AI Assistant

Your SOC, on speed dial.

Ask in plain English. Get answers backed by your live telemetry — alerts, compliance posture, threat intel, Intune policies. Every answer cites its sources. Every destructive action goes through HITL.

SocSage Assistant
Connected to contoso.co.uk · M365 E3
Online

User: What happened with j.patel's account last night?

A: Incident INC-2026-04817 — impossible-travel detection at 02:14 UTC.

Login from 41.203.64.12 (Lagos, NG) · 92% malicious confidence. Session revoked at 02:15:42 after you approved it in Slack. Account re-enabled at 02:47 after passcode reset and MFA re-enrolment.
Sources: Sentinel · Entra ID · VirusTotal · Slack audit

User: Was anything exfiltrated?

A: No. Full session duration was 4m 18s. Activity: 2 SharePoint document views, both internal. 0 downloads, 0 external shares, 0 mailbox rules created. Full timeline attached.
Sources: Purview · Graph activity · Timeline agent
What it can do

Three interfaces. One brain.

Query your environment

Ask natural-language questions against live telemetry. The assistant translates them into KQL, UDM, or Graph queries and cites every source.

"How many failed logins for finance@?"

Drive remediation

Request policy changes, session revocations or device quarantines. The AI prepares the action and routes it through HITL — Slack, Teams or PagerDuty.

"Disable legacy auth tenant-wide."

Generate reports

Draft client-facing reports, compliance summaries and incident write-ups. Branded with your MSP logo, ready to send.

"Monthly posture report for contoso."
Try these

Prompts our customers actually use.

Show me every CIS L1 failure for Contoso and a Terraform plan to fix them.
Who logged into SharePoint from outside the UK in the last 7 days?
Any users still on legacy authentication? Draft a Conditional Access policy to block it.
Summarise all HIGH severity incidents this week for my Monday client report.
Run a DMARC audit on every tenant with misaligned SPF records.
Which devices failed Intune compliance in the last 24 hours and why?
Revoke all active sessions for j.patel@contoso and disable the account.
Compare our MFA posture against EIDSCA and list the top 5 gaps.
No hallucinations

Grounded in your telemetry.
Answers that cite.

Every answer references the exact logs, agent runs or configuration sources it pulled from. If the data isn't there, the assistant tells you — it won't invent it.

  • Retrieval-augmented generation over your live tenant data
  • Zep-powered memory of past incidents and decisions
  • Citations on every factual claim
  • Abstains when confidence is low
[assistant.response]
claim: "92% malicious confidence on IP 41.203.64.12"
sources:
→ virustotal.lookup() → 72/89 vendors
→ abuseipdb.score() → 96 confidence
→ shodan.host() → known botnet C2
claim: "No data exfil occurred"
sources:
→ purview.activity() → 0 downloads
→ graph.driveActivity() → 0 external shares
confidence: 0.94
abstained on: [attacker attribution, motive]
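As an added illustration of the grounding contract described above (example code written for this page, not SocSage's own; the Source/Claim/Response names, the check_grounding function and the 0.8 release threshold are assumptions), the block below models a response in the same claim/sources/confidence layout, renders it, and applies the two checks a reviewer would want before an answer is released: every factual claim carries at least one telemetry source, and a low-confidence answer is withheld rather than shown.

```python
"""Grounding check for an assistant answer.

Added example, not SocSage code. The record layout mirrors the
[assistant.response] block on the page; field and function names are assumptions.
Rules enforced:
  1. every claim has at least one source (no unsourced factual claims),
  2. overall confidence must reach a threshold, otherwise the answer is withheld,
  3. a topic the assistant abstained on must not also appear in a claim
     (simple keyword heuristic, assumed for illustration).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Source:
    tool: str     # the retrieval call, e.g. "virustotal.lookup()"
    result: str   # what that call returned


@dataclass
class Claim:
    text: str
    sources: list[Source] = field(default_factory=list)


@dataclass
class Response:
    claims: list[Claim]
    confidence: float
    abstained_on: list[str] = field(default_factory=list)


def check_grounding(resp: Response, min_confidence: float = 0.8) -> tuple[bool, list[str]]:
    """Return (release_ok, problems). release_ok is False when any rule fails."""
    problems: list[str] = []
    for claim in resp.claims:
        if not claim.sources:
            problems.append(f"unsourced claim: {claim.text!r}")
    if resp.confidence < min_confidence:
        problems.append(
            f"confidence {resp.confidence:.2f} below {min_confidence:.2f}; abstain"
        )
    for topic in resp.abstained_on:
        for claim in resp.claims:
            if topic.lower() in claim.text.lower():
                problems.append(f"claim {claim.text!r} touches abstained topic {topic!r}")
    return (not problems, problems)


def render(resp: Response) -> str:
    """Render the response in the page's [assistant.response] layout."""
    lines = ["[assistant.response]"]
    for claim in resp.claims:
        lines.append(f'claim: "{claim.text}"')
        lines.append("sources:")
        for src in claim.sources:
            lines.append(f"→ {src.tool} → {src.result}")
    lines.append(f"confidence: {resp.confidence:.2f}")
    lines.append(f"abstained on: [{', '.join(resp.abstained_on)}]")
    return "\n".join(lines)


# Constructed sample: the record shown on the page, every claim sourced.
SAMPLE = Response(
    claims=[
        Claim(
            "92% malicious confidence on IP 41.203.64.12",
            [
                Source("virustotal.lookup()", "72/89 vendors"),
                Source("abuseipdb.score()", "96 confidence"),
                Source("shodan.host()", "known botnet C2"),
            ],
        ),
        Claim(
            "No data exfil occurred",
            [
                Source("purview.activity()", "0 downloads"),
                Source("graph.driveActivity()", "0 external shares"),
            ],
        ),
    ],
    confidence=0.94,
    abstained_on=["attacker attribution", "motive"],
)

# Constructed counter-example: an unsourced guess at low confidence. The
# checker withholds it instead of letting it reach the analyst.
UNGROUNDED = Response(
    claims=[Claim("The attacker was a known ransomware affiliate")],
    confidence=0.41,
    abstained_on=["attacker attribution"],
)

if __name__ == "__main__":
    print(render(SAMPLE))
    for name, resp in (("SAMPLE", SAMPLE), ("UNGROUNDED", UNGROUNDED)):
        ok, problems = check_grounding(resp)
        print(f"{name}: release={ok} problems={problems}")
```

The point of the counter-example is that "abstains when confidence is low" and "citations on every factual claim" are enforceable properties of the response record, not just a model's good intentions: the gate runs on the structured output, so an answer with a naked claim or a sub-threshold score never reaches the channel.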

Give your team a senior analyst on Slack.

24/7 availability. Zero onboarding. Ask it anything — it cites its sources.
