[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-11369":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":45,"readmeContent":46,"aiSummary":47,"trendingCount":16,"starSnapshotCount":16,"syncStatus":48,"lastSyncTime":49,"discoverSource":50},11369,"AiSOC","beenuar\u002FAiSOC","beenuar","Open-source AI-powered Security Operations Center — alert fusion, purple-team drills, agent-assisted triage, MITRE ATT&CK investigation. MIT-licensed, self-hostable.","https:\u002F\u002Ftryaisoc.com",null,"Python",1354,137,32,1,0,129,954,19.42,"MIT License",false,"main",true,[25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44],"ai-security","alert-triage","cybersecurity","detection-engineering","docker","fastapi","incident-response","mit-license","mitre-attack","nextjs","open-source","purple-team","python","security-operations","self-hosted","siem","soar","soc","threat-detection","threat-intelligence","2026-06-12 02:02:31","\u003Cdiv align=\"center\">\n\n\u003Cimg src=\"apps\u002Fweb\u002Fpublic\u002Flogo-mark.svg\" alt=\"AiSOC\" width=\"120\" \u002F>\n\n# AiSOC\n\nAn open-source, self-hostable AI SOC. The agent's prompts, tool calls, and rationale are logged step-by-step and replayable. MIT-licensed.\n\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-22c55e.svg?style=flat-square)](https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\n[![Public eval harness: CI-gated](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Feval%20harness-CI--gated-2563eb?style=flat-square)](apps\u002Fdocs\u002Fdocs\u002Fbenchmark.md)\n[![PRs welcome](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPRs-welcome-8b5cf6?style=flat-square)](CONTRIBUTING.md)\n[![Version](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fversion-7.1.0-f59e0b?style=flat-square)](CHANGELOG.md)\n[![Live demo on Fly.io (v8.0 launch)](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLive%20demo-Fly.io-7b2bbe?style=flat-square&logo=fly-dot-io&logoColor=white)](https:\u002F\u002Ftryaisoc.com)\n[![Render demo (one-click)](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FRender%20demo-one%20click-46e3b7?style=flat-square&logo=render&logoColor=white)](https:\u002F\u002Frender.com\u002Fdeploy?repo=https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC)\n\n[Live demo](https:\u002F\u002Ftryaisoc.com) · [How AiSOC compares](#how-aisoc-compares) · [Public eval harness](apps\u002Fdocs\u002Fdocs\u002Fbenchmark.md) · [Deploy in 60 seconds](#deploy-in-60-seconds) · [Deployment options](#deployment-options) · [Architecture](#architecture) · [Docs](apps\u002Fdocs\u002F)\n\n\u003Csub>The demo at \u003Ca href=\"https:\u002F\u002Ftryaisoc.com\">tryaisoc.com\u003C\u002Fa> is a self-hosted instance fronted by a Cloudflare Tunnel — when it's reachable, the stack is running locally on a maintainer's box. It can therefore go offline at any time. To run your own (in 3.5 min, with seeded data), see \u003Ca href=\"#one-shot-demo\">One-shot demo\u003C\u002Fa>; to expose your own instance on your own domain via Cloudflare Tunnel, see \u003Ca href=\"#public-demo-on-your-own-domain\">Public demo on your own domain\u003C\u002Fa>. \u003Cstrong>The Fly.io demo at \u003Ca href=\"https:\u002F\u002Ftryaisoc.com\">tryaisoc.com\u003C\u002Fa> is the canonical AiSOC instance — the badge above links there.\u003C\u002Fstrong>\u003C\u002Fsub>\n\n[![GitHub topics](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Ftopics-soc%20%7C%20siem%20%7C%20ai--security%20%7C%20mitre--attack-0ea5e9?style=flat-square)](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Ftopics)\n\n\u003C\u002Fdiv>\n\n---\n\n## What AiSOC is\n\nAiSOC is a single self-hostable stack that ingests security events, correlates them, runs AI-driven investigation, and surfaces the result in a SOC console. The agent and the substrate are MIT-licensed, so you can read, fork, or replace either of them.\n\nThree properties distinguish it from closed-source AI SOC vendors:\n\n1. **Agent decisions are logged.