Set up Threat Triage Agent

  • Latest Dynatrace
  • How-to guide
  • 3-min read
  • Published Jan 28, 2026
  • Preview

Threat Triage Agent is a Dynatrace agentic workflow that automatically extracts indicators of compromise (IOCs) from threat alerts and analyzes the resulting exposure across your environment. By turning raw threat intelligence into actionable insights, it helps you quickly understand where you’re at risk and move efficiently toward remediation using the data already available in Dynatrace.

Prerequisites

Get started

1. Set up the integration workflow

  1. Download the AlienVault integration workflow template.
  2. Deploy it in Workflows and configure it as needed.

2. Set up the Threat Triage Agent workflow

  1. In Workflows, select Add Workflow.

  2. In the left-hand menu, select the Dynatrace Intelligence (Preview) app.

  3. Search for and select the Threat Triage Agent template.

  4. Follow the on-screen guidance to configure the workflow.

  5. After deployment, adjust the workflow as needed (for example, in the notify_in_slack task, choose the Slack channel).

What's next?

After you set up the workflows, the integration workflow begins querying alerts from your selected threat-intelligence source (for example, AlienVault) for the latest emerging threats (such as React2Shell). When an alert report is received, it automatically triggers the Threat Triage Agent workflow.

The Threat Triage Agent workflow then:

  1. Extracts IOCs from the alert report using the Dynatrace Intelligence action.
  2. Runs multiple queries for vulnerabilities, detections, spans, and logs based on those IOCs.
  3. Generates a summary that includes the Threat Exposure Score, IOC details, affected and related entities, and the sample queries used during the investigation.
  4. Sends a notification to your selected Slack channel.
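As an added example that is not Dynatrace code (it does not call the Dynatrace Intelligence action, run DQL, or post to Slack), the JavaScript below sketches the same pipeline in miniature: it extracts IOCs from a constructed alert text, handling the defanged forms (hxxp://, [.]) that threat reports usually publish, correlates them against constructed log, span, detection and vulnerability records with boundary-aware matching so that 203.0.113.5 does not match 203.0.113.55, and rolls the hits into a summary of affected entities plus a weighted score. The IOC patterns, the source weights, the sample data and the score itself are assumptions for this demo; the score is not the Threat Exposure Score that Dynatrace computes.

```javascript
// Added example (not Dynatrace code): a minimal stand-in for the IOC
// extraction and cross-source correlation the Threat Triage Agent performs.
// IOC patterns, refanging rules, sample data and weights are assumptions.

const TLDS = 'com|net|org|io|xyz|top|invalid';
const IOC_PATTERNS = {
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
  sha256: /\b[0-9a-f]{64}\b/gi,
  domain: new RegExp(`\\b(?:[a-z0-9-]+\\.)+(?:${TLDS})\\b`, 'gi'),
};

// Assumed weights per Dynatrace data source; higher means stronger evidence.
const SOURCE_WEIGHT = { vulnerabilities: 3, detections: 4, spans: 2, logs: 1 };

// Threat reports "defang" indicators (hxxp://, evil[.]com, 1.2.3[.]4) so they
// cannot be clicked; restore them before pattern matching.
function refang(text) {
  return text
    .replace(/hxxp(s?):\/\//gi, 'http$1://')
    .replace(/\[(\.|dot)\]/gi, '.')
    .replace(/\[:\]/g, ':');
}

// Pull deduplicated IOCs of each kind out of free-text alert content.
function extractIocs(alertText) {
  const text = refang(alertText).toLowerCase();
  const iocs = { ipv4: [], sha256: [], domain: [] };
  for (const [kind, re] of Object.entries(IOC_PATTERNS)) {
    const seen = new Set();
    for (const m of text.matchAll(re)) {
      if (!seen.has(m[0])) { seen.add(m[0]); iocs[kind].push(m[0]); }
    }
  }
  // The IPv4 pattern accepts octets above 255 (e.g. 999.1.1.1); drop those.
  iocs.ipv4 = iocs.ipv4.filter(ip => ip.split('.').every(o => Number(o) <= 255));
  return iocs;
}

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Match an IOC only when it is not embedded in a longer token, so that
// 203.0.113.5 is not reported against a record mentioning 203.0.113.55.
function containsIoc(text, ioc) {
  return new RegExp(`(?<![\\w.-])${escapeRe(ioc)}(?![\\w.-])`, 'i').test(text);
}

// Correlate IOCs against records and build the summary the notification would carry.
function triage(alertText, records) {
  const iocs = extractIocs(alertText);
  const all = [...iocs.ipv4, ...iocs.sha256, ...iocs.domain];
  const hits = [];
  for (const rec of records) {
    for (const ioc of all) {
      if (containsIoc(refang(rec.content), ioc)) {
        hits.push({ ioc, source: rec.source, entity: rec.entity });
      }
    }
  }
  const exposureScore = Math.min(100,
    hits.reduce((sum, h) => sum + (SOURCE_WEIGHT[h.source] ?? 0), 0));
  const affectedEntities = [...new Set(hits.map(h => h.entity))].sort();
  // Plain-language stand-in for the "sample queries" section of the real report (not DQL).
  const queries = all.map(ioc => `records whose content contains "${ioc}"`);
  return { iocs, hits, affectedEntities, exposureScore, queries };
}

// Constructed sample input: an obviously fake hash, documentation-range IPs
// and a reserved .invalid domain.
const SAMPLE_HASH = '0123456789abcdef'.repeat(4);
const SAMPLE_ALERT = `Campaign report (constructed sample): the dropper
hxxp://update-cdn.badsite[.]invalid/stage2 beacons to 203.0.113[.]5 and
198.51.100.7. Payload SHA-256: ${SAMPLE_HASH}`;
const SAMPLE_RECORDS = [
  { source: 'logs', entity: 'web-01', content: 'egress connect dst=203.0.113.5 dport=443' },
  { source: 'logs', entity: 'web-02', content: 'egress connect dst=203.0.113.55 dport=443' }, // near miss
  { source: 'spans', entity: 'api-02', content: 'http.client GET http://update-cdn.badsite.invalid/stage2' },
  { source: 'detections', entity: 'web-01', content: `file hash ${SAMPLE_HASH} quarantined` },
  { source: 'vulnerabilities', entity: 'db-01', content: 'outdated package, no indicator present' },
];

console.log(JSON.stringify(triage(SAMPLE_ALERT, SAMPLE_RECORDS), null, 2));
```

With the sample data the summary lists three hits (one each from logs, spans and detections), two affected entities (api-02 and web-01) and a score of 7 under the assumed weights; the near-miss record for 203.0.113.55 is correctly left out.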

Sample report: (image not reproduced on this page)

Related tags

  • Dynatrace Platform
  • Threat Observability
  • Dynatrace AI
  • Generative AI for Workflows