FoundationaLLM can power solutions that classify activity logs of user sessions to identify malicious cases. To do so, the FoundationaLLM agent forwards the session activity log file to an external, pre-trained machine learning model that classifies the session as normal or malicious. If the session is classified as malicious, it is then sent to another pre-trained machine learning model (an encoder API) to produce the vector embeddings for that activity session. The canonical similar session is then retrieved by calculating the similarity between the session embedding and the embeddings in the malicious sessions database. The representative session log text and the original session classification are retrieved and returned as context to the agent, which incorporates them into its analysis and explanation.
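
A minimal sketch of the flow described above, as an added example that is not FoundationaLLM code. The classifier and encoder are toy stand-ins for the external pre-trained models, cosine similarity is an assumed choice of similarity measure, and all names, log lines and three-dimensional embeddings are constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

@dataclass
class KnownSession:                 # one row of the malicious sessions database
    log_text: str
    classification: str
    embedding: Sequence[float]

def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    if len(a) != len(b):
        raise ValueError("embedding dimensions differ")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0   # zero vectors match nothing

def retrieve_context(log_text: str,
                     classify: Callable[[str], str],
                     encode: Callable[[str], Sequence[float]],
                     database: Sequence[KnownSession],
                     min_similarity: float = 0.0) -> Optional[dict]:
    """Return context for the agent, or None if no retrieval applies."""
    if classify(log_text) != "malicious":
        return None                      # normal sessions are never encoded
    query = encode(log_text)
    best, best_score = None, -1.0
    for known in database:
        score = cosine(query, known.embedding)
        if score > best_score:
            best, best_score = known, score
    if best is None or best_score < min_similarity:
        return None                      # empty database or only weak matches
    return {"representative_log": best.log_text,
            "classification": best.classification,
            "similarity": round(best_score, 4)}

# Toy stand-ins (assumptions) for the external classifier and encoder API.
FEATURES = ("login_failed", "sudo", "download")

def toy_classify(log_text: str) -> str:
    return "malicious" if log_text.count("login_failed") >= 3 else "normal"

def toy_encode(log_text: str) -> list:
    return [float(log_text.count(f)) for f in FEATURES]

# Constructed sample database of known malicious sessions.
MALICIOUS_DB = [
    KnownSession("login_failed x5 then login_ok", "malicious", [5.0, 0.0, 0.0]),
    KnownSession("sudo, download, sudo", "malicious", [0.0, 2.0, 1.0]),
]
```

Setting `min_similarity` above zero keeps a weakly related stored session from being handed to the agent as if it were a close match.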