AI Diagnostics
How AI Analysis Works
- Your natural-language query is sent to the agent
- The agent collects the ETW events relevant to the query context
- A local correlation engine processes the events and filters out PII and proprietary information before anything leaves the host
- The correlated findings are packaged into a structured prompt together with system context
- The prompt is sent to Claude AI via CloudAPI
- The AI responds with diagnostics, a root cause, and recommendations
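As an added illustration of the local pre-processing stage (example code, not the agent's own implementation): scrub PII and proprietary strings from collected ETW-style events, refuse to ship anything the re-scan still flags, and package the survivors into a structured prompt. The event field names, the redaction rules, the `acme` denylist term and the `system` context fields are assumptions made for this example; the sample events are constructed.

```python
import json
import re

# Constructed sample events in the shape an ETW collector might hand over (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "provider": "Microsoft-Windows-Security-Auditing",
     "id": 4625, "level": "Warning",
     "message": "An account failed to log on. Account Name: jdoe Workstation: WS-FIN-07 "
                "Source Network Address: 10.20.30.41"},
    {"ts": "2024-05-01T10:00:03Z", "provider": "Microsoft-Windows-Kernel-File",
     "id": 12, "level": "Information",
     "message": "Process sqlservr.exe opened C:\\Users\\jdoe\\Documents\\acme-payroll-q2.xlsx"},
    {"ts": "2024-05-01T10:00:04Z", "provider": "MSSQLSERVER",
     "id": 17120, "level": "Error",
     "message": "SQL Server could not spawn FRunCommunicationsManager thread. "
                "Contact ops@acme.example"},
]

# Organisation-specific terms that must never reach the cloud (assumed denylist).
PROPRIETARY_TERMS = ("acme",)

# Redaction rules, applied in order. Placeholders start with '<' so the
# negative lookaheads never re-match a value that has already been redacted.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<ip>"),
    (re.compile(r"(?i)(C:\\Users\\)(?!<)[^\\\s]+"), r"\1<user>"),
    (re.compile(r"(?i)(Account Name:\s*)(?!<)\S+"), r"\1<user>"),
    (re.compile(r"(?i)(Workstation:\s*)(?!<)\S+"), r"\1<host>"),
] + [(re.compile(r"(?i)\b" + re.escape(t) + r"\b"), "<org>") for t in PROPRIETARY_TERMS]


def scrub(text: str) -> str:
    """Apply every redaction rule, in order, to one message string."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def leaks_pii(events) -> bool:
    """Re-scan messages with the same rules; True if any raw value is still present."""
    return any(p.search(e["message"]) for e in events for p, _ in REDACTIONS)


def build_prompt(query: str, events, system_context=None, max_events=50) -> dict:
    """Scrub each event and package the survivors with the query and system context."""
    scrubbed = sorted(({**e, "message": scrub(e["message"])} for e in events),
                      key=lambda e: e["ts"])
    prompt = {
        "query": query,
        "system": system_context or {"os": "windows", "collector": "etw"},  # assumed fields
        "events": scrubbed[:max_events],
    }
    # Belt and braces: the prompt is the only thing that leaves the host, so
    # refuse to return it if the re-scan still finds something.
    if leaks_pii(prompt["events"]):
        raise ValueError("redaction incomplete; refusing to send prompt")
    return prompt


if __name__ == "__main__":
    prompt = build_prompt("Why is the SQL Server service failing to start?", SAMPLE_EVENTS)
    print(json.dumps(prompt, indent=2))
```

Rule order matters: the email rule runs before the denylist rule, so `ops@acme.example` becomes a single `<email>` placeholder rather than `ops@<org>.example`. The dotted-quad pattern will also hit version strings such as `1.2.3.4`, so a production filter needs an allowlist for known non-PII patterns.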
Example Queries
- “Why is the SQL Server service failing to start?”
- “What processes are accessing C:\ProgramData?”
- “Show me all failed authentication attempts in the last hour”
- “Why is the system slow right now?”
- “What changed before the application started crashing?”
Query Pool System
| Tier | Monthly Queries | Cost |
|---|---|---|
| BYOK | Unlimited | Free (your Anthropic key) |
| Professional | 1,000 | $39/mo |
| Business | 5,000 | $99/mo |
| Enterprise | 50,000 | $249/mo |
What Consumes Queries
- Live Session Question: 1 query
- Multi-Agent Question: 1 per agent per question
- Cross-Correlation: 1 additional per device
- Alert AI Analysis: 1 per alert (cached 24 hours)
The pool is shared across all org members. Unused queries do not roll over.
Data Retention
Configurable duration that cloud-stored data (events, metrics, correlations, sessions) is kept before automatic purge. Free tier: 14 days. Paid add-on tiers extend to 90, 365, or 730 days. Billed per managed agent per month.
Inflection Root-Cause Analysis (RCA)
Every agent’s heartbeat is scanned for inflections — sudden metric movements like CPU spikes, memory drops, or disk-time surges. The dashboard surfaces unacknowledged inflections as Anomalies on each agent row. Clicking View anomalies opens a per-agent drawer where you can select one or more anomalies and click Analyze (RCA) to launch a focused AI investigation.
What RCA does
- Brackets the timeline. The cloud takes the min/max timestamps of the selected inflections and pads ±60 seconds, then queries every captured event in that window from the agent’s event store.
- Builds a focused prompt. The model receives the inflection list (metric, direction, before/after values, percentage change) plus events grouped by ProviderName, severity-tagged, and message-truncated. Up to 500 events are included to stay within token budgets.
- Returns structured output. The response is split into three sections — Root Cause, Evidence, Recommendations — rendered as collapsible panels in a modal overlay. OS-tagged commands are suggested where evidence supports them (PowerShell on Windows, bash/systemctl/journalctl on Linux).
When evidence is thin
If the bracket contains zero captured events — for example, the inflection happened before the agent started shipping events, or capture was disabled during the spike — the model is told to reason from the inflection metric alone and to be explicit about the uncertainty. You’ll see a “Zero events in bracket” note in the Evidence section.
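The RCA pipeline above, as an added example that is not the product's own code: scan heartbeat samples for inflections, bracket the selected ones by ±60 seconds, pull the events in that window, group them by ProviderName, severity-tag and truncate them under the 500-event cap, and fall back to metric-only reasoning when the bracket is empty. The 50% inflection threshold, the 200-character message limit, the heartbeat and event field names, and the prompt layout are assumptions; the heartbeats and events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PAD = timedelta(seconds=60)     # bracket padding described above
MAX_EVENTS = 500                # event cap described above
MAX_MSG = 200                   # assumed per-message truncation limit
INFLECTION_PCT = 50.0           # assumed: >=50% move between consecutive heartbeats
SEVERITY = {"Critical": 0, "Error": 1, "Warning": 2, "Information": 3}


def ts(s: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed samples."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed heartbeats (one per 30 s) and events; not real telemetry.
HEARTBEATS = [
    {"ts": "2024-05-01T10:00:00Z", "cpu_pct": 12, "mem_free_mb": 8000, "disk_time_pct": 5},
    {"ts": "2024-05-01T10:00:30Z", "cpu_pct": 14, "mem_free_mb": 7900, "disk_time_pct": 6},
    {"ts": "2024-05-01T10:01:00Z", "cpu_pct": 91, "mem_free_mb": 2100, "disk_time_pct": 7},
    {"ts": "2024-05-01T10:01:30Z", "cpu_pct": 88, "mem_free_mb": 2000, "disk_time_pct": 80},
]
EVENTS = [
    {"ts": "2024-05-01T10:00:05Z", "ProviderName": "Service Control Manager", "Level": "Information",
     "Message": "The SQL Server (MSSQLSERVER) service entered the running state."},
    {"ts": "2024-05-01T10:00:58Z", "ProviderName": "MSSQLSERVER", "Level": "Error",
     "Message": "There is insufficient system memory in resource pool 'default' to run this query. " * 5},
    {"ts": "2024-05-01T10:01:02Z", "ProviderName": "Microsoft-Windows-Resource-Exhaustion-Detector",
     "Level": "Warning", "Message": "Windows successfully diagnosed a low virtual memory condition."},
    {"ts": "2024-05-01T10:09:00Z", "ProviderName": "Service Control Manager", "Level": "Information",
     "Message": "The Windows Update service entered the running state."},
]


def detect_inflections(heartbeats, pct=INFLECTION_PCT):
    """Compare each heartbeat with the previous one; report metrics that moved by >= pct."""
    found = []
    for prev, cur in zip(heartbeats, heartbeats[1:]):
        for metric in ("cpu_pct", "mem_free_mb", "disk_time_pct"):
            before, after = prev[metric], cur[metric]
            if before == 0:
                continue
            change = (after - before) / before * 100.0
            if abs(change) >= pct:
                found.append({"ts": cur["ts"], "metric": metric,
                              "direction": "up" if change > 0 else "down",
                              "before": before, "after": after, "pct": round(change, 1)})
    return found


def bracket(inflections, pad=PAD):
    """Min/max timestamp of the selected inflections, padded on both sides."""
    stamps = [ts(i["ts"]) for i in inflections]
    return min(stamps) - pad, max(stamps) + pad


def events_in_window(events, start, end):
    return [e for e in events if start <= ts(e["ts"]) <= end]


def build_rca_prompt(inflections, events, max_events=MAX_EVENTS, max_msg=MAX_MSG):
    """Return (prompt_text, stats); stats feeds the Evidence panel's event counts."""
    start, end = bracket(inflections)
    # Most severe first so that the cap drops Information events before Errors (design choice).
    window = sorted(events_in_window(events, start, end),
                    key=lambda e: (SEVERITY.get(e["Level"], 9), e["ts"]))
    kept = window[:max_events]
    lines = ["## Inflections"]
    for i in inflections:
        lines.append(f"- {i['ts']} {i['metric']} {i['direction']}: "
                     f"{i['before']} -> {i['after']} ({i['pct']:+.1f}%)")
    lines.append(f"\n## Events {start.isoformat()} .. {end.isoformat()} "
                 f"({len(kept)} of {len(window)})")
    if not kept:
        lines.append("Zero events in bracket. Reason from the inflection metrics alone "
                     "and state the uncertainty explicitly.")
    else:
        by_provider = defaultdict(list)
        for e in kept:
            by_provider[e["ProviderName"]].append(e)
        for provider, evs in by_provider.items():
            lines.append(f"\n### {provider}")
            for e in evs:
                msg = e["Message"]
                if len(msg) > max_msg:
                    msg = msg[:max_msg] + "...[truncated]"
                lines.append(f"- [{e['Level'].upper()}] {e['ts']} {msg}")
    lines.append("\nRespond with three sections: Root Cause, Evidence, Recommendations. "
                 "Suggest OS-tagged commands only where the evidence supports them.")
    stats = {"in_window": len(window), "included": len(kept), "zero_events": not kept}
    return "\n".join(lines), stats


if __name__ == "__main__":
    text, stats = build_rca_prompt(detect_inflections(HEARTBEATS), EVENTS)
    print(text)
    print(stats)
```

With the constructed data the three inflections (CPU up, free memory down, disk time up) bracket 10:00:00 to 10:02:30, which captures the SQL Server memory error and the resource-exhaustion warning but excludes the unrelated Windows Update event at 10:09. Selecting an inflection far from any captured event takes the zero-events branch and emits the "Zero events in bracket" note.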
Cost & provider
Each RCA consumes 1 AI query from your workspace pool, just like a live-session question. The call routes through the same BYOK / platform-key resolver as the rest of the AI surface — if you’ve set a custom provider key in Settings → AI Settings, RCA uses it; otherwise the platform default is used. Token cost and elapsed time are surfaced in the modal footer.