Centers generate an enormous amount of telemetry every day.\n\nFinding meaningful threats isn't usually limited by data.\n\nIt's limited by how quickly an analyst can ask the right questions.\n\nThat observation led me to build an **Agentic SOC Analyst**.\n\nThe goal wasn't to replace analysts.\n\nThe goal was to reduce the time between an investigation idea and actionable findings.\n\nA threat hunter often starts with a vague hypothesis.\n\nFor example:\n\n\"Something unusual happened with this user during the past two weeks.\"\n\nTurning that into an investigation usually requires:\n\nI wanted to automate as much of that workflow as possible while keeping humans in control.\n\nThe pipeline looks like this:\n\n```\nNatural Language Request\n            │\n            ▼\nGemini selects table, fields and filters\n            │\n            ▼\nGuardrails validate every selection\n            │\n            ▼\nGenerate scoped KQL\n            │\n            ▼\nQuery Azure Log Analytics\n            │\n            ▼\nGemini analyzes results\n            │\n            ▼\nStructured Findings + MITRE ATT&CK Mapping\n```\n\nEvery table and field selected by the model is validated against an allow-list before any query is executed.\n\nThis prevents hallucinated tables or unsupported fields from reaching Azure.\n\nThe current implementation includes:\n\nOne lesson I learned while building AI agents is that models shouldn't have unrestricted access to external systems.\n\nBefore any KQL query is executed, the agent validates:\n\nAnything outside the approved allow-list is discarded.\n\nThe model assists with decision-making, but deterministic code enforces safety.\n\nTesting SOC tooling against production logs isn't practical.\n\nTo solve this, I built utilities that generate synthetic Azure Activity, Entra ID sign-in, network, and device log datasets.\n\nThese datasets can be ingested into Azure Log Analytics, allowing the entire threat-hunting workflow to be tested safely without exposing sensitive information.\n\nThis project taught me that effective AI agents are more than prompt engineering.\n\nThey require:\n\nIt also gave me hands-on experience with Microsoft Sentinel, Azure Log Analytics, Kusto Query Language, and designing LLM-powered workflows for cybersecurity.\n\nI'm continuing to improve the agent by exploring:\n\nBuilding this project reinforced something I've come to believe about AI engineering.\n\nThe most valuable AI systems don't replace experts.\n\nThey help experts investigate faster while remaining transparent, predictable, and safe.", "url": "https://wpnews.pro/news/building-an-agentic-soc-analyst-with-microsoft-sentinel-azure-log-analytics-and", "canonical_source": "https://dev.to/waterbottle/building-an-agentic-soc-analyst-with-microsoft-sentinel-azure-log-analytics-and-gemini-3h35", "published_at": "2026-06-29 16:10:50+00:00", "updated_at": "2026-06-29 16:19:30.371809+00:00", "lang": "en", "topics": ["artificial-intelligence", "large-language-models", "ai-agents", "ai-safety", "ai-tools"], "entities": ["Microsoft Sentinel", "Azure Log Analytics", "Gemini", "Kusto Query Language", "MITRE ATT&CK", "Google", "Azure", "Entra ID"], "alternates": {"html": "https://wpnews.pro/news/building-an-agentic-soc-analyst-with-microsoft-sentinel-azure-log-analytics-and", "markdown": "https://wpnews.pro/news/building-an-agentic-soc-analyst-with-microsoft-sentinel-azure-log-analytics-and.md", "text": "https://wpnews.pro/news/building-an-agentic-soc-analyst-with-microsoft-sentinel-azure-log-analytics-and.txt", "jsonld": "https://wpnews.pro/news/building-an-agentic-soc-analyst-with-microsoft-sentinel-azure-log-analytics-and.jsonld"}}