Building an Agentic SOC Analyst with Microsoft Sentinel, Azure Log Analytics, and Gemini

A developer built an Agentic SOC Analyst using Microsoft Sentinel, Azure Log Analytics, and Google's Gemini model to automate threat-hunting workflows. The system translates natural language requests into validated Kusto Query Language (KQL) queries, executes them against Azure Log Analytics, and maps findings to MITRE ATT&CK. It includes guardrails to prevent hallucinated tables or fields and uses synthetic datasets for safe testing.

Security Operations Centers generate an enormous amount of telemetry every day. Finding meaningful threats isn't usually limited by data. It's limited by how quickly an analyst can ask the right questions. That observation led me to build an Agentic SOC Analyst. The goal wasn't to replace analysts. The goal was to reduce the time between an investigation idea and actionable findings.

A threat hunter often starts with a vague hypothesis. For example: "Something unusual happened with this user during the past two weeks." Turning that into an investigation usually requires:

I wanted to automate as much of that workflow as possible while keeping humans in control.

The pipeline looks like this:

Natural Language Request
        │
        ▼
Gemini selects table, fields and filters
        │
        ▼
Guardrails validate every selection
        │
        ▼
Generate scoped KQL
        │
        ▼
Query Azure Log Analytics
        │
        ▼
Gemini analyzes results
        │
        ▼
Structured Findings + MITRE ATT&CK Mapping

Every table and field selected by the model is validated against an allow-list before any query is executed. This prevents hallucinated tables or unsupported fields from reaching Azure.

The current implementation includes:

One lesson I learned while building AI agents is that models shouldn't have unrestricted access to external systems. Before any KQL query is executed, the agent validates:

Anything outside the approved allow-list is discarded. The model assists with decision-making, but deterministic code enforces safety.
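One way to implement that allow-list guardrail in Python, as an added example rather than the project's own code: the model hands back a structured selection (table, fields, lookback, filters), deterministic code checks every part of it, and only then is scoped KQL built. The table names, permitted columns, operators, selection schema and the sample selection are all assumptions constructed for illustration.

```python
"""Allow-list guardrail: turn a model-proposed selection into scoped KQL."""
import re

# Assumed allow-list (constructed for this example): table -> permitted columns.
ALLOWED_TABLES = {
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "ResultType", "IPAddress", "AppDisplayName"},
    "AzureActivity": {"TimeGenerated", "Caller", "OperationNameValue", "ActivityStatusValue"},
}
ALLOWED_OPERATORS = {"==", "!=", "contains", "startswith"}
# Filter values are data, never KQL: no quotes, pipes, newlines or comment markers.
_VALUE_RE = re.compile(r"[A-Za-z0-9@._:\- ]{1,128}")
_LOOKBACK_RE = re.compile(r"(\d{1,3})[dh]")  # e.g. 14d or 48h

class GuardrailError(ValueError):
    """Some part of the model's selection is outside the allow-list."""

def build_scoped_kql(selection: dict) -> str:
    """Validate table, fields, lookback and filters deterministically, then emit KQL."""
    table = selection.get("table")
    if table not in ALLOWED_TABLES:
        raise GuardrailError(f"table not in allow-list: {table!r}")
    allowed = ALLOWED_TABLES[table]
    fields = list(selection.get("fields", []))
    bad = [f for f in fields if f not in allowed]
    if not fields or bad:
        raise GuardrailError(f"fields not in allow-list for {table}: {bad}")
    m = _LOOKBACK_RE.fullmatch(str(selection.get("lookback", "")))
    if not m or int(m.group(1)) > 90:
        raise GuardrailError("lookback must look like '14d' or '48h' and be at most 90")
    clauses = [f"where TimeGenerated > ago({m.group(0)})"]
    for flt in selection.get("filters", []):
        field, op, value = flt.get("field"), flt.get("op"), str(flt.get("value", ""))
        if field not in allowed or op not in ALLOWED_OPERATORS or not _VALUE_RE.fullmatch(value):
            raise GuardrailError(f"filter rejected: {flt}")
        clauses.append(f'where {field} {op} "{value}"')
    clauses.append("project " + ", ".join(fields))
    clauses.append("take 500")  # bound what is handed back to the model for analysis
    return "\n| ".join([table] + clauses)

def check_selection(selection: dict) -> "str | None":
    """Scoped KQL for a valid selection, None when the guardrail rejects it."""
    try:
        return build_scoped_kql(selection)
    except GuardrailError:
        return None

# Constructed sample of what the model might propose for "anything unusual for this user in two weeks".
EXAMPLE_SELECTION = {"table": "SigninLogs", "lookback": "14d",
                     "fields": ["TimeGenerated", "UserPrincipalName", "ResultType", "IPAddress"],
                     "filters": [{"field": "UserPrincipalName", "op": "==", "value": "alice@contoso.com"}]}
```

The KQL string returned for a valid selection is what gets sent to Azure Log Analytics; a hallucinated table or column, an oversized lookback, or a filter value that tries to smuggle in query syntax never leaves this function.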
Testing SOC tooling against production logs isn't practical. To solve this, I built utilities that generate synthetic Azure Activity, Entra ID sign-in, network, and device log datasets. These datasets can be ingested into Azure Log Analytics, allowing the entire threat-hunting workflow to be tested safely without exposing sensitive information.

This project taught me that effective AI agents are more than prompt engineering. They require:

It also gave me hands-on experience with Microsoft Sentinel, Azure Log Analytics, Kusto Query Language, and designing LLM-powered workflows for cybersecurity.

I'm continuing to improve the agent by exploring:

Building this project reinforced something I've come to believe about AI engineering. The most valuable AI systems don't replace experts. They help experts investigate faster while remaining transparent, predictable, and safe.