Clickagentic¶
Clickagentic is a built-in plugin that sends triggered alert data to an LLM for triage.
For every rule that fires, the agent produces a structured analysis with these fields:
- title: Short human-readable title summarizing the alert
- summary: Short summary of the alert generated by the agent
- severity: Severity assessed by the agent from the context of the alert
- confidence: Confidence percentage of the generated response
- false_positive_score: Percentage likelihood that the alert is a false positive
- risk_score: Overall risk level considering potential impact and likelihood of threat activity
- explanation: Detailed explanation of the alert
- mitigations: List of mitigations for the generated alert
- affected_entities: List of users, hosts, IPs, or services involved
- recommended_action: Single most important next action to take
The plugin then merges this analysis into the template context so webhooks can include it in notifications.
Configuration¶
```yaml
plugins:
  clickagentic:
    provider: <provider>       # required - openai, anthropic, google, huggingface, ollama, openrouter, deepseek
    model: <model_name>        # required - model name as expected by your LLM provider, e.g. 'deepseek-chat'
    token: <api_key>           # required - your LLM provider token
    base_url: <url>            # optional - custom endpoint (Ollama, OpenRouter, etc.)
    false_positive: <text>     # optional - known false-positive context for the agent
    think: false               # optional - enable extended thinking (supported providers only)
    from_level: <rule_level>   # optional - only process rules whose level is >= from_level
    ids: [ <id1>, <id2> ]      # optional - array of rule IDs that clickagentic should skip
```
Install¶
You need to install the clickagentic dependency group.
Fields¶
| Field | Required | Description |
|---|---|---|
| provider | yes | LLM provider. See Supported providers below. |
| model | yes | Model identifier as expected by the provider (e.g. gpt-4o-mini, claude-sonnet-4-5). |
| token | yes | API key for the provider. |
| base_url | no | Custom base URL. Required for Ollama; optional for OpenRouter. |
| false_positive | no | Free-text context describing known benign patterns. The agent uses this to calibrate the false-positive score. |
| think | no | Enables extended thinking mode. Default: false. |
| from_level | no | Filter by rule level: only rules whose level is >= from_level are processed by clickagentic. Default: None. |
| ids | no | Filter by rule ID: an array of rule IDs to be skipped. Default: None. |
Supported providers¶
| Provider | provider value | Notes |
|---|---|---|
| OpenAI | openai | — |
| Anthropic | anthropic | — |
| Google | google | — |
| Hugging Face | huggingface | base_url can override the inference endpoint |
| Ollama | ollama | base_url defaults to http://localhost:11434/v1 |
| OpenRouter | openrouter | base_url sets the app URL |
| DeepSeek | deepseek | — |
Template data¶
When a rule triggers, clickagentic adds a `clickagentic` key to the template context with the following fields:
| Field | Type | Description |
|---|---|---|
| title | string | Short human-readable title summarizing the alert context and main issue detected |
| summary | string | Short summary of the alert |
| severity | string | Assessed severity: Critical, High, Medium, or Low |
| confidence | integer | Confidence score from 0 to 100 |
| false_positive_score | integer | Likelihood of a false positive from 0 (unlikely) to 100 (certain) |
| risk_score | integer | Overall risk level from 0 to 100 considering impact and likelihood of threat activity |
| explanation | string | Detailed explanation of the assessment |
| mitigations | string[] | List of recommended mitigation actions |
| affected_entities | string[] | List of users, hosts, IP addresses, or services involved in the alert |
| recommended_action | string | Single most important next action to take (e.g., isolate host, disable user, block IP) |
You can reference this data in any webhook template:
```jinja
Alert: {{ clickagentic.title }}
Rule: {{ rule.name }}
Severity: {{ clickagentic.severity }} (confidence: {{ clickagentic.confidence }}%)
Risk score: {{ clickagentic.risk_score }}%
False-positive score: {{ clickagentic.false_positive_score }}%

{{ clickagentic.summary }}

{{ clickagentic.explanation }}

Affected entities:
{% for e in clickagentic.affected_entities %}- {{ e }}
{% endfor %}
Mitigations:
{% for m in clickagentic.mitigations %}- {{ m }}
{% endfor %}
Recommended action: {{ clickagentic.recommended_action }}
```
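As an added example that is not part of the plugin's own code, the Python below applies the from_level and ids filters described under Configuration and validates an agent reply against the Template data fields before it would be merged into the template context, so a malformed or out-of-range reply never reaches a webhook. The rule dict shape, the function names and the sample reply are assumptions made for this example.

```python
import json

SEVERITIES = {"Critical", "High", "Medium", "Low"}
STRING_FIELDS = ("title", "summary", "explanation", "recommended_action")
PERCENT_FIELDS = ("confidence", "false_positive_score", "risk_score")
LIST_FIELDS = ("mitigations", "affected_entities")


def should_triage(rule, from_level=None, ids=None):
    """Apply the from_level / ids filters: a rule is processed only if its
    level is >= from_level and its ID is not in the skip list (assumed rule shape)."""
    if ids and rule["id"] in ids:
        return False
    if from_level is not None and rule["level"] < from_level:
        return False
    return True


def parse_analysis(raw):
    """Validate the agent's JSON reply against the Template data fields and
    return the dict for the 'clickagentic' key, or raise ValueError."""
    data = json.loads(raw)
    for f in STRING_FIELDS:
        if not isinstance(data.get(f), str) or not data[f].strip():
            raise ValueError(f"{f}: missing or empty string")
    for f in PERCENT_FIELDS:
        v = data.get(f)
        if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= 100:
            raise ValueError(f"{f}: expected integer 0-100, got {v!r}")
    for f in LIST_FIELDS:
        v = data.get(f)
        if not isinstance(v, list) or not all(isinstance(x, str) for x in v):
            raise ValueError(f"{f}: expected a list of strings")
    if data.get("severity") not in SEVERITIES:
        raise ValueError(f"severity: {data.get('severity')!r} is not one of {sorted(SEVERITIES)}")
    keys = STRING_FIELDS + PERCENT_FIELDS + LIST_FIELDS + ("severity",)
    return {k: data[k] for k in keys}


# Constructed sample reply (not real agent output), shaped like the fields above.
SAMPLE_REPLY = json.dumps({
    "title": "Repeated failed SSH logins to admin",
    "summary": "Many failed SSH logins from one IP within a minute.",
    "severity": "High",
    "confidence": 85,
    "false_positive_score": 10,
    "risk_score": 70,
    "explanation": "Rapid failures from a single source suggest password guessing.",
    "mitigations": ["Rate-limit SSH", "Enforce key-based auth"],
    "affected_entities": ["admin", "10.0.0.5"],
    "recommended_action": "block IP",
})
```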
Examples¶
OpenAI¶
Anthropic¶
Ollama (local)¶
```yaml
plugins:
  clickagentic:
    provider: ollama
    model: llama3.2
    token: ollama
    base_url: http://localhost:11434/v1
```