Learn About Security Center with Agentforce
Learning Objectives
After completing this unit, you’ll be able to:
- Explain how Security Agent uses AI to simplify the detection, understanding, and response to security threats.
- Describe the three core steps of Security Agent’s workflow.
- Outline how Security Agent leverages Security Center and Event Monitoring capabilities.
The Agentforce Difference
The demands on modern security teams to protect customer data are immense. Gaining meaningful value from complex data requires specialized skills and time-consuming query writing just to identify one potential risk. Relying on manual processes to identify security threats slows response times and leaves organizations in a reactive state.
Security Center with Agentforce fundamentally changes this dynamic. Admins and security officers can use an AI-driven assistant, called Security Agent, to detect, understand, and respond to security threats faster than ever before.
Within minutes, Security Agent leverages the powerful capabilities of Security Center and Event Monitoring to guide you through every step of a security event workflow: event detection, risk investigation, and threat remediation. Security Agent acts as a trusted guide, leading security teams through every step of the incident response journey, using natural language conversation.
Start Your AI-Driven Security Workflow
The first step of any incident response journey is recognizing that a security event has occurred. When you ask Security Agent a question or give it a task, the agent translates your request into a targeted query against your Security Center and Event Monitoring metrics and alerts.
For example, start by asking, “Show me all the anomalous user activity from the past 48 hours.”
Security Agent processes this request and synthesizes a prioritized list of alerts. This list flags key anomalies, such as unusual login patterns, unexpected spikes in API calls, or mass report exports. From this list, you select the security anomaly you want to address, and Agentforce guides you through the rest. With that, you have kicked off a security workflow and completed the first step of your incident response journey.
Investigate with Security Agent
After the anomaly is detected, the journey moves to its most crucial step: building context. This is where most investigations stall, as analysts must traditionally pivot across multiple tools to correlate logs and user activity.
Security Agent guides you through the data investigation using powerful, dedicated Agentforce actions. All you have to do is point the agent to a specific alert from the list it produced in the first step.
For example, enter, “Tell me more about that high-risk API anomaly.” Security Agent then executes a seamless, multistep investigation:
- Identifies the user: The agent determines the specific user associated with the event.
- Gathers evidence: The agent triggers the specialized Summarize User Activity action. This action pulls relevant log streams from Event Monitoring, like LoginData, ReportData, and ApiUsageData, for the user within a targeted timeframe.
- Generates the narrative: The agent distills this information into a concise, easily digestible summary. This report highlights key behavioral shifts, such as a sudden increase in data downloads, providing the full context needed to assess the risk.
If you need simple, raw data for context, the agent can also execute the Get Security Metric Data action. This action retrieves raw security metric data from Security Center, allowing the analyst to review detailed metric values and gain granular visibility into security trends and posture.
By automating this context-building, the agent accelerates the investigation step, allowing your team to quickly determine if the activity is malicious, legitimate, or indicative of a compromised account. Now that you fully understand what happened with the security event, you can decide on a solution.
Finish Your Journey with Remediation
The security workflow is only complete when a remediation plan is underway. After the contextual summary is delivered, the agent executes the Classify Security Risk action. This action uses AI to analyze the gathered data, assign an accurate risk classification, and propose a detailed plan to move forward.
The remediation plan is customized because the agent is grounded in your organization’s specific data, risk profiles, and preconfigured security policies. This ensures that the agent’s recommended actions, which are executed through secure, predefined flows or APIs, are both effective and compliant. Security Agent provides concrete steps, such as locking a user account, initiating multi-factor authentication requirements, or restricting specific report access, to mitigate the identified threat.
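The following is an added example, not Salesforce code and not how Security Agent is implemented. It shows, in plain Python over constructed records, the kind of correlation the Summarize User Activity and Classify Security Risk actions described above perform: count one user's events per log stream in a 48-hour window, compare the daily rate against the preceding week's baseline, flag the streams that spiked (the "sudden increase in data downloads" case), assign a risk level, and map that level to the remediation steps the text names. The record field names, the two users, the thresholds and the remediation lists are this example's own assumptions, not the Event Monitoring schema or Salesforce's classification rules.

```python
"""Constructed example of baseline-vs-window anomaly summarisation and risk classification."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from math import inf

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
HIGH_RATIO, MEDIUM_RATIO = 10.0, 3.0  # assumed thresholds, not Salesforce's


def _make(stream, user, days_ago, count):
    """Build `count` constructed records of one stream for one user, a minute apart."""
    return [
        {"stream": stream, "user": user,
         "timestamp": NOW - timedelta(days=days_ago, minutes=i)}
        for i in range(count)
    ]


# Constructed sample data: a quiet baseline week for both users (3 to 8 days ago) ...
SAMPLE_EVENTS = []
for day in range(3, 9):
    SAMPLE_EVENTS += _make("ReportData", "alice@example.com", day, 1)
    SAMPLE_EVENTS += _make("LoginData", "alice@example.com", day, 2)
    SAMPLE_EVENTS += _make("ApiUsageData", "alice@example.com", day, 10)
    SAMPLE_EVENTS += _make("ReportData", "bob@example.com", day, 2)
    SAMPLE_EVENTS += _make("LoginData", "bob@example.com", day, 1)
# ... and a 48-hour window in which alice exports 30 reports while all else stays flat.
SAMPLE_EVENTS += _make("ReportData", "alice@example.com", 1, 30)
SAMPLE_EVENTS += _make("LoginData", "alice@example.com", 1, 2)
SAMPLE_EVENTS += _make("LoginData", "alice@example.com", 0, 2)
SAMPLE_EVENTS += _make("ApiUsageData", "alice@example.com", 1, 20)
SAMPLE_EVENTS += _make("ReportData", "bob@example.com", 1, 4)
SAMPLE_EVENTS += _make("LoginData", "bob@example.com", 1, 2)


def summarize_user_activity(events, user, now=NOW, window_hours=48, baseline_days=7):
    """Per stream: events in the window, events in the baseline, and the ratio of daily rates."""
    window_start = now - timedelta(hours=window_hours)
    baseline_start = window_start - timedelta(days=baseline_days)
    window_days = window_hours / 24
    window, baseline = Counter(), Counter()
    for e in events:
        if e["user"] != user:
            continue
        ts = e["timestamp"]
        if window_start <= ts <= now:
            window[e["stream"]] += 1
        elif baseline_start <= ts < window_start:
            baseline[e["stream"]] += 1
    summary = {}
    for stream in sorted(set(window) | set(baseline)):
        w, b = window[stream], baseline[stream]
        # Integer arithmetic first so a 17.5x spike comes out as exactly 17.5.
        ratio = (inf if w else 0.0) if b == 0 else (w * baseline_days) / (b * window_days)
        summary[stream] = {"window": w, "baseline": b, "ratio": ratio}
    return summary


def prioritize_alerts(events, now=NOW):
    """The 'prioritized list of alerts': every (user, stream) whose rate spiked, worst first."""
    alerts = []
    for user in sorted({e["user"] for e in events}):
        for stream, s in summarize_user_activity(events, user, now).items():
            if s["ratio"] >= MEDIUM_RATIO:
                alerts.append((user, stream, s["ratio"]))
    return sorted(alerts, key=lambda a: a[2], reverse=True)


def classify_security_risk(summary):
    """Assign high/medium/low from the worst spike and explain which streams drove it."""
    worst, reasons = 0.0, []
    for stream, s in summary.items():
        if s["ratio"] >= MEDIUM_RATIO:
            reasons.append(f"{stream}: {s['window']} events in window vs "
                           f"{s['baseline']} in baseline ({s['ratio']:.1f}x daily rate)")
            worst = max(worst, s["ratio"])
    level = "high" if worst >= HIGH_RATIO else "medium" if worst >= MEDIUM_RATIO else "low"
    return level, reasons


def propose_remediation(level):
    """Assumed mapping from risk level to the mitigation steps the unit lists."""
    plans = {
        "high": ["lock the user account", "require multi-factor authentication",
                 "restrict the affected report access", "open an incident for analyst review"],
        "medium": ["require multi-factor authentication", "open an incident for analyst review"],
        "low": [],
    }
    return plans[level]


if __name__ == "__main__":
    for user, stream, ratio in prioritize_alerts(SAMPLE_EVENTS):
        summary = summarize_user_activity(SAMPLE_EVENTS, user)
        level, reasons = classify_security_risk(summary)
        print(f"{user} {stream} {ratio:.1f}x -> {level}: {reasons}")
        print("  plan:", propose_remediation(level))
```

Run as a script, the constructed data yields a single alert, alice's ReportData stream at 17.5 times her baseline daily rate, classified high with a full remediation plan, while her logins and API calls and all of bob's activity stay within the noise. Comparing rates against a per-user baseline rather than a fixed count is what keeps a naturally heavy reporting user like bob from being flagged for the same absolute volume.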
By integrating detection, investigation, and remediation into a seamless and conversational workflow, Security Agent transforms security operations from a reactive and complex process into a proactive and guided journey. Security Center with Agentforce lets your team leverage the full power of your existing Security Center and Event Monitoring setups with unmatched speed and clarity.
Implement Security Center with Agentforce
To get started with Security Agent, make sure you have Security Center and Event Monitoring set up in your org. You also need an Agentforce Platform add-on subscription.
Security Agent is built using the Einstein Trust Layer, which helps ensure that data is handled securely and privately. The system operates on a shared security model. While Salesforce provides platform security (like the Trust Layer), you’re responsible for configuring the agent’s permissions and access. These guardrails set the critical boundaries for what the autonomous agent can and can’t do, ensuring that its actions are executed safely and compliantly within your defined security policies.