Agent outputs let you define a JSON schema that your agent returns at the end of every run. This ensures consistent output that can be displayed visually for easy verification, integrated with downstream systems, or used for reporting.

What Are Agent Outputs?

Instead of relying on freeform text responses, agent outputs enforce a specific structured data format:

Consistent Format

Every run produces the same shape of data, making it easy to verify outcomes, compare results, and build reports.

Rich Visualization

Output is rendered with markdown formatting, classification badges, and organized sections—not raw JSON.

Template Library

Start with pre-built templates for investigations, reports, enrichments, and more.

AI-Powered Generation

Generate a schema automatically from your agent’s system prompt.
Agent outputs are in addition to the standard run timeline. You can always view the full execution history, tool calls, and agent reasoning alongside the structured output.

When to Use Agent Outputs

Agent outputs are a good fit when:
  • You need consistent, parseable output from every run
  • You want classification labels (True Positive, False Positive, etc.)
  • Output includes formatted reports with multiple sections
  • You want to surface evidence behind agent decisions in an easier-to-read format
  • Results will be displayed in a UI or dashboard
  • Results will be aggregated for reporting

They are usually unnecessary when:
  • Agent output is conversational (e.g., Slack assistant)
  • Every run produces fundamentally different types of output
  • You don’t need to parse or store the results

Getting Started

Enabling Agent Outputs

  1. Open Agent Configuration
     Navigate to your agent’s configuration page and scroll to Agent Output Schema.
  2. Enable the Feature
     Toggle the schema to Enabled.
  3. Choose a Starting Point
     Select from:
       • Generate Schema: AI analyzes your system prompt and creates a relevant schema
       • Template: Start with a pre-built template for common use cases
       • Blank: Build from scratch with full control
  4. Customize and Preview
     Edit the schema to match your needs and preview how output will look.
  5. Save and Test
     Save your agent and observe structured outputs for all future runs.

Templates

Templates provide pre-built schemas for common agent patterns. They’re great starting points that can either be used as-is or easily customized:
Best for: Alert triage, threat hunting, incident analysis
Includes:
  • Classification: True Positive / False Positive verdict
  • Confidence: High / Medium / Low confidence level
  • Report: Structured sections for summary, evidence, and next steps
{
  "classification": "True Positive",
  "confidence": "High",
  "report": {
    "summary": "Executive summary of findings",
    "evidence": "Key evidence and artifacts",
    "nextSteps": "Recommended actions"
  }
}

Schema Building

Available Types

The schema builder supports standard JSON types:
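| Type    | Icon | Description                    |
|---------|------|--------------------------------|
| Object  | {}   | Container for named properties |
| Array   | []   | List of items                  |
| String  | T    | Text values                    |
| Number  | #    | Numeric values                 |
| Boolean |      | True/false values              |
| Null    |      | Null/empty value               |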

Presets

Presets are special field configurations with built-in rendering:
A string field with predefined enum values for categorization.
Default values: “True Positive”, “False Positive”
Rendered as: Styled badge/chip
Use for: Verdicts, severity levels, status values
{
  "classification": "True Positive"
}
A string field rendered with full markdown formatting.
Supports: Headings, lists, tables, code blocks, bold/italic, links
Use for: Reports, summaries, detailed analysis
{
  "report": "# Investigation Summary\n\nThis is a **critical** finding..."
}
An object with predefined sections: summary, evidence, and next steps.
Structure:
  • Summary (markdown)
  • Evidence (markdown)
  • Next Steps (markdown)
Use for: Structured investigation reports
{
  "report": {
    "summary": "# Summary\n...",
    "evidence": "## Evidence\n...",
    "nextSteps": "## Recommendations\n..."
  }
}

Enum Values

For string fields, you can restrict values to a predefined list:
  1. Create String Field
     Add a new string field to your schema.
  2. Enable Enum
     Click the options menu (⋮) and select “Restrict to enum values”.
  3. Add Values
     Type values separated by commas or press Enter after each value.
Example enum values:
  • Severity: Critical, High, Medium, Low, Info
  • Status: Open, In Progress, Resolved, Closed
  • Confidence: High, Medium, Low

Required vs Optional Fields

By default, all fields are required. To make a field optional:
  1. Click the options menu (⋮) next to the field
  2. Select “Optional”
Optional fields can be omitted or set to null in the output.

Schema Generation

If you have a system prompt written, you can generate a schema tailored to your task automatically:
  1. Write System Prompt First
     Ensure your agent has a clear system prompt describing what it does.
  2. Click Generate Schema
     In the schema builder, click “Generate Schema”.
  3. Review Generated Schema
     AI analyzes your prompt and creates a relevant schema with:
       • Appropriate fields for your use case
       • Sensible presets (markdown, classification, etc.)
       • Semantically relevant example output preview
  4. Customize
     Modify the generated schema as needed.
Schema generation requires a system prompt. If your agent doesn’t have one yet, write it first before generating a schema.

Viewing Agent Output

When an agent run completes, the structured output is displayed in two ways:
The default view renders output with rich formatting:
  • Classifications appear as styled badges
  • Markdown is rendered with headings, lists, code blocks
  • Numbers display prominently with labels
  • Nested objects show as organized sections
  • Arrays render as lists or grids
This view is designed for human consumption.

Real-World Examples

Example 1: Alert Triage Agent

Use case: Automatically triage SentinelOne alerts
Schema (using Investigator template):
{
  "type": "object",
  "properties": {
    "classification": {
      "type": "string",
      "enum": ["True Positive", "False Positive", "Suspicious", "Inconclusive"],
      "description": "Verdict for this alert"
    },
    "confidence": {
      "type": "string",
      "enum": ["High", "Medium", "Low"],
      "description": "Confidence in the classification"
    },
    "severity": {
      "type": "string",
      "enum": ["Critical", "High", "Medium", "Low"],
      "description": "Assessed severity if true positive"
    },
    "report": {
      "type": "object",
      "properties": {
        "summary": {
          "type": "string",
          "description": "Executive summary of findings"
        },
        "evidence": {
          "type": "string",
          "description": "Key evidence supporting the classification"
        },
        "nextSteps": {
          "type": "string",
          "description": "Recommended actions for the analyst"
        }
      }
    }
  }
}
Example output:
{
  "classification": "True Positive",
  "confidence": "High",
  "severity": "Critical",
  "report": {
    "summary": "Confirmed ransomware execution on endpoint WORKSTATION-42...",
    "evidence": "- File hash matches known LockBit variant\n- Encryption behavior observed\n- Ransom note dropped in multiple directories",
    "nextSteps": "1. Isolate endpoint immediately\n2. Page on-call security\n3. Preserve forensic evidence"
  }
}
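
A downstream consumer can enforce this schema itself before acting on a run's output. The following is an added example, not code from the platform: a stdlib-only Python validator for the subset of JSON Schema used on this page (type, enum, properties, plus array items), treating every field as required by default. The `OPTIONAL` path set, the rejection of undeclared fields, and the `BAD` sample are assumptions of this example.

```python
import json

# The Example 1 schema from this page, with descriptions dropped for brevity.
SCHEMA = {"type": "object", "properties": {
    "classification": {"type": "string", "enum": ["True Positive", "False Positive", "Suspicious", "Inconclusive"]},
    "confidence": {"type": "string", "enum": ["High", "Medium", "Low"]},
    "severity": {"type": "string", "enum": ["Critical", "High", "Medium", "Low"]},
    "report": {"type": "object", "properties": {"summary": {"type": "string"},
               "evidence": {"type": "string"}, "nextSteps": {"type": "string"}}}}}
# Assumption: the consumer tracks optional paths itself; the page does not show how Optional is stored.
OPTIONAL = frozenset({"$.severity"})
TYPES = {"object": dict, "array": list, "string": str, "number": (int, float), "boolean": bool, "null": type(None)}
# Constructed sample: bad enum value, missing confidence, null severity, undeclared field, wrong type.
BAD = '{"classification": "Malicious", "severity": null, "runCommand": "x", "report": {"summary": "s", "evidence": "e", "nextSteps": 3}}'

def validate(value, schema, path="$", optional=OPTIONAL):
    """Return violations as 'path: reason'. Values are never echoed, so
    untrusted model text cannot reach logs through the error messages."""
    kind = schema["type"]
    # bool is a subclass of int in Python, so reject it explicitly for numbers.
    if not isinstance(value, TYPES[kind]) or (kind == "number" and isinstance(value, bool)):
        return [f"{path}: expected {kind}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: value not in enum")
    if kind == "object":
        props = schema.get("properties", {})
        # Strictness chosen for this example: undeclared fields are rejected.
        errors += [f"{path}.{k}: unexpected field" for k in sorted(value.keys() - props.keys())]
        for name, sub in props.items():
            child = f"{path}.{name}"
            if value.get(name) is None:  # omitted or set to null
                if child not in optional:
                    errors.append(f"{child}: required field missing")
                continue
            errors += validate(value[name], sub, child, optional)
    elif kind == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]", optional)
    return errors

def check_output(raw):
    """Parse one run's raw output text and validate it before ingestion."""
    try:
        return validate(json.loads(raw), SCHEMA)
    except json.JSONDecodeError:
        return ["$: not valid JSON"]
```

An empty list from `check_output` means the output matches the schema; anything else should be held back from automated actions such as endpoint isolation and routed to an analyst.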

Example 2: Weekly Report Agent

Use case: Generate weekly security metrics
Schema (custom):
{
  "type": "object",
  "properties": {
    "reportDate": {
      "type": "string",
      "description": "Date range for this report"
    },
    "alertsTotal": {
      "type": "number",
      "description": "Total alerts in period"
    },
    "truePositives": {
      "type": "number",
      "description": "Confirmed true positives"
    },
    "falsePositives": {
      "type": "number",
      "description": "Confirmed false positives"
    },
    "report": {
      "type": "string",
      "description": "Detailed markdown report"
    }
  }
}
Example output:
{
  "reportDate": "2025-01-08 to 2025-01-15",
  "alertsTotal": 247,
  "truePositives": 12,
  "falsePositives": 198,
  "report": "# Weekly Security Report\n\n## Key Metrics\n- **Total Alerts**: 247\n- **True Positive Rate**: 4.9%\n- **MTTD**: 12 minutes\n\n## Notable Incidents\n..."
}

Schema Builder Reference

Field Options

Each field supports these options:
| Option      | Description                                                  |
|-------------|--------------------------------------------------------------|
| Type        | Data type (string, number, boolean, object, array, null)     |
| Name        | Property name in JSON (alphanumeric, hyphens, underscores)   |
| Description | Guides the LLM on what to put in this field                  |
| Required    | Whether the field must be present (default: yes)             |
| Enum        | For strings, restrict to specific values                     |
| Preset      | Apply special rendering (classification, markdown, etc.)     |

Property Name Rules

Property names must:
  • Contain only letters, numbers, hyphens, and underscores
  • Be unique within their parent object
Valid: classification, risk-score, next_steps, reportV2
Invalid: my field (spaces), report@v2 (special characters)
Hyphenated names render nicely: Property names with hyphens are automatically formatted for display. For example, executive-summary renders as Executive Summary in the visual output view.