
Jitterbit Security Alert Agent

Overview

The Jitterbit Security Alert Agent (Security Alert Agent) is an AI agent provided through Jitterbit Marketplace that is designed to reduce the volume of redundant security alerts, accelerate threat response, and improve decision quality across your organization's security stack. This agent acts as an assistive security control plane: it receives security events from Wazuh and Tenable via API webhooks, uses AI to analyze and classify each event, and delivers structured notifications through Slack and email.

When a security event is detected, the agent parses the incoming payload, routes it to the appropriate handler, and sends the event to an LLM for analysis. The LLM normalizes severity, masks sensitive data, classifies the event as an incident report, alert, or digest, and produces formatted notification content. Because masking is performed by the LLM, the unmasked event payload is transmitted to the LLM provider; confirm that this is acceptable under your data-handling requirements before connecting production event sources. The agent then checks Jitterbit Cloud Datastore to deduplicate events before posting a Slack notification and sending an email alert to configured recipients. A scheduled workflow removes Cloud Datastore records older than seven days to maintain clean state.

The agent performs the following tasks:

  • Receives security event payloads from Wazuh and Tenable via API webhook endpoints.
  • Routes events to the appropriate handler based on the source system.
  • Uses AI to normalize event severity, mask sensitive data, and classify events as incident reports, alerts, or digests.
  • Deduplicates events using Cloud Datastore to reduce repeated notifications for the same event.
  • Sends structured security alerts via Slack and email.
  • Automatically removes Cloud Datastore records older than seven days.

This document explains how to set up and operate this AI agent. It covers architecture, prerequisites, and steps to install, configure, and operate the AI agent.

AI agent architecture

This AI agent operates as a headless security event processor triggered by external security monitoring platforms. A typical security event is handled as follows:

  1. A security event in Wazuh or Tenable triggers a POST request to the agent's Jitterbit custom API service (/wazuh or /tenable).
  2. The API Request Handler operation parses the event source from the request's eventresource query parameter, and an Event Trigger operation routes the request to either the Wazuh or Tenable event handler.
  3. The AI Manager operation coordinates with the Main - AI Agent Logic workflow to prepare the event payload and send it to an LLM.
  4. The LLM analyzes the event, normalizes its severity (Low, Medium, High, or Critical), applies sensitive data masking, classifies the event type, and returns a structured response containing formatted content for both the Slack notification and email alert.
  5. The Main Workflow checks Cloud Datastore to determine whether this event has already been recorded.
  6. If the event is new, a record is inserted into Cloud Datastore. If the event already exists, its deduplication count is incremented.
  7. A Slack notification and an email alert are sent to configured recipients.
  8. On a daily schedule, a cleanup workflow removes Cloud Datastore records older than seven days.
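Steps 1 through 4 on the handler side, as an added example rather than the project's own operations or scripts: route the request by its eventresource query parameter against a strict allowlist, parse the source payload, map each platform's native severity scale onto the agent's four tiers, and mask IP and e-mail addresses before anything is handed to the LLM. The two request bodies are constructed; their field layout is an assumption modelled on Wazuh alert JSON and a Tenable finding export, and the severity cut points are this example's choice, not the agent's.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

SEVERITIES = ("Low", "Medium", "High", "Critical")
ALLOWED_SOURCES = {"wazuh", "tenable"}  # the only eventresource values accepted

# Constructed request bodies. Their field layout is an assumption modelled on
# Wazuh alert JSON and a Tenable finding export; neither comes from the page.
WAZUH_BODY = json.dumps({
    "id": "1712345678.12345",
    "rule": {"id": "5710", "level": 10,
             "description": "sshd: Attempt to login using a non-existent user"},
    "agent": {"id": "003", "name": "web-01", "ip": "10.20.30.40"},
    "data": {"srcip": "203.0.113.7", "dstuser": "admin"},
    "full_log": "Invalid user admin from 203.0.113.7 port 51515",
})
TENABLE_BODY = json.dumps({
    "finding_id": "f3c9-0001",
    "severity": "high",
    "plugin_name": "OpenSSL < 3.0.10 Multiple Vulnerabilities",
    "asset": {"hostname": "db-02.corp.example", "ipv4": "10.20.31.9"},
    "owner": "dba@example.com",
})

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class NormalizedEvent:
    source: str
    event_id: str
    severity: str
    summary: str
    raw: dict


def route_source(request_url: str) -> str:
    """Step 2: read eventresource from the query string. Require exactly one
    value, from the allowlist, so a caller can neither select an arbitrary
    handler nor smuggle a second value past a lenient parser."""
    values = parse_qs(urlparse(request_url).query).get("eventresource", [])
    if len(values) != 1 or values[0] not in ALLOWED_SOURCES:
        raise ValueError("eventresource must be exactly one of %s" % sorted(ALLOWED_SOURCES))
    return values[0]


def wazuh_severity(level: int) -> str:
    """Wazuh rule levels run 0-15; the cut points are this example's choice."""
    if level >= 12:
        return "Critical"
    if level >= 10:
        return "High"
    return "Medium" if level >= 7 else "Low"


def tenable_severity(value) -> str:
    """Tenable reports severity as a word (info..critical) or a number (0-4)."""
    if isinstance(value, int):
        return SEVERITIES[min(max(value - 1, 0), 3)]
    words = {"info": "Low", "low": "Low", "medium": "Medium",
             "high": "High", "critical": "Critical"}
    return words.get(str(value).lower(), "Medium")  # unknown: never silently Low


def parse_wazuh(payload: dict) -> NormalizedEvent:
    rule = payload["rule"]
    return NormalizedEvent("wazuh", str(payload["id"]), wazuh_severity(int(rule["level"])),
                           f"{rule['description']} on {payload['agent']['name']}", payload)


def parse_tenable(payload: dict) -> NormalizedEvent:
    return NormalizedEvent("tenable", str(payload["finding_id"]),
                           tenable_severity(payload["severity"]),
                           f"{payload['plugin_name']} on {payload['asset']['hostname']}", payload)


HANDLERS = {"wazuh": parse_wazuh, "tenable": parse_tenable}


def mask_text(text: str) -> str:
    """Deterministic masking applied before anything is sent to the LLM, so the
    provider never receives the raw addresses in the first place."""
    return EMAIL.sub("[EMAIL]", IPV4.sub("[IP]", text))


def handle_request(request_url: str, body: str) -> dict:
    """Steps 1-4, handler side: route, parse, normalize severity, pre-mask.
    The returned dict is what would go into the LLM prompt."""
    event = HANDLERS[route_source(request_url)](json.loads(body))
    return {
        "source": event.source,
        "event_id": event.event_id,
        "severity": event.severity,
        "summary": mask_text(event.summary),
        "payload": json.loads(mask_text(json.dumps(event.raw))),
    }
```

The point of masking here, in addition to the masking the LLM performs, is that a regex pass costs nothing and removes the dependency on the model doing it correctly; an unknown Tenable severity string maps to Medium rather than Low so that a schema change in the source cannot quietly demote findings.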

Workflow diagram

The following diagram shows the main request-handling workflow for the Security Alert Agent.

Mermaid source for the diagram:

  ---
  config:
    flowchart:
      padding: 20
      nodeSpacing: 80
  ---
  flowchart LR
    classDef default fill:white, stroke:black, stroke-width:3px, rx:15px, ry:15px
    WAZUH[Wazuh]
    TENABLE[Tenable]
    JSP@{ shape: hex, label: "Security Alert Agent" }
    LLM[fas:fa-brain LLM]
    CDS@{ shape: hex, label: "fas:fa-database Cloud Datastore" }
    SLACK[fab:fa-slack Slack]
    EMAIL[fas:fa-envelope Email]
    SCHED@{ shape: delay, label: "Operation schedule (daily)" }
    WAZUH -->|1. Security event| JSP
    TENABLE -->|1. Security event| JSP
    JSP <-->|2. Analyze event| LLM
    JSP <-->|3. Deduplicate event| CDS
    JSP -->|4. Post notification| SLACK
    JSP -->|5. Send alert| EMAIL
    SCHED -->|6. Cleanup trigger| JSP

Prerequisites

You need the following components to use this AI agent.

Harmony components

You must have a Jitterbit Harmony license with access to the following components:

Supported endpoints

The AI agent connects to the following endpoints. You can accommodate other systems by modifying the project's endpoint configurations and workflows.

Large language model (LLM)

The AI agent uses OpenAI as the LLM provider for security event analysis and notification generation. To use OpenAI, you must have an OpenAI account with an API key.

Tip

To select pricing tiers based on your specific requirements and anticipated usage, see OpenAI pricing.

Security event sources

The agent accepts security event payloads via POST from the following platforms:

  • Wazuh: The agent exposes a /wazuh API endpoint. Wazuh must be configured to POST security events to this endpoint's service URL.
  • Tenable: The agent exposes a /tenable API endpoint. Tenable must be configured to POST security events to this endpoint's service URL.

Both APIs are created in Create the Jitterbit custom APIs.

Slack

The agent delivers security notifications to a Slack channel. You must have a Slack workspace and a Slack bot with a valid Bot User OAuth Token.

Email

The agent delivers security alerts via email using SMTP. You must have access to an SMTP server and valid credentials for the account used to send notifications.

Cloud Datastore

The agent uses Jitterbit Cloud Datastore to maintain event deduplication state and store response payloads for future reference. Cloud Datastore is part of the Jitterbit Harmony platform and does not require a separate service account.

Installation, configuration, and operation

Follow these steps to install, configure, and operate this AI agent:

  1. Download and install the project
  2. Obtain OpenAI credentials
  3. Prepare Cloud Datastore
  4. Configure the Slack bot
  5. Configure project variables
  6. Test connections
  7. Deploy the project
  8. Create the Jitterbit custom APIs
  9. Review project workflows
  10. Trigger the project workflows

For troubleshooting guidance, see Troubleshooting.

Download and install the project

Follow these steps to install the Studio project for the AI agent:

  1. Log in to the Harmony portal at https://login.jitterbit.com and open Marketplace.

  2. Locate the AI agent named Jitterbit Security Alert Agent. To locate the agent, use the search bar or, in the Filters pane under Type, select AI Agent to limit the display to AI agents.

  3. Click the agent's Documentation link to open its documentation in a separate tab. Keep the tab open to refer back to after starting the project.

  4. Click Start Project to open a configuration dialog.

    Note

    If you have not yet purchased the AI agent, Get agent is displayed instead. Click it to open an informational dialog, then click Submit to have a representative contact you about purchasing the AI agent.

  5. In the Create a New Project dialog, select an environment where the Studio project will be created, then click Create Project.

  6. After the progress dialog indicates the project is created, use the dialog link Go to Studio or open the project directly from the Studio Projects page.

Obtain OpenAI credentials

To use OpenAI as the LLM provider, you must have an OpenAI account with an active API key:

  1. Log in to OpenAI and navigate to API keys.
  2. Create a new API key and retain it for use in the OpenAI project variables.
  3. Note the base URL for the OpenAI API (typically https://api.openai.com/v1) and the model you intend to use for security event analysis (for example, gpt-4o).

Prepare Cloud Datastore

Create a key storage in Jitterbit Cloud Datastore named AI Security with the following custom fields:

  Field name   Type       Required
  count        Text       No
  message      Big Text   No

The Key, AlternativeKey, and Value fields are present by default and do not need to be added.

Retain the Cloud Datastore access token for use in the Cloud Datastore project variables.

Configure the Slack bot

Follow these steps to configure Slack for security notifications:

  1. In your Slack workspace, create or identify a Slack app to use for posting notifications. To create a new app, see the Slack API documentation.

  2. Ensure the app has the chat:write OAuth scope to post messages to channels.

  3. Install the app to your workspace.

  4. Obtain the bot token and retain it for the slack.oauth.access.token project variable.

  5. Identify or create the Slack channel where security notifications should be posted and note the channel name.

Configure project variables

In the Studio project installed from Marketplace, set values for the following project variables.

To configure project variables, use the project's actions menu and select Project Variables to open the configuration drawer.

OpenAI

Variable name Description
openai.apiKey API key for authenticating with the OpenAI service.
openai.base.url Base URL for the OpenAI API (for example, https://api.openai.com/v1).
gpt.model The OpenAI model to use for security event analysis (for example, gpt-5).

Slack

Variable name Description
slack.channel.name The name of the Slack channel where security notifications are posted.
slack.oauth.access.token The Bot User OAuth Token for the Slack app used to post notifications.

Email

Variable name Description
email.to Recipient email address for security alert notifications.
email.from Sender email address used in outgoing security notifications.
email.smtp.host Hostname of the SMTP server used to send notifications (for example, smtp.gmail.com).
email.smtp.username Username for the SMTP account used to send notifications.
email.smtp.password Password for the SMTP account used to send notifications.

Cloud Datastore

Variable name Description
cloud.datastore.access.token Access token for Jitterbit Cloud Datastore, used for event deduplication and payload storage.

Test connections

Test the endpoint configurations to verify connectivity using the defined project variable values.

To test connections, go to the design component palette's Project endpoints and connectors tab, hover over each endpoint, and click Test.

Deploy the project

Deploy the Studio project.

To deploy the project, use the project's actions menu and select Deploy.

Create the Jitterbit custom APIs

Create two custom APIs using API Manager to expose the agent's event-handling entry points to Wazuh and Tenable. Both APIs trigger the same API Request Handler operation; the eventresource query parameter in each request determines which security platform's handler runs. Treat that parameter as untrusted input: the handler should accept only the values wazuh and tenable and reject anything else. Also assign a security profile to both APIs in API Manager so that only your Wazuh and Tenable instances can call them; an endpoint reachable anonymously would let anyone inject events into the notification pipeline.

Wazuh custom API

Configure and publish a custom API for Wazuh with the following parameters:

  Setting         Value
  Path            /wazuh
  Operation       API Request Handler
  Method          POST
  Response type   System Variable

After publishing, retain the service URL. Configure Wazuh to POST security events to this URL, including the query parameter eventresource=wazuh.

Tenable custom API

Configure and publish a custom API for Tenable with the following parameters:

  Setting         Value
  Path            /tenable
  Operation       API Request Handler
  Method          POST
  Response type   System Variable

After publishing, retain the service URL. Configure Tenable to POST security events to this URL, including the query parameter eventresource=tenable.

Review project workflows

The Studio project contains four workflows that implement the Security Alert Agent functionality, organized into two functional groups.

Event processing

  Workflow                            Description
  Main Entry Workflow - API Request   Receives incoming API requests from Wazuh and Tenable and routes them to the appropriate event handler.
  Main - AI Agent Logic               Orchestrates LLM interaction for security event analysis.
  Main Workflow                       Processes routed security events, performs deduplication, and sends notifications.

Maintenance

  Workflow                  Description
  Delete 7 Days Older Key   Removes Cloud Datastore records older than seven days.

Main Entry Workflow - API Request

This workflow handles all incoming API requests from external security platforms. The API Request Handler operation parses the event payload and extracts the event source from the request's eventresource query parameter. An Event Trigger operation then routes execution to the appropriate handler: Wazuh events are forwarded to Wazuh Event Execution and Tenable events are forwarded to Tenable Event Execution. The AI Manager operation coordinates subsequent calls to the Main - AI Agent Logic workflow.

Main - AI Agent Logic

This workflow manages the complete LLM interaction lifecycle for a security event. The AI Logic Controller operation delegates to the OpenAI prompt controller script, which builds a structured system prompt and user prompt that instruct the LLM on severity normalization, sensitive data masking, and output format requirements. Prep OpenAI Payload and Send OpenAI Payload prepare and submit the request. Parse OpenAI Response extracts the LLM's structured JSON output, and Parse AI Response post-processes the result into the final content used for both the Slack notification and email alert.
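The Parse OpenAI Response step above has to cope with a model that does not always return what the prompt asked for. The following added example (not the project's Parse OpenAI Response or Parse AI Response logic) shows the checks a practitioner would put in front of the notification step: strip a code fence or preamble, require the expected fields, refuse to let the model lower severity below the value computed deterministically from the source's own scale, fall back to a conservative classification, and refuse to post if the text still contains an unmasked IP or e-mail address. The field names severity, classification, slack_text, email_subject and email_body, and the sample reply, are assumptions about the response schema.

```python
import json
import re

SEVERITIES = ("Low", "Medium", "High", "Critical")
CLASSIFICATIONS = {"incident report", "alert", "digest"}
# Assumed response schema; the page does not name the LLM's output fields.
REQUIRED = ("severity", "classification", "slack_text", "email_subject", "email_body")
# Anything that still looks like an unmasked IPv4 or e-mail address.
LEAK = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FENCE = re.compile(r"^\s*```(?:json)?\s*|\s*```\s*$")

# Constructed reply of the kind a model returns when told to emit JSON.
SAMPLE_REPLY = (
    '```json\n'
    '{"severity": "High", "classification": "alert",\n'
    ' "slack_text": "SSH brute force against [IP] on web-01",\n'
    ' "email_subject": "[High] SSH brute force on web-01",\n'
    ' "email_body": "Repeated invalid-user logins from [IP]; user [MASKED]."}\n'
    '```'
)


class InvalidLLMResponse(ValueError):
    """Raised when the reply must not be turned into a notification."""


def extract_json(text: str) -> dict:
    """Models often wrap the object in ``` fences or prepend a sentence.
    Strip a fence, then fall back to the outermost {...} span."""
    stripped = FENCE.sub("", text)
    try:
        data = json.loads(stripped)
    except json.JSONDecodeError:
        start, end = stripped.find("{"), stripped.rfind("}")
        if start == -1 or end <= start:
            raise InvalidLLMResponse("no JSON object in LLM reply")
        try:
            data = json.loads(stripped[start:end + 1])
        except json.JSONDecodeError as exc:
            raise InvalidLLMResponse(f"malformed JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise InvalidLLMResponse("LLM reply is not a JSON object")
    return data


def validate_analysis(text: str, baseline_severity: str) -> dict:
    """baseline_severity is the value the handler computed deterministically
    from the source's own scale before the LLM was involved."""
    data = extract_json(text)
    missing = [k for k in REQUIRED if not isinstance(data.get(k), str)]
    if missing:
        raise InvalidLLMResponse(f"missing or non-string fields: {missing}")
    # The model may raise severity but never lower it below the baseline.
    model_sev = data["severity"] if data["severity"] in SEVERITIES else baseline_severity
    data["severity"] = max(model_sev, baseline_severity, key=SEVERITIES.index)
    if data["classification"] not in CLASSIFICATIONS:
        data["classification"] = "alert"  # conservative default for unknown labels
    # Masking is delegated to the LLM; verify it actually happened before posting.
    for field in ("slack_text", "email_subject", "email_body"):
        if LEAK.search(data[field]):
            raise InvalidLLMResponse(f"unmasked identifier in {field}")
    return {k: data[k] for k in REQUIRED}
```

Rejecting the reply outright on a masking failure is deliberate: a notification that leaks the data the pipeline was supposed to hide is worse than a delayed one, and the raised exception gives the operation a place to log the failure and retry or fall back to a template.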

Main Workflow

This workflow processes a security event after it has been analyzed by the LLM. The Check If EventID Exist in Cloud Datastore operation queries Cloud Datastore to look up the current event ID. The EventID Exists operation then evaluates the result using the Decision EventID Exists step: if the event ID is found (Y), Update EventID increments the deduplication count via Update EventID Count in Cloud Datastore; if it is not found (N), Insert EventID adds a new record via Insert EventID to Cloud Datastore. After deduplication, Post Response to Slack sends the formatted Slack notification and Post Notification Email sends the email alert.

Delete 7 Days Older Key

This workflow runs on a daily schedule to maintain Cloud Datastore hygiene. The Delete 7 Days Older key operation uses the Delete Key script to calculate the date seven days prior and iterates through Cloud Datastore keys page by page via the Query all Key operation. The Parse Key Response operation identifies records older than seven days, and the Delete Key script removes them.
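The deduplication branch in Main Workflow, the key storage created in Prepare Cloud Datastore, and the cleanup performed by Delete 7 Days Older Key fit together as follows. This is an added example, not the project's operations: an in-memory dictionary stands in for the AI Security key storage, the Cloud Datastore API calls themselves are not shown, and the use of AlternativeKey to hold the first-seen timestamp (and of the source name as Value) is this example's convention. The count field is written as text because the storage defines it as a Text field.

```python
from datetime import datetime, timedelta


class KeyStore:
    """In-memory stand-in for the 'AI Security' key storage. Rows carry the
    default fields Key, AlternativeKey and Value plus the custom fields
    count (Text) and message (Big Text) from the setup steps."""

    def __init__(self):
        self.rows = {}

    def get(self, key):
        return self.rows.get(key)

    def insert(self, row):
        self.rows[row["Key"]] = row

    def update(self, key, **fields):
        self.rows[key].update(fields)

    def delete(self, key):
        del self.rows[key]

    def query_all(self, page_size=2):
        # Page over a snapshot: deleting while paging by live offset skips rows.
        snapshot = list(self.rows.values())
        for i in range(0, len(snapshot), page_size):
            yield snapshot[i:i + page_size]


def event_key(source: str, event_id: str) -> str:
    """Namespace IDs by source so a Wazuh and a Tenable ID cannot collide."""
    return f"{source}:{event_id}"


def record_event(store, source, event_id, masked_message, now_iso):
    """Decision EventID Exists: insert on first sight (N branch), otherwise
    increment count (Y branch). Returns (is_new, count). AlternativeKey holds
    the first-seen time (this example's convention) and is not refreshed on
    repeats, so a recurring event still ages out and re-alerts after 7 days."""
    key = event_key(source, event_id)
    row = store.get(key)
    if row is None:
        store.insert({"Key": key, "AlternativeKey": now_iso, "Value": source,
                      "count": "1", "message": masked_message})
        return True, 1
    count = int(row["count"]) + 1
    store.update(key, count=str(count))  # count is a Text field, so store a string
    return False, count


def cleanup_older_than(store, now_iso, days=7):
    """Delete 7 Days Older Key: page through the store and remove rows whose
    first-seen time is before now minus `days`. Returns the number removed."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    removed = 0
    for page in store.query_all():
        for row in page:
            if datetime.fromisoformat(row["AlternativeKey"]) < cutoff:
                store.delete(row["Key"])
                removed += 1
    return removed
```

The caller decides what to do with the (is_new, count) pair; the page's workflow sends the notifications after deduplication, and the count lets the notification carry how many times the same event has recurred inside the retention window. Storing only the masked message keeps the retained copy free of the data the LLM was asked to hide.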

Trigger the project workflows

The Security Alert Agent is event-driven. The main event-processing workflows are triggered automatically when Wazuh or Tenable POST security events to the Jitterbit custom APIs created in Create the Jitterbit custom APIs.

Note

Operation schedules are not included in the project export and must be configured manually in Studio after deployment. The Delete 7 Days Older key operation must be scheduled to run once per day; until that schedule is set, deduplication records accumulate in Cloud Datastore indefinitely.

All other workflows are triggered by upstream operations and are not intended to be run independently.

Troubleshooting

If you encounter issues, review the following logs for detailed troubleshooting information:

For additional assistance, contact Jitterbit support.