Getting Started with Illumio Insights

About Insights Agent

Insights Agent is a persona-based AI agent that accelerates threat detection by helping you spot malicious activity, tactics, and techniques in multi-cloud environments. It maps its findings to the MITRE ATT&CK framework to highlight the areas of your environments that warrant immediate attention, so you can move quickly through an analysis of the activity occurring across all of them.

Focus

The Insights Agent page is designed to answer three key questions for security teams:

  • What is happening in my environment right now? The page presents an automatically generated report summarizing all current findings detected during the latest scan.

  • How serious is it? The page highlights the most urgent risks by categorizing findings by severity, type, and impacted assets.

  • What should I do next? Recommended actions guide teams toward the most effective and timely remediation steps.

Features

  • In-depth, AI-driven investigative report: Based on the selected Persona, reports on resources, workloads, and policies across all of your environments, with recommended actions and their severity.

  • Recommendations: Proposes recommended actions based on the severity of detected threats.

  • Threat detection: Uses AI to continuously monitor real-time network activity and surface anomalous activity such as lateral movement and data exfiltration.

  • Adaptive: Uses AI to adapt to new attacker techniques and to the feedback you provide to Insights Agent.

  • Integrated ticketing feature: Includes an option to create ServiceNow IT Service Management (ITSM) tickets, fostering collaboration across teams to resolve issues quickly.

Investigative Reports

Within 8 to 24 hours of onboarding Insights Agent, an initial investigative report is generated automatically. New reports are generated automatically every 24 hours.

The Latest Report section summarizes the most-recently run Insights Agent report, including when it was generated and key totals such as findings, recommended actions, relevant workflows, tags, and comments. It provides immediate visibility into the scope and freshness of the analysis.

Findings

The Findings widgets organize information into clear groups so you can understand their distribution and significance.

  • Findings by Severity – Categorizes findings as Critical, High, Medium, or Low.

  • Findings by Type – Groups issues by their technical domains, such as misconfigurations or exposures.

  • Top 3 Findings – Highlights the most relevant or high-impact findings, including affected assets.

Recommendations

The Recommendations widgets focus on the next steps required to reduce risk efficiently and effectively.

  • Recommendations by Severity – Indicates which actions are the most urgent.

  • Recommendations by Type – Groups remediations by categories such as configuration updates or access adjustments.

  • Top 3 Recommended Actions – Highlights the actions likely to provide the greatest reduction in risk.

Findings Table

The table at the bottom of the Insights Agent page lists each individual finding along with fields such as use case, summary, file identifiers, tags, associated assets, and recommended actions. The table allows analysts to move from high-level insights to more detailed technical review.

Insights Agent Personas

After you select a Persona, specific insights display in the left navigation pane to help you focus on critical insights and quickly take action.

  • All Insights: This is the default view that allows you to see all insights.

  • Compliance Monitoring: View regulatory requirements related to resource traffic, shadow LLMs, and DORA compliance.

  • Threat Hunting: View suspicious activity using insights from resource traffic, risky traffic, malicious IP threats, and external data transfer. You'll see a comprehensive view of the Insights analysis for this persona.

  • Incident Response: View to contain, investigate, and recover from security incidents using insights from resource traffic, risky traffic, and malicious IP threats.

  • Data Security: Monitor and protect your data from unauthorized access using insights from resource traffic, shadow LLMs, external data transfer, and DORA compliance.

  • Executive Dashboard: View high-level security trends for decision-making using insights from resource traffic, risky traffic, malicious IP threats, shadow LLMs, external data transfer, and DORA compliance.

  • Malware Defense: Detect, analyze, and block malware threats using insights from resource traffic, risky traffic, and malicious IP threats.

  • IT Manager: Oversee your IT systems and manage teams using insights from resource traffic, risky traffic, external data transfer, and DORA compliance.