** The Investigation Ledger stores the LLM prompt, the response, the evidence cited, and the downstream tool calls for every step of every run. Replays are available later.\n2. **The substrate has a public eval harness in CI.** Five suites gate every PR targeting `main` \u002F `develop`: a 200-incident synthetic dataset drawn from 55 distinct templates drives the MITRE-tactic, investigation-completeness, and response-quality gates (each reporting both a per-case mean and a per-template macro so a single broken template can't hide behind 199 working duplicates); a separately generated 1,000-alert noisy stream drives the alert-reduction gate; and a schema\u002Fcoverage gate validates `synthetic_telemetry.jsonl` — the companion corpus of ~360 backing events across 14 log sources (Sysmon, Windows Security, M365 audit, Azure sign-in, CloudTrail, Linux auditd, journald, EDR, DNS, web access, Kubernetes audit, GitHub audit, VPN, DB audit) that connector and Sigma PRs can wire against. Alert reduction is a real measurement against the fixed alert stream; the three rubric-based suites are substrate self-consistency gates over deterministic templates. The [benchmark page](apps\u002Fdocs\u002Fdocs\u002Fbenchmark.md) explains exactly which is which.\n3. **It runs entirely on your infrastructure.** No callbacks to a vendor cloud and no data exfiltration for \"model improvement.\"\n\nThe orchestrator is a ~600-line LangGraph in [`services\u002Fagents\u002F`](services\u002Fagents\u002F). It is small enough to read end-to-end, swap models in, and patch.\n\n---\n\n## What's new (last 48 hours)\n\nA high-velocity wave of v1.5 console + v8.0 architectural + security changes landed on `main` over the last two days. `VERSION` is still `7.3.1`; everything below is captured under `[Unreleased]` in [`CHANGELOG.md`](CHANGELOG.md) and will tag with the v8.0 cut.\n\n**Console workbenches (v1.5 PR-1 → PR-6)** — the SOC operator surface is now a workbench, not a list.\n- **Global time-window selector + topbar context** — one selector at the top of the console drives every page (Alerts, Cases, Hunts, Funnel KPIs, Pipeline Health). Persists across reloads, deep-linkable as a URL param.\n- **Tenant switcher + role badge** — MSSP operators flip tenants from the topbar; the role badge makes it impossible to confuse a `viewer` session with an `admin` session. New endpoint: `GET \u002Fapi\u002Fv1\u002Ftenants\u002Fme\u002Fidentity`.\n- **Critical severity tier** — the severity ladder is now `info | low | medium | high | critical`. Vendor-native criticals (Azure 5-tier, GCP SCC, GitHub `critical`, ServiceNow priority 1, GuardDuty ≥ 8.0, AuditD identity-destruction, K8s `cluster-admin`, Tailscale tailnet lockdown) map straight through instead of being collapsed into `high`. Confidence (`alert.confidence`, 0–100, band `low|medium|high`) is now decoupled from severity and emitted by `services\u002Ffusion` `ConfidenceScorer`.\n- **Operations funnel + pipeline health** — new `\u002Fmetrics\u002Ffunnel` and `\u002Fhealth\u002Fpipeline` endpoints feed the `FunnelKpiBar` (Detected → Triaged → Investigated → Resolved) and an Efficiency Report so SOC leads can answer \"where are we losing time?\" without a Grafana detour. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Ffunnel-kpis.md`](apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Ffunnel-kpis.md).\n- **Investigation Rail (W6 \u002F PR-4)** — `\u002Falerts` is now a two-pane workbench with narrative, related entities (`pivotPath` deep links), 6-event mini-timeline, and structured recommended actions. Fusion writes a deterministic correlation narrative at fuse time. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Finvestigation-rail.md`](apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Finvestigation-rail.md).\n- **Investigation Queue workbench (PR-5 \u002F W7)** — `\u002Fqueue` is the page a Tier-1 analyst lives on: server-anchored SLA countdowns, atomic claim semantics, one-click triage actions. