
Prerequisites

Before creating an agent, you should:
1. Connect Integrations

Authenticate the tools your agent will use (Jira, Splunk, SentinelOne, etc.). Navigate to Settings > Integrations and connect the relevant services.
2. Define the Use Case

Be clear about what the agent should do:
  • What problem does it solve?
  • What triggers it?
  • What tools does it need?
  • What output should it produce?
3. (Optional) Prepare Context Docs

If your agent needs reference material (runbooks, policies, false positive (FP) lists), have it ready in Google Docs or Notion.

Creation Methods

You can create agents in three ways:
  • From Chat (Recommended): Convert a successful chat session
  • From Scratch (Advanced): Build a custom agent with full control
  • From Template: Start with a pre-built template

Method 1: Create From Scratch

1. Navigate to Agents

Click Agents in the sidebar, then Create Agent.
2. Basic Information

Fill in the basics:
  • Name: Short, descriptive name (e.g., “SentinelOne Alert Triage”)
  • Description: What does this agent do? Who uses it?
3. Write System Prompt

This is the core of your agent. Write clear instructions about:
  • The agent’s role
  • What it should do
  • When to use which tools
  • How to format output

Prompt Engineering Guide → Learn how to write effective prompts
4. Select Tools

Choose which tools the agent can use:
  • Browse by category (SIEM, EDR, Ticketing, etc.)
  • Or search by name
  • Grant only what’s needed for the task
Tip: Start with fewer tools, add more as needed
5. Add Context Documents (Optional)

Link Google Docs or Notion pages that provide reference information:
  • Runbooks and procedures
  • Known false positive lists
  • Contact directories
  • Policy documents
The agent will have access to these during execution
6. Configure Settings

Planning Mode:
  • never: Agent acts immediately (faster, good for simple tasks)
  • auto: Agent decides if planning is needed
  • always: Agent always creates a plan first (better for complex tasks)
Max Tool Calls: Limit how many tool calls the agent can make in one run (default: 25)
Timeout: Maximum execution time for one run (default: 5 minutes)
7. Save and Test

Click Create Agent. You’ll be taken to the agent detail page. Next, test it using the Builder interface.

Method 2: Create From Template

Templates are pre-built agents for common use cases:
1. Browse Templates

Click Agents > Create Agent > From Template
2. Choose Template

Select one of the available templates
3. Customize

Templates come with:
  • Pre-written system prompt (edit to fit your needs)
  • Recommended tools (add/remove as needed)
  • Example context documents
Customize these for your environment
4. Configure Integrations

Ensure the integrations the template requires are connected (the template lists them)
5. Test & Deploy

Use Builder to test with real data, then set up triggers

Browse Templates → See all available templates

Method 3: Create From Chat

If you’ve had a successful chat session, convert it to an agent:
1. Complete Chat Session

Use the Chat interface to work through your use case
2. Review the Session

Make sure the chat achieved the desired outcome with good tool usage
3. Click 'Create Agent'

In the chat interface, click Create Agent from Chat
4. Auto-Generated Prompt

Cotool analyzes the chat session and generates:
  • System prompt based on your conversation
  • Tool list from what was used
  • Planning mode based on complexity
5. Refine and Save

Review the generated prompt, make adjustments, and save

Learn More → Creating agents from chat sessions

What Happens After Creation?

Once you create an agent:
  • Test in Builder
  • Set Up Triggers
  • Monitor Performance
  • Iterate & Improve
Use the Builder to:
  • Test with sample inputs
  • Refine the system prompt
  • Verify tool usage
  • Check output format
Don’t skip this step! Testing before deploying prevents issues.

Common Patterns

Pattern: Alert Enrichment Agent

Goal: Automatically enrich security alerts

Tools Needed:
- get_sentinelone_alert
- search_splunk
- virustotal_check_hash
- update_jira_ticket

Trigger: Jira issue created (type=Security Alert)

Prompt Focus:
- Extract indicators from alert
- Search for related activity
- Check threat intelligence
- Summarize findings in ticket
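The following is an added example, not Cotool's implementation, that models the enrichment pattern above as a single run with the guard rails this page describes: a tool allowlist (only the four granted tools are callable), a max-tool-call budget and a timeout. The tool functions are constructed stubs named after the pattern's tools; the alert text, the 32-character hash and the 203.0.113.5 address are made-up sample data.

```python
"""Model of an alert-enrichment agent run with a tool allowlist, a max-tool-call
budget and a timeout. Added example, not Cotool's code; tools are stubs."""
import re
import time
from typing import Callable, Dict, List

# Constructed sample alert: a made-up hash and a documentation-range IP.
SAMPLE_ALERT = {
    "id": "ALERT-1",
    "details": "Process with hash 0123456789abcdef0123456789abcdef on host "
               "WS-17 connected to 203.0.113.5",
}


# Stub tools standing in for the integrations named in the pattern.
def get_sentinelone_alert(alert_id: str) -> dict:
    return dict(SAMPLE_ALERT, id=alert_id)


def search_splunk(query: str) -> List[str]:
    if "203.0.113.5" in query:
        return ["WS-17 -> 203.0.113.5:443", "WS-22 -> 203.0.113.5:443"]
    return []


def virustotal_check_hash(file_hash: str) -> dict:
    return {"hash": file_hash, "malicious_votes": 12}


def update_jira_ticket(ticket: str, comment: str) -> bool:
    return bool(ticket and comment)


class ToolNotGranted(Exception):
    """The agent tried a tool outside its allowlist."""


class BudgetExceeded(Exception):
    """Max tool calls or the timeout is exhausted."""


class AgentRun:
    """Dispatches every tool call through the allowlist and the budgets."""

    def __init__(self, granted: Dict[str, Callable], max_tool_calls: int = 25,
                 timeout_s: float = 300.0):
        self.granted = granted
        self.max_tool_calls = max_tool_calls
        self.timeout_s = timeout_s
        self.started = time.monotonic()
        self.call_log: List[str] = []

    def call(self, tool: str, *args):
        if tool not in self.granted:
            raise ToolNotGranted(tool)
        if len(self.call_log) >= self.max_tool_calls:
            raise BudgetExceeded(f"max tool calls ({self.max_tool_calls}) reached")
        if time.monotonic() - self.started > self.timeout_s:
            raise BudgetExceeded(f"timeout ({self.timeout_s}s) reached")
        self.call_log.append(tool)
        return self.granted[tool](*args)


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Pull 32-hex-character hashes and IPv4 addresses out of alert text."""
    return {
        "hashes": re.findall(r"\b[a-f0-9]{32}\b", text, flags=re.IGNORECASE),
        "ips": re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text),
    }


def enrich_alert(run: AgentRun, alert_id: str, ticket: str) -> dict:
    """The pattern's four steps: extract, search, check TI, summarize."""
    alert = run.call("get_sentinelone_alert", alert_id)
    iocs = extract_indicators(alert["details"])
    related: List[str] = []
    for ip in iocs["ips"]:
        related.extend(run.call("search_splunk", f"index=network dest_ip={ip}"))
    verdicts = [run.call("virustotal_check_hash", h) for h in iocs["hashes"]]
    flagged = [v["hash"] for v in verdicts if v["malicious_votes"] > 0]
    summary = (f"Indicators: {len(iocs['hashes'])} hash(es), {len(iocs['ips'])} IP(s). "
               f"Related events: {len(related)}. Flagged hashes: {len(flagged)}.")
    run.call("update_jira_ticket", ticket, summary)
    return {"indicators": iocs, "related_events": len(related),
            "flagged_hashes": flagged, "tool_calls": len(run.call_log),
            "summary": summary}


GRANTED_TOOLS = {
    "get_sentinelone_alert": get_sentinelone_alert,
    "search_splunk": search_splunk,
    "virustotal_check_hash": virustotal_check_hash,
    "update_jira_ticket": update_jira_ticket,
}

if __name__ == "__main__":
    print(enrich_alert(AgentRun(GRANTED_TOOLS), "ALERT-1", "SEC-42")["summary"])
```

A run over the sample alert uses exactly four tool calls; granting only `get_sentinelone_alert` makes the run fail at the first ungranted tool, and a budget of two calls stops it before the threat-intelligence lookup, which is the behaviour the Max Tool Calls setting is there to bound.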

Pattern: Scheduled Report Agent

Goal: Weekly access review report

Tools Needed:
- list_okta_users
- list_aws_iam_roles
- list_google_workspace_groups
- send_slack_message

Trigger: Cron (every Monday 9am)

Prompt Focus:
- Gather user/permission data
- Identify anomalies or stale accounts
- Generate formatted report
- Post to #security-reports
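As an added example for the scheduled report pattern (not Cotool's code), this is the "identify anomalies or stale accounts" step written out: it flags active identities with no login in 90 days or that have never logged in, and roles unused for the same period, then builds the report text that the agent would post with `send_slack_message`. The user and role records are constructed, their field names are assumed, and the 90-day threshold and the run time are chosen for the example.

```python
"""Stale-account and unused-role check for a weekly access review.
Added example, not Cotool's code; records, field names and threshold are assumed."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed run time (a Monday 9am) and review threshold.
NOW = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Constructed records shaped like list_okta_users / list_aws_iam_roles output.
OKTA_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE", "last_login": "2024-03-01T12:00:00Z"},
    {"login": "bob@example.com", "status": "ACTIVE", "last_login": "2023-11-15T08:30:00Z"},
    {"login": "svc-backup@example.com", "status": "ACTIVE", "last_login": None},
    {"login": "carol@example.com", "status": "DEPROVISIONED", "last_login": "2023-06-01T00:00:00Z"},
]
IAM_ROLES = [
    {"role": "prod-admin", "last_used": "2024-02-28T00:00:00Z"},
    {"role": "legacy-deploy", "last_used": "2023-09-01T00:00:00Z"},
]


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp with a Z suffix; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def stale_users(users, now=NOW, stale_after=STALE_AFTER) -> List[Tuple[str, str]]:
    """Active accounts that never logged in or have not logged in within the window."""
    findings = []
    for user in users:
        if user["status"] != "ACTIVE":
            continue  # already deprovisioned accounts are not a finding
        last = parse_ts(user["last_login"])
        if last is None:
            findings.append((user["login"], "never logged in"))
        elif now - last > stale_after:
            findings.append((user["login"], f"last login {(now - last).days} days ago"))
    return findings


def unused_roles(roles, now=NOW, stale_after=STALE_AFTER) -> List[str]:
    """Roles whose last use is older than the window."""
    return [r["role"] for r in roles if now - parse_ts(r["last_used"]) > stale_after]


def build_report(users, roles, now=NOW) -> str:
    """Formatted text for the #security-reports post."""
    accounts = stale_users(users, now)
    stale_roles = unused_roles(roles, now)
    lines = [f"Weekly access review ({now:%Y-%m-%d})",
             f"Stale or never-used accounts: {len(accounts)}"]
    lines += [f"  - {login}: {reason}" for login, reason in accounts]
    lines.append(f"IAM roles unused for >{STALE_AFTER.days} days: {len(stale_roles)}")
    lines += [f"  - {role}" for role in stale_roles]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(OKTA_USERS, IAM_ROLES))
```

Service accounts that have never logged in are reported separately from dormant human accounts because they usually need a different owner to confirm whether they are still required.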

Pattern: On-Demand Research Agent

Goal: Ad-hoc investigations via chat

Tools Needed:
- search_splunk
- list_sentinelone_alerts
- get_okta_user
- virustotal_*

Trigger: Chat (no automatic trigger)

Prompt Focus:
- Help analyst investigate indicators
- Provide context and enrichment
- Suggest next steps
- Generate summary reports

Agent Configuration Options

When creating an agent, you can configure:

Model: Choose which LLM powers your agent:
  • General-purpose hosted model: Strong reasoning, tool use, and instruction following
  • High-speed/cost-optimized hosted model: Good fit for simpler tasks or high volume
  • Custom or self-hosted: Bring your own fine-tuned or on-prem model

Planning Mode:
  • never: Agent acts immediately (faster, 1-2 tool calls)
  • auto: Agent decides if planning helps (balanced)
  • always: Agent creates a detailed plan first (complex multi-step tasks)
Tip: Start with auto, adjust based on results

Tools: Grant only necessary tools. Over-granting tools:
  • Increases token usage (every granted tool is described to the LLM)
  • Can confuse the agent
  • Creates security risk
Best Practice: Start minimal, add tools as needed

Context Documents: Link up to 10 documents per agent. Documents are loaded into context at runtime.
Size Limits:
  • 50KB per document (plain text equivalent)
  • The agent has a ~200KB total context window
Tip: Keep docs focused and concise

Memory: Agents can create and access memories:
  • Enabled: Agent can save/retrieve memories
  • Disabled: Agent has no memory between runs
Use memories for: Tracking state, learning from past runs, remembering org-specific context

Evaluation: Define how this agent should be evaluated:
  • Accuracy of findings
  • Completeness of investigation
  • Clarity of output
  • Appropriate tool usage
Used for automated scoring and prompt optimization
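The limits stated above (three planning modes, a default of 25 tool calls and a 5-minute timeout, at most 10 context documents of 50KB each, a ~200KB context window) are easy to check before an agent is saved. The following validator is an added example, not Cotool's code; the `AgentConfig` field names are assumed, and the least-privilege check compares the granted tool list against the tools a use case is known to need.

```python
"""Checks an agent configuration against the limits this page states.
Added example, not Cotool's code; AgentConfig field names are assumed."""
from dataclasses import dataclass, field
from typing import Iterable, List

PLANNING_MODES = {"never", "auto", "always"}
MAX_CONTEXT_DOCS = 10
MAX_DOC_BYTES = 50 * 1024          # 50KB per document, plain text
CONTEXT_WINDOW_BYTES = 200 * 1024  # ~200KB total context window
DEFAULT_MAX_TOOL_CALLS = 25
DEFAULT_TIMEOUT_S = 5 * 60


@dataclass
class AgentConfig:
    name: str
    system_prompt: str
    tools: List[str]
    planning_mode: str = "auto"
    max_tool_calls: int = DEFAULT_MAX_TOOL_CALLS
    timeout_s: int = DEFAULT_TIMEOUT_S
    context_docs: List[str] = field(default_factory=list)  # plain-text contents


def _size(text: str) -> int:
    return len(text.encode("utf-8"))


def validate(cfg: AgentConfig) -> List[str]:
    """Return the list of problems; an empty list means the config is within limits."""
    problems = []
    if not cfg.name.strip():
        problems.append("name is empty")
    if cfg.planning_mode not in PLANNING_MODES:
        problems.append(f"planning_mode must be one of {sorted(PLANNING_MODES)}")
    if cfg.max_tool_calls < 1:
        problems.append("max_tool_calls must be at least 1")
    if cfg.timeout_s < 1:
        problems.append("timeout_s must be at least 1")
    if not cfg.tools:
        problems.append("no tools granted")
    if len(cfg.context_docs) > MAX_CONTEXT_DOCS:
        problems.append(f"{len(cfg.context_docs)} context docs exceeds limit of {MAX_CONTEXT_DOCS}")
    for i, doc in enumerate(cfg.context_docs):
        if _size(doc) > MAX_DOC_BYTES:
            problems.append(f"context doc {i} is {_size(doc)} bytes, limit is {MAX_DOC_BYTES}")
    # Prompt and documents both occupy the context window at runtime.
    total = _size(cfg.system_prompt) + sum(_size(d) for d in cfg.context_docs)
    if total > CONTEXT_WINDOW_BYTES:
        problems.append(f"prompt plus docs ({total} bytes) exceeds the ~{CONTEXT_WINDOW_BYTES} byte context window")
    return problems


def unneeded_tools(cfg: AgentConfig, required: Iterable[str]) -> List[str]:
    """Least-privilege check: granted tools the use case does not call for."""
    return sorted(set(cfg.tools) - set(required))


if __name__ == "__main__":
    cfg = AgentConfig("SentinelOne Alert Triage", "Triage alerts.",
                      ["get_sentinelone_alert", "search_splunk", "send_slack_message"])
    print(validate(cfg), unneeded_tools(cfg, ["get_sentinelone_alert", "search_splunk"]))
```

Run `validate` on a config before creating the agent and `unneeded_tools` against the pattern's "Tools Needed" list; anything it returns is a tool to remove before the first deploy.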

Tips for Success

Start Small: Create a focused agent that does one thing well. It’s easier to expand scope than to debug an overly complex agent.
Test Extensively: Use Builder to test many scenarios before deploying triggers. This catches issues early.
Monitor Early: Check first 10-20 executions closely. This is when you’ll discover prompt issues or missing tools.
Iterate Quickly: Don’t aim for perfection on first try. Deploy, observe, improve. Agents get better over time.

Troubleshooting Common Issues

If the agent doesn’t call the tools you expect:
Fix: Make tool usage more explicit in the system prompt, e.g. “Always start by calling get_sentinelone_alert to fetch full alert details”

If the output format is inconsistent:
Fix: Provide a template in the prompt: “Format your response exactly like this: [template]”

If the agent runs slowly:
Fix:
  • Reduce the number of granted tools
  • Set planning mode to never
  • Remove verbose context documents
  • Check whether the tools themselves are slow (API performance)

If the agent makes poor decisions:
Fix:
  • Add decision criteria to the prompt
  • Provide examples of good/bad decisions
  • Check whether the context documents contain the necessary information
  • Verify that tool outputs are correct
  • Verify tool outputs are correct