Security Delivery Agents follow a three-phase adoption model: manual execution, automatic execution based on severity, and automatic gamebook execution. This progressive approach helps you build confidence in agent behavior before enabling full automation.
What Can You Do Here?
- Run Manual Investigations: Trigger agent analysis on individual incidents
- Automate by Severity: Configure agents to run automatically based on incident status
- Enable Gamebook Execution: Allow agents to execute response playbooks automatically
- Set Confidence Thresholds: Control when automated actions are permitted
Prerequisites
Before configuring Security Delivery Agents, ensure you meet the following requirements.

| Requirement | Description |
|---|---|
| Agent Center Deployed | Azure AI Foundry infrastructure must be provisioned |
| ContraForce Roles | Organizational Admin and Workspace Owner roles required |
Phase 1: Manual Agent Execution
In this initial phase, you manually select individual incidents and trigger the agent to run investigations. This allows you to evaluate agent performance before enabling automation.
Running Agent Investigation
Choose Investigation Type
Select one of the following options:
- Run Agent Investigation — Agent analyzes the incident and provides findings without taking remediation actions
- Run Agent Investigation and Response — Agent analyzes the incident and executes recommended response actions
Investigation Options
| Option | Description | When to Use |
|---|---|---|
| Run Agent Investigation | Analysis only, no response actions | When you want to review findings before taking action |
| Run Agent Investigation and Response | Analysis plus automated response | When you trust the agent to execute appropriate responses |
Phase 2: Automatic Execution Based on Severity
Once you’re comfortable with agent behavior, configure automatic execution based on incident severity and status.
Configuring Automatic Execution
Configure Status Filters
Select which incident statuses trigger automatic agent execution:
- New — Agent runs on newly created incidents
- Active — Agent runs on incidents currently being worked
- Closed — Agent runs on closed incidents for retrospective analysis
Status Filter Options
New status (process new incidents automatically):
- Agent triggers immediately when incidents are created
- Provides rapid initial triage and analysis
- Recommended for high-volume environments
Phase 3: Automatic Gamebook Execution
In this advanced phase, you enable the agent to automatically execute gamebooks based on confidence thresholds.
Enabling Automatic Gamebook Execution
Set Confidence Level
Configure the confidence threshold that determines when the agent automatically executes gamebook actions.
Understanding Confidence Levels
| Confidence Level | Behavior | Recommended For |
|---|---|---|
| High | Agent requires strong evidence before taking action | Production environments, sensitive systems |
| Medium | Balanced approach between automation and caution | Most standard deployments |
| Low | Agent takes action with less certainty | Test environments, high-volume low-risk scenarios |
Configuration Summary
Phase 1 (Manual Execution):
- User selects individual incidents
- User triggers agent via Actions menu
- User reviews results before any response
- Best for: Initial evaluation and building trust
Best Practices
Progress through phases sequentially
Start with Phase 1 to understand agent behavior before enabling automation. Each phase builds on the previous one.
Review agent outputs during manual execution
Use Phase 1 to validate that agent analysis aligns with your expectations and incident handling procedures.
Set conservative confidence levels initially
Begin with higher confidence thresholds and lower them gradually based on observed accuracy.
Monitor automated actions regularly
Even with full automation enabled, periodically review agent actions to ensure expected behavior.
Document your configuration choices
Keep records of which phases are enabled and your confidence threshold settings for troubleshooting and auditing.
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Agent not processing incidents | Mode not set to On Queue | Verify Mode is set to On Queue in Agent Center |
| Gamebooks not executing | Feature not enabled | Confirm “Allow Agent to run gamebooks” is toggled on |
| Too many automated actions | Confidence threshold too low | Increase confidence level setting |
| Agent missing incidents | Status filters misconfigured | Review and adjust status filter selections |
| Investigation not starting | Missing permissions | Verify Organizational Admin and Workspace Owner roles |
If you encounter persistent issues with Security Delivery Agent configuration, contact [email protected] with your configuration details and observed behavior.
Related Guides
- Deploying Agent Center: Deploy Microsoft Foundry infrastructure to manage your AI agents
- Understanding Gamebooks: Learn about automated SOP-driven response actions
- Incident Management: Overview of incident handling in ContraForce
- User Roles and Permissions: Understanding ContraForce role requirements
Questions about Security Delivery Agent configuration? Contact us at [email protected].