FindAgent

The cross-LLM AI agent marketplace. Discover, connect, and publish agents for Claude, ChatGPT, Gemini, or any MCP-compatible app. New to MCP? See how it works →

Product

  • Browse agents
  • Collections
  • Departments
  • MCP / API
  • Blog
  • Docs

Company

  • About
  • Pricing
  • Status
  • Contact

Legal

  • Privacy
  • Terms
  • Refund Policy
  • Prohibited Agents

© 2026 FindAgent. All rights reserved.

Skip to content
FindAgent
Browse agentsCollectionsHow it worksBlogDocsMCP / APIAbout
Sign in
Cybersecurity
Cybersecurityv0.1.0Code agent · Hosted

SIEM Alert Narrator

Read-only SIEM alert triage: deterministic correlation, noise suppression, and priority scoring, with an LLM-written analyst narrative.

@farukceylandagNewUpdated today
Works with
ClaudeChatGPTGeminiCursor
CybersecurityIncident ResponseSOC Automation
overviewsetupreviewscommentsQ&Achangelog

What it does

SIEM Alert Narrator is a read-only SOC/SecOps triage agent. It pulls security alerts from a SIEM (Datadog or a generic read API) READ-ONLY, runs a deterministic triage core — normalize, map severity, correlate and group by signature + source, suppress noise/flapping, and priority-score — then uses an LLM ONLY to synthesize an analyst-friendly narrative (what happened / why it matters / suggested next step). Every count, severity, and source is code-derived; the model never invents numbers and never asserts a definitive cause. Without an API key (and no host sampling) it degrades gracefully to a deterministic template. Read-only by construction (GET-only; no mute/close/action endpoints). Gated: live SIEM access needs credentials (Datadog API + app key, or a generic SIEM bearer token); with none provided it runs entirely on mock alert fixtures or your own caller-provided alerts — so you can try it offline with zero setup. Guardrails: read-only, egress allowlisted to the SIEM host, PII/source masking, API-key non-leak, prompt-injection defang on all alert text, no fabrication (no alerts ⇒ empty triage), and advisory-only recommendations. Tools: - run_full — end-to-end: fetch (read-only), normalize, correlate/triage, narrate, return the full result JSON. - fetch_alerts — fetch raw alerts from the connector (read-only; mock/provided offline), no triage. - normalize_alerts — deterministic normalization: severity mapping, PII masking, text sanitization, severity_min filter (no LLM). - correlate_and_triage — deterministic correlation/grouping by signature+source, counts, noise suppression, priority scoring (no LLM). - narrate_findings — deterministic template narrative + summary for triaged groups (no LLM, no network). - list_capabilities — static capabilities: tools, guardrails, credential slots, triage knobs. - plan_inputs — interview helper returning questions, JSON schema, and a ready-to-edit example for a tool. Array/object arguments may be passed as JSON or a JSON string. Missing required inputs return a structured needs_input payload (questions + schema + example) instead of erroring, and upgrade to a native elicitation form on clients that support it.

Example prompts

  • Run run_full on the mock alerts for last_24h with severity_min medium and summarize the critical groups.
  • Here are my own alerts — normalize_alerts then correlate_and_triage this array and show the priority-scored groups.
  • I have triaged groups already — use narrate_findings to write the analyst summary, no LLM, no network.
  • Call list_capabilities: which credential slots, guardrails, and triage knobs does this agent expose?
  • Use plan_inputs for correlate_and_triage and show me the questions, schema, and a ready-to-edit example.

Tools (7)

Tools the agent exposes — your AI client calls them automatically when it needs them.

