
Automatic Case Investigator

An on-premise software stack aimed at automating common SOC investigation tasks with AI agents, specifically by performing automated investigations in Security Information and Event Management (SIEM) systems. The stack ingests security case information, generates investigation tasks, and automatically performs the relevant investigations in the SIEM. The models used include an LLM for generation tasks and a custom-designed classifier model for security event correlation.


The Problem

  • A single attacker can trigger a security incident, but incident response often requires many SOC analysts.
  • Analysts must review and investigate large volumes of security logs, which leads to:
    • Information fatigue: risking missed evidence and reduced effectiveness
    • Limited specialization: analysts may not have expertise across all areas
    • High effort: correlating security logs is a labor-intensive task

Features

Investigation Procedures Generation

Automatic Investigation

  • Analyzes case data to generate SIEM queries
  • Iteratively queries the SIEM and evaluates potential Indicators of Compromise (IoC)
  • Helps SOC analysts quickly locate pertinent logs, minimizing manual effort
  • Acts as a knowledge base, potentially uncovering missed evidence

Supported platforms

SOAR

SIEM


Tentative Goals

  • Training reasoning models with cybersecurity knowledge, adapting them to SOC tasks.
  • Training SIEM query generation with GRPO.

Demo

Figure 1. List of security cases retrieved from the SOAR platform (e.g., TheHive).

Figure 2. Detailed information for a selected case retrieved from the SOAR platform (e.g., TheHive).

Figure 3. Available automation workflows that can be executed for the selected case.

Figure 4. Investigation tasks automatically generated for the case.

Figure 5. Automated investigation identifying a potential implanted reverse shell.

Figure 6. Evidence log retrieved by the automated investigation showing the reverse shell activity.

Popular repositories

  1. SOC-Stack (Public, Dockerfile): The SOC technology stack used for testing.

  2. .github (Public)

  3. Jupyterhub_Stack (Public, Python): Jupyterhub stack for AI development with tensorflow and cuda preconfigured.

  4. ACI_Dashboard (Public, TypeScript): The main on-premise frontend of the automatic case investigator.

  5. ACI_Home_Page (Public, TypeScript): Public facing home page of ACI.

  6. ACI_Training_Experiment (Public, Python): An experiment examining ACI_Cyber_Base_GPT_OSS_20B's capability in SOC investigation planning applications.
