From Insight to Action: How the Agent Layer Behind Our SIEM Creates Real Security Value

Section 1 — The Case for Correlation

AI in cybersecurity gets most of the attention right now, but intelligence only matters if the data beneath it makes sense. Before a model can reason, it has to see clearly—and most environments still feed their tools partial sight. Firewalls see flow, EDRs see behavior, and neither knows the other exists.

At Full Tilt Cyber, we treat correlation as the foundation for any future automation. When Zeek flags an unusual outbound connection and OpenEDR reports the process that spawned it, you have context—the beginning of situational awareness. Once those events align, you’re no longer watching random alerts; you’re observing a story unfold.

That’s where intelligence starts. Correlation isn’t theory—it’s the base layer of decision-making that allows automation, and eventually AI, to act with purpose.

Section 2 — How AI Agents Differ from SOAR Systems

It’s easy to confuse the agent layer behind a modern SIEM with a traditional SOAR platform, but they solve different problems. A SOAR is an orchestration toolkit—it moves alerts through playbooks and manages workflows across tools. It’s rule-based, process-heavy, and excellent at standardizing responses.

An AI-driven agent, by contrast, sits closer to the data. Instead of waiting for a human-defined playbook, it consumes correlated events directly from the SIEM and evaluates them through a combination of thresholds, contextual logic, and learned behavior. The SOAR executes what it’s told. The agent decides whether it should act at all.

This difference becomes visible in practice:

• A SOAR sees a Zeek alert and follows a static rule—open a ticket, isolate the host.
• An AI agent sees the same alert but weighs factors: confidence level, host sensitivity, past behavior, and human feedback from similar cases. It may choose to observe, escalate, or act instantly.

In short, SOAR automates workflow; the agent automates judgment.

For our customers, that distinction means agility. Full Tilt Cyber’s SOCaaS doesn’t just chain responses together—it learns from its own history. The agent layer gives you the reflexes of automation and the discernment of experience. Together, they turn a reactive SOC into an adaptive one.

Section 3 — Wiring the Foundation

The goal is straightforward: let your firewall, Zeek, and OpenEDR talk in a shared language. Zeek watches packets in motion; OpenEDR watches behavior on the host. The bridge between them is Filebeat, feeding everything into OpenSearch, where correlation and enrichment happen.

1 — Laying out the flow

[Firewall span port] → Zeek sensor
[Endpoints] → OpenEDR agents
       ↘
        Filebeat shippers  →  OpenSearch cluster
        

Each sensor writes structured logs locally. Filebeat tails those logs, adds metadata, and ships them upstream over HTTPS. In this setup, Filebeat becomes the connective tissue: it standardizes event delivery, maintains back-pressure when networks lag, and tags every record with host and source context.

2 — Preparing Zeek for export Zeek natively writes detailed TSV logs under /opt/zeek/logs/current/. To make them portable:

• Enable JSON output (LogAscii::use_json = T) so Filebeat can parse fields cleanly.
• Give each Zeek node a static hostname in the node.cfg file; this becomes a correlation key in OpenSearch.
• Point Filebeat at the Zeek log directory and attach custom fields such as source_type: zeek, sensor_zone: perimeter, and network_role: gateway.

This turns every connection, DNS query, and notice event into a structured, timestamped document ready for indexing.

3 — Streaming OpenEDR events OpenEDR agents already generate JSON telemetry covering process activity, registry writes, and detections. Filebeat simply needs read access to the agent’s log path or API export folder. The same tagging approach applies—source_type: openedr, endpoint_group: workstations, os_family: windows/linux.

Uniform tagging allows OpenSearch to later match src_ip, host_name, or user fields between Zeek’s network insight and OpenEDR’s local behavior.

4 — Normalization inside Filebeat Filebeat’s ingest pipeline performs lightweight field mapping before data ever hits OpenSearch. It trims redundant keys, converts timestamps to UTC, and aligns naming conventions. This keeps your SIEM queries simple: “show me all events where host.name equals X” works across both sources.

The outcome: you no longer need separate dashboards or manual joins. Zeek’s connection record and OpenEDR’s process event share a schema and a timeline.

5 — Feeding OpenSearch OpenSearch receives both streams under one index pattern—something like telemetry-*. From there, you can build correlation queries, dashboards, or rule engines that detect when endpoint behavior and network activity intersect suspiciously.

This is where the magic begins: you’ve turned two isolated sensors into a context engine.

• Zeek says “this host reached out to an unknown domain.”
• OpenEDR adds “and that host just spawned a new binary.”
• OpenSearch stores both under a single, searchable story.

6 — Why it matters By using Filebeat as the translator, you avoid heavy middleware and license creep. Everything stays open, auditable, and easily tuned. Most importantly, you’ve created structured, trustworthy telemetry—the raw material that an automation agent can act on later with confidence.