  • run_full — Run the full SIEM triage pipeline end-to-end: fetch alerts (read-only), normalize, correlate/triage deterministically, synthesize an analyst narrative (LLM with template fallback), return the full result JSON.
  • fetch_alerts — Fetch raw alerts from the SIEM connector (READ-ONLY; mock/provided data offline). Returns the raw alert envelope without triage.
  • normalize_alerts — Deterministically normalize raw alerts: map severity, mask PII sources, sanitize free text, apply severity_min filter. No LLM.
  • correlate_and_triage — Deterministically correlate/group normalized alerts by signature+source, count, suppress noise/flapping, and priority-score. No LLM.
  • narrate_findings — Produce the deterministic template narrative + summary for already-triaged groups (no LLM, no network; grounded only in provided data).
  • list_capabilities — List the agent's static capabilities: tools, guardrails, credential slots, and triage knobs.
  • plan_inputs — Plan/brainstorm the inputs for a tool: returns the questions, schema and a ready-to-edit example.

What you'll need to connect

This agent will ask you for the following. You enter them when you connect — they're encrypted and never shared with the creator.

  • Datadog API Key · optionalOptional. Datadog API key for READ-ONLY security signals access (DD-API-KEY). Leave blank for offline/mock runs.Get this from datadoghq.com's account or API settings.Paste the value as a single line.Only sent to: api.datadoghq.com
  • Datadog Application Key · optionalOptional. Datadog application key paired with the API key (DD-APPLICATION-KEY). Leave blank for offline/mock runs.Get this from datadoghq.com's account or API settings.Paste the value as a single line.Only sent to: api.datadoghq.com
  • Generic SIEM API Token · optionalOptional. Alternative to Datadog keys: a bearer token for a generic read-only SIEM API. Leave blank for offline/mock runs.Get this from datadoghq.com's account or API settings.Paste the value as a single line.Only sent to: api.datadoghq.com
  • Anthropic API Key · optionalOptional. Enables the LLM-written analyst narrative via Anthropic. Without a key (and no host sampling) the agent falls back to a deterministic template.Create a key on the Anthropic Console API keys page (console.anthropic.com → API keys).Paste the value as a single line.Only sent to: api.anthropic.com
  • OpenAI API Key · optionalOptional. Enables the LLM-written analyst narrative via OpenAI instead of Anthropic.Create a secret key on the OpenAI API keys page (platform.openai.com → API keys).Paste the value as a single line.Only sent to: api.openai.com

How you're protected

FindAgent runs these safety checks on every agent automatically. They're always on and can't be turned off.

  • Prompt-injection scanning

    Every request is checked for known prompt-injection and jailbreak attempts before the agent runs. This is always on.

  • Secret-leak scanning

    Every response is scanned for leaked API keys, tokens, and other secrets before it reaches you. This is always on.

Stats
Connections
New
Reviews
0
Rating
—
Updated
today
Engagement
Views
0
Install rate
Not tracked yet
Review rate
No reviews yet
Creator
Ömer Faruk CEYLANDAĞ
Ömer Faruk CEYLANDAĞ
@farukceylandag
View profile
At a glance
Price
free
Version
v0.1.0
Updated
today
Author
@farukceylandag
Category
Cybersecurity
Code provenance
Source
Private repository
Commit
f8b0605

Runs on FindAgent's hosted execution gateway from this exact commit.

Related agents

+1

Phishing Email Analyzer

Code agent

Static read-only phishing email analysis: deterministic 0-100 risk score, header + URL indicators, and an LLM-written explanation.

ÖFÖmer Faruk CEYLANDAĞ
New
free

More from @farukceylandag

+1

Funnel Cohort Analyst

Code agent

Deterministic funnel conversion + cohort retention from your own event data, narrated by an LLM. Account-free, no warehouse connector.

ÖFÖmer Faruk CEYLANDAĞ
New
free
+1

GA4 Anomaly Detector

Code agent

Deterministic z-score/IQR anomaly detection on GA4 time-series, LLM-narrated alerts. Runs on mock or your own data; connector-ready.

ÖFÖmer Faruk CEYLANDAĞ
New
free
+1

GA4 Site Blood Test

Code agent

GA4 site-health blood test: a 0-100 score, critical findings by device, an LLM-written prescription, and B2B SaaS vendor matches.

ÖFÖmer Faruk CEYLANDAĞ
New
free