DCO Threat Triage Agent

1-dashboard.png Real-time security ops dashboard with alert stats, severity chart, event timeline, and MITRE ATT&CK kill chain visualization
02-agent-chat.png DCO Triage Agent returns a structured report: verdict, attack timeline, C2 infrastructure, and affected assets
02b-agent-tools.png Agent response showing containment actions, all 7 Elastic Agent Builder tool badges, and execution trace toggle
02c-agent-trace.png` | 16-step execution trace revealing the agent's autonomous reasoning chain across tool calls and analysis steps
03-alerts-critical.png Critical and high-severity alerts filtered from 105 security events — the needle-in-a-haystack the agent finds
04-threat-intel.png 18 MITRE ATT&CK-mapped IOCs (IPs, domains, hashes, tools) used by the agent's threat_intel_lookup tool
05-kill-chain.png MITRE ATT&CK kill chain visualization mapping the 5-stage attack: T1566 → T1059 → T1003 → T1021 → T1041
06-architecture.png SVG architecture diagram showing data flow from frontend through Agent Builder to Elasticsearch indices
07-alerts-all.png Full alert table with all 105 events — 5-stage attack chain buried in 80+ benign noise events
08-hunt-landing.png Threat hunting hub with links to four specialized ES
09-hunt-beaconing.png C2 beaconing detection: 66 beacons to 198.51.100.23 with 2155s avg interval and 735 MB total traffic
10-hunt-correlate.png Correlated event timeline: 96 events from attacker IP 10.10.15.42 with severity badges and MITRE tags
11-hunt-lateral.png Lateral movement detection: admin_svc authenticating to 3 internal servers (DC01, FILE01, DB01) — HIGH risk
12-hunt-process.png Process chain analysis: EXCEL.EXE → cmd.exe → powershell.exe → rundll32.exe (LSASS credential dump)
13-kibana-tools.png Elastic Agent Builder in Kibana showing all 7 custom tools wired to the DCO Triage Agent
14-kibana-chat.png Agent Builder chat interface in Kibana ready to accept natural language triage queries
15-incidents.png Agent-generated incident report with MITRE ATT&CK mapping, severity score, and containment steps

Security Operations Centers (SOCs) receive
thousands of alerts per day, and analysts spend 70% of their time on initial triage — deciding
which alerts are real threats and which are
noise. We wanted to build an AI agent that could perform that first-pass triage autonomously,
turning hours of manual work into seconds of
automated analysis.

What it does

The DCO Threat Triage Agent is a custom AI agent built on Elastic Agent Builder that performs
autonomous security alert triage. Give it an IP address, and it will:

Correlate all related events into a chronological timeline
Enrich findings with threat intelligence from a MITRE ATT&CK-mapped IOC database
Detect attack patterns — C2 beaconing,
lateral movement, privilege escalation
Analyze forensic process chains for malware
indicators
Score severity (P1 Critical through P4 Low)
with justification
Report a structured triage with MITRE ATT&CK mapping and containment recommendations

All orchestrated through 7 custom tools (5
ES|QL, 1 index_search, 1 workflow) wired to a
single Agent Builder agent.

Built With

nextjs
python

Submitted to

Elasticsearch Agent Builder Hackathon

Created by

Solo built everything. Backend agent harness in Python, 7 custom Elastic Agent Builder tools (5 ES|QL, 1 search, 1 workflow), simulated a full 5 stage MITRE ATT&CK attack chain buried in 80+ noise events, and built the Next.js frontend dashboard with live agent chat. I do cybersecurity for the military defending DoD networks so alert triage is literally my day to day. Wanted to see if I could automate the parts that eat up all our time. First time going deep with Elastic Agent Builder and ES|QL, learned a ton about wiring autonomous agents to

Timothy Vang

Updates

Timothy Vang started this project — Feb 27, 2026 12:34 PM EST

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.