Section 4 — The Agent as the Execution Engine

When the SIEM sees a pattern worth reacting to, the agent takes the next step. Correlation without action is just expensive observation.

At Full Tilt Cyber, our agent doesn’t sit idle waiting for alerts to appear in an inbox. It subscribes directly to the SIEM’s event stream, polling OpenSearch or receiving webhook notifications whenever a correlation rule fires. Each event arrives as a structured record containing all the data the SIEM used to reach its conclusion: host, user, process, IPs, rule ID, and confidence level.

This feed gives the agent a real-time map of the environment. It filters, ranks, and groups events, evaluating whether each one meets policy thresholds—checking suppression lists, isolation status, or previous actions on the same host.

Once an event passes those checks, the agent transitions from listening to acting through policy-defined authority. Each policy is explicit about:

1. Trigger conditions – when the policy applies (for example, confidence > 0.9 and severity = high).
2. Approved actions – what the agent is allowed to do (quarantine, connection block, process termination, notification).
3. Rollback steps – how to verify or reverse the action after execution.

When the SIEM generates a qualifying alert, the agent parses the policy and executes using integrated controls: API calls to the firewall, EDR commands on the endpoint, or orchestration workflows in the SOC platform. Each response returns a status message that the agent logs and feeds back into the SIEM.

The loop is continuous and disciplined:

1. Sense – Zeek and OpenEDR generate events.
2. Correlate – The SIEM identifies a verified pattern.
3. Decide – The agent consumes the event, checks policy, and confirms authorization.
4. Act – The agent executes the response and reports completion.

Nothing happens in the dark; every move leaves an entry. This architecture transforms raw correlation into controlled automation—a visible chain from detection to decision to defense. It’s not hype, it’s the framework of true, machine-assisted resilience.

Section 5 — Building Trust in the Loop

Speed means little without restraint. A useful agent acts quickly, but always within view. At Full Tilt Cyber, every automation loop rests on three principles: threshold, validation, and governance.

Threshold: Only high-confidence, high-impact correlations trigger automated response. Everything else routes to human review. Take a mid-confidence alert where Zeek logs repeated outbound connections to a new domain while OpenEDR notes a PowerShell script running from a temporary directory. The data points look suspicious, but context might reveal it’s an internal admin test. The correlation doesn’t reach the automation threshold, yet it isn’t noise either. An analyst investigates, validates the behavior, and if safe, whitelists that pattern for future recognition. This keeps the agent from overreacting while ensuring legitimate anomalies still get eyes on them.

Validation: Every automated action—quarantining a device, blocking a port, escalating an incident—is recorded and reviewed for accuracy. These reviews aren’t paperwork; they’re the feedback loop that shapes the next version of automation. On a routine basis, we analyze which agent-led interventions produced genuine containment, which created unnecessary disruption, and which required manual correction. Those results directly adjust correlation weights and policy thresholds, sharpening the agent’s confidence model.

Governance: Human override exists at every layer. Analysts can stop automation mid-flow, modify trigger logic, or retrain an agent’s behavioral model. Retraining means feeding the system curated examples of both correct and incorrect actions drawn from real incidents. When an analyst flags a misstep—say, a premature host isolation—the agent receives that case in its retraining dataset, adjusting future decision scoring to avoid repeating it. Likewise, when an intervention proves decisive, that evidence raises the agent’s trust in similar conditions. Over time, these micro-adjustments make automation less rigid and more intuitive.

Trust is earned through visibility. Every automated move leaves a trail of reasoning, evidence, and correction. Customers can see not just what happened, but why, and how that decision improved the system’s next response. Safe autonomy isn’t about replacing humans; it’s about letting them teach machines to act with better judgment.

Section 6 — Why the Agent Layer Matters

Modern SOC performance isn’t defined by how many alerts it collects—it’s defined by how quickly it can turn detection into response. The agent layer behind our SIEM is what makes that possible.

When a correlation fires, the agent validates, cross-checks Zeek and OpenEDR context, and executes the appropriate action without waiting for manual escalation. Each move is documented, scored for effectiveness, and recycled into the learning loop.

For customers, that architecture translates into measurable value:

• Rapid containment — seconds between identification and mitigation.
• Noise reduction — fewer false positives reaching analysts.
• Audit-ready records — every action logged and reviewable.
• Adaptive protection — each loop refines the next response.

That’s the difference in Full Tilt Cyber’s SOCaaS. It isn’t just a monitoring service—it’s a living system that connects analysis to action safely, transparently, and at machine speed. The agent layer ensures that every detection already comes with its next move planned, giving our clients something rare in cybersecurity: confidence that their defenses don’t just see threats—they respond.