# Merlin Investigate
Merlin Investigate is the agentic investigation mode of Merlin AI. It lets security analysts query historical session data using natural language, combining intent-aware contextual information with cross-session behavioral analysis.
## What Merlin Investigate Does
Merlin Investigate operates on the cold-tier data layer, which contains the full history of session recordings, contextual bubbles, JIT access tickets, and session metadata for each user.
Unlike Merlin Detect — which evaluates individual actions as they happen — Merlin Investigate enables retrospective investigation across multiple sessions and time periods. Analysts interact through a conversational interface, asking questions in natural language.
Core capabilities:
- Natural language queries — ask questions about user behavior without writing database queries or filtering log files
- Cross-session analysis — correlate actions across multiple sessions to identify patterns, escalations, or repeated anomalies
- Rapid investigation — reduce investigation time from hours of manual recording review to minutes of directed conversation
- Intent-aware context — every response is enriched with the contextual bubbles captured during the original sessions
## How to Use Merlin Investigate
Screenshot needed
Screenshots showing the Merlin Investigate conversation interface, including how to start a conversation and navigate the UI, will be added here.
### Starting an Investigation
To start a Merlin Investigate session:
1. Navigate to the Merlin section in the dashboard.
2. Open the Merlin Investigate panel.
3. Type your question in natural language.
Merlin Investigate retrieves only the data relevant to your question. It does not load entire session recordings — it pulls the specific contextual bubbles, metadata, and recording segments that match your query.
## Example Queries
The following examples illustrate the types of questions Merlin Investigate can answer:
### Investigate a specific user
Query: "Show me all anomalies detected for user jsmith in the last 30 days."
What Merlin returns: A chronological list of flagged actions across all of jsmith's sessions, with context bubbles explaining each detection.
### Cross-session pattern analysis
Query: "Has any user repeatedly triggered anomalies on the finance application this quarter?"
What Merlin returns: A summary of recurring anomaly patterns grouped by user, with session links and severity trends.
### Pre-investigation context
Query: "What did user admin_ops do during their SSH session on server prod-db-01 last Tuesday?"
What Merlin returns: A summary of the session's key actions, commands executed, and any flagged events — drawn from the session's contextual bubbles and recording metadata.
### JIT access correlation
Query: "Were the actions in session #4521 consistent with the JIT ticket's stated purpose?"
What Merlin returns: A comparison of the JIT ticket description (task scope) against the actual actions performed during the session, highlighting any deviations.
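Each of the queries above reduces to a filter or a comparison over cold-tier records: anomalies for one user inside a time window, anomaly counts per user on one application, and a JIT ticket's stated scope checked against the actions a session actually contains. The Python below, added here as an illustration and not Merlin's own code, runs that logic over a constructed sample. The record schema, field names, ticket format and sample values are all assumptions made for the example; in particular, "scope" is approximated as the set of hosts and command names the ticket allows.

```python
"""Constructed cold-tier sample and three analyses mirroring the example queries.
Hypothetical schema and data; not Merlin's data model or code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed "current time" so the 30-day window in the first query is reproducible.
NOW = datetime(2024, 6, 1)

# Constructed session metadata (hypothetical schema). Session 4521 carries a JIT ticket.
SESSIONS = {
    4519: {"user": "jsmith", "type": "web", "app": "finance", "host": "fin-web-01",
           "start": datetime(2024, 4, 10, 14, 5), "jit_ticket": None,
           "actions": ["open /reports", "export payroll.csv"]},
    4520: {"user": "jsmith", "type": "web", "app": "finance", "host": "fin-web-01",
           "start": datetime(2024, 5, 20, 16, 40), "jit_ticket": None,
           "actions": ["open /reports", "export payroll.csv", "export vendors.csv"]},
    4521: {"user": "admin_ops", "type": "ssh", "app": None, "host": "prod-db-01",
           "start": datetime(2024, 5, 28, 10, 15), "jit_ticket": "JIT-77",
           "actions": ["systemctl status postgresql",
                       "systemctl restart postgresql",
                       "pg_dump finance > /tmp/finance.sql",
                       "scp /tmp/finance.sql backup-02:/archive/"]},
    4522: {"user": "mlee", "type": "web", "app": "finance", "host": "fin-web-01",
           "start": datetime(2024, 5, 30, 9, 0), "jit_ticket": None,
           "actions": ["open /invoices"]},
}

# Constructed anomaly flags, each with the contextual bubble captured at detection time.
ANOMALIES = [
    {"session": 4519, "when": datetime(2024, 4, 10, 14, 9), "severity": 2,
     "bubble": "Bulk export outside the user's usual working pattern"},
    {"session": 4520, "when": datetime(2024, 5, 20, 16, 45), "severity": 3,
     "bubble": "Bulk export of two datasets after hours"},
    {"session": 4520, "when": datetime(2024, 5, 20, 16, 47), "severity": 3,
     "bubble": "Second export within minutes of the first"},
    {"session": 4522, "when": datetime(2024, 5, 30, 9, 2), "severity": 1,
     "bubble": "First access to the invoices module"},
]

# Constructed JIT ticket: stated purpose plus the hosts and commands it covers.
JIT_TICKETS = {
    "JIT-77": {"purpose": "Restart PostgreSQL on prod-db-01 after patching",
               "hosts": {"prod-db-01"}, "commands": {"systemctl"}},
}


def anomalies_for_user(user, days, now=NOW):
    """Chronological anomalies for one user across all sessions in the last `days` days."""
    cutoff = now - timedelta(days=days)
    hits = [a for a in ANOMALIES
            if SESSIONS[a["session"]]["user"] == user and a["when"] >= cutoff]
    return sorted(hits, key=lambda a: a["when"])


def recurring_anomalies(app, start, end, min_count=2):
    """Users who triggered at least `min_count` anomalies on `app` between start and end.
    Returns {user: {"count", "sessions", "max_severity"}} for the recurring ones only."""
    per_user = defaultdict(lambda: {"count": 0, "sessions": set(), "max_severity": 0})
    for a in ANOMALIES:
        s = SESSIONS[a["session"]]
        if s["app"] != app or not (start <= a["when"] <= end):
            continue
        rec = per_user[s["user"]]
        rec["count"] += 1
        rec["sessions"].add(a["session"])
        rec["max_severity"] = max(rec["max_severity"], a["severity"])
    return {u: r for u, r in per_user.items() if r["count"] >= min_count}


def jit_deviations(session_id):
    """Actions in a session that fall outside its JIT ticket's scope.
    Scope check: the session host must be in the ticket's hosts, and each action's
    command (first word) must be in the ticket's allowed commands."""
    s = SESSIONS[session_id]
    ticket = JIT_TICKETS[s["jit_ticket"]]
    deviations = []
    if s["host"] not in ticket["hosts"]:
        deviations.append(f"host {s['host']} is outside the ticket's scope")
    for action in s["actions"]:
        if action.split()[0] not in ticket["commands"]:
            deviations.append(action)
    return deviations


if __name__ == "__main__":
    for a in anomalies_for_user("jsmith", 30):
        print(a["when"], a["bubble"])
    print(recurring_anomalies("finance", datetime(2024, 4, 1), datetime(2024, 6, 30)))
    print(jit_deviations(4521))
```

On the sample, the 30-day window keeps only jsmith's two May anomalies, jsmith is the only user with recurring anomalies on the finance application for the quarter, and session 4521 shows two actions (a database dump and a copy to another host) that the ticket's "restart PostgreSQL" purpose does not cover, which is the kind of deviation the JIT correlation query is meant to surface.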
## Available Data Sources
Merlin Investigate draws on the following data from the cold tier:
| Data Source | Description |
|---|---|
| Session recordings | Full recordings for web (Vitro), SSH, and RDP sessions |
| Contextual bubbles | Intent-aware snapshots of individual user actions from the hot tier |
| JIT access tickets | Task descriptions and access justifications submitted during Just-in-Time access requests |
| Session metadata | Date/time, duration, session type, server hostname, user identity |
## Supported Protocols
Supported | Not yet supported
## Merlin Investigate vs Manual Investigation
| Aspect | Manual Review | Merlin Investigate |
|---|---|---|
| Time to investigate | Hours — watching recordings, reading logs | Minutes — targeted natural language queries |
| Cross-session visibility | Requires opening multiple recordings separately | Automatic correlation across all sessions |
| Context quality | Raw logs and video without interpretation | Intent-aware context bubbles with AI reasoning |
| Entry barrier | Requires knowledge of log formats and query syntax | Natural language — no technical query skills needed |
## Next Steps
- Intent-aware architecture — understand the data layers Merlin Investigate operates on
- Merlin Detect — how anomalies are detected in real time before they reach the cold tier
- Deployment and infrastructure — hardware requirements for running Merlin AI