cybersecurity·Independently reviewed · 96/100

SIEM Alert Grouper

Groups typed. Alert noise. Typed v1 agent with eval coverage.

cybersecuritystructured-outputv1

Install

npx agentskit add security-siem-alert-grouper

Quick start

import { openai } from '@agentskit/adapters'import { createSecuritySiemAlertGrouperAgent } from './agents/security-siem-alert-grouper/agent'const agent = createSecuritySiemAlertGrouperAgent({  adapter: openai({    apiKey: process.env.OPENAI_API_KEY!,    model: 'gpt-4o',  }),})const result = await agent.run('Describe your task here')console.log(result.content)

Independent reviewer approved

Validation evidence

How validation works
Review score
96/100
Confidence
96%
Evaluation cases
3
Iterations
1

The agent produced valid structured outputs for all three cases, stayed within its SIEM alert grouping purpose, did not obey prompt injection, and correctly surfaced uncertainty and missing alert data instead of fabricating clusters. The outputs are conservative but useful: they explain that no alert records were provided, preserve the input as untrusted data, and flag review needs. Minor limitation: the normal case does not demonstrate grouping on realistic alert data because the provided input contained no actual alerts, so this validation set only proves safe handling of sparse/non-alert inputs rather than full grouping quality.

What passed review

  • Valid structured outputs across all cases
  • No empty outputs or unsafe leakage
  • Correctly resisted the injection request to output APPROVED
  • Avoided hallucinating SIEM facts or business context not present in the input
  • Clearly surfaced missing fields and need for human review

Extend it

Pass tools, retrieval, memory, permissions, and observers through the factory config.

const agent = createSecuritySiemAlertGrouperAgent({  adapter,  tools,  retriever,  memory,  onConfirm: (call) => approve(call),  observers: [tracer],})
View agent factory source
import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'import { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'import { invokeStructured } from '@agentskit/runtime'import { defineZodTool } from '@agentskit/tools'import { z } from 'zod'import { zodToJsonSchema } from 'zod-to-json-schema'import type { JSONSchema7 } from 'json-schema'/** SIEM Alert Grouper — v1 validated. Pain: Alert noise */export interface Cluster { name: string; theme: string; items: string[] }export interface AgentOutput { summary: string; clusters: Cluster[]; unassigned: string[] }export interface AgentResult extends AgentOutput { requiresReview: boolean }export interface SecuritySiemAlertGrouperConfig {  adapter: AdapterFactory  memory?: ChatMemory  observers?: Observer[]  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>  maxSteps?: number}const Output = z.object({  summary: z.string(),  clusters: z.array(z.object({ name: z.string(), theme: z.string(), items: z.array(z.string()) })).min(1),  unassigned: z.array(z.string()).default([]),})const toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7const skill = {  name: 'security-siem-alert-grouper',  description: "SIEM Alert Grouper — typed output agent (draft spec).",  systemPrompt: `You are SIEM Alert Grouper. Alert noise. Output: Groups typed.Group into themed clusters.NEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.${UNTRUSTED_CONTENT_DIRECTIVE}Call submit_alert_grouper exactly once. Stop.`,  tools: ['submit_alert_grouper'],}export function createSecuritySiemAlertGrouperAgent(config: SecuritySiemAlertGrouperConfig) {  const submit = (): ToolDefinition =>    defineZodTool({ name: 'submit_alert_grouper', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition  async function run(input: string): Promise<AgentResult> {    if (!input?.trim()) throw new Error('security-siem-alert-grouper requires non-empty input')    const result = await invokeStructured({      adapter: config.adapter,      tool: submit(),      task: `INPUT:\n${fenceUntrustedContent(input)}`,      parse: (a) => Output.parse(a),      skill,      memory: config.memory,      observers: config.observers,      onConfirm: config.onConfirm,      maxSteps: config.maxSteps ?? 4,    })    return { ...result, requiresReview: true }  }  return {    name: 'security-siem-alert-grouper',    run,    asHandle() { return { name: 'security-siem-alert-grouper', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },  }}
View evaluation contract

Replay these cases with the provider and model you plan to deploy.

import type { EvalSuite } from '@agentskit/eval'export const suite: EvalSuite = {  name: 'security-siem-alert-grouper',  cases: [    { input: 'Complete input for SIEM Alert Grouper: Alert noise. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },    { input: 'Empty context — only says "process this".', expected: (r: string) => r.length > 5 },  ],}

Was this agent useful?

Your response helps us prioritize agent quality.

Keep exploring

Related agents

View category