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Fqueue.md`](apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Fqueue.md).\n- **Rule Tuning workbench (PR-6 \u002F W8)** — `\u002Fdetection\u002Ftuning` ranks noisy rules by precision impact and ships one-click suppression + allow-list edits with full audit trail. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Frule-tuning.md`](apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Frule-tuning.md).\n- **Zero-prerequisite installer** — `install.sh` \u002F `install.ps1` now bootstrap from a clean machine (Docker, Compose, Node, pnpm, Python) with idempotency and a graduated `uninstall.sh`. Documented in [`apps\u002Fdocs\u002Fdocs\u002Finstallation.md`](apps\u002Fdocs\u002Fdocs\u002Finstallation.md), surfaced as **Path 0** in the [quickstart](apps\u002Fdocs\u002Fdocs\u002Fquickstart.md).\n\n**v8.0 wave-1 (architectural foundation, PR [#125](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F125))** — the foundation for the v8.0 line.\n- **Graph at ingest** — Neo4j entity graph (17 node labels, 14 edge types) written inline with Kafka consumption. Batched UNWIND upserts + fire-and-forget retry queue keep ingest latency budget intact. Schema doc: [`apps\u002Fdocs\u002Fdocs\u002Farchitecture\u002Fgraph-schema.md`](apps\u002Fdocs\u002Fdocs\u002Farchitecture\u002Fgraph-schema.md).\n- **Four-agent rebrand** — `DetectAgent`, `TriageAgent`, `HuntAgent`, `RespondAgent` are now the public façade; back-compat aliases preserve existing imports. Funnel KPI doc: [`apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Ffunnel-kpis.md`](apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Ffunnel-kpis.md).\n- **`\u002Fhunt` natural-language surface** — type a hypothesis in English, get ES|QL \u002F SPL \u002F KQL templates back, save and schedule the hunt. HuntAgent never writes raw queries. Saved hunts deep-link into the Investigation Rail via `pivotPath`.\n- **Sixteen first-party connectors** — wave-1 (`tines`, `torq`, `falco`, `pagerduty`, `opsgenie`, `confluence_audit`) and wave-2 fixtures (`cloudflare_zt`, `sysdig`, `vault`, `snowflake`). Five severity tiers preserved end-to-end.\n- **L0–L4 automation maturity model** — [`apps\u002Fdocs\u002Fdocs\u002Fconcepts\u002Fautomation-maturity.md`](apps\u002Fdocs\u002Fdocs\u002Fconcepts\u002Fautomation-maturity.md) plus the marketing surfaces. Ladder: L0 manual → L4 fully autonomous closure with human sign-off.\n- **Public weekly benchmark scoreboard** — [`apps\u002Fdocs\u002Fdocs\u002Fbenchmark-scoreboard.mdx`](apps\u002Fdocs\u002Fdocs\u002Fbenchmark-scoreboard.mdx) reads `apps\u002Fdocs\u002Fstatic\u002Fdata\u002Fscoreboard.json`, refreshed weekly by `.github\u002Fworkflows\u002Fwet-eval.yml`. Substrate rows are visually separated from wet-eval rows — substrate numbers can never be quoted as live agent performance.\n\n**Security & correctness wave** — 12 critical\u002Fhigh CVE-class fixes shipped before the v8.0 cut. See [`apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fsecurity.md`](apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fsecurity.md) for the full inventory.\n- Rule-engine `eval()` RCE eliminated — conditions are parsed to a whitelisted AST in [`services\u002Fapi\u002Fapp\u002Fservices\u002Frules_engine.py`](services\u002Fapi\u002Fapp\u002Fservices\u002Frules_engine.py) ([#116](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F116)).\n- `\u002Fhunts` and `\u002Fcases` tenant isolation enforced at the **query layer** (`WHERE tenant_id = …`), not via RLS alone ([#117](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F117), [#118](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F118)).\n- CORS lockdown — a shared `cors.py` is vendored byte-identical into every Python service and refuses to start with `*` + credentials in production ([#119](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F119)).\n- Playbook SSRF guard — every outbound `http_request` \u002F `notify` runs through [`services\u002Fagents\u002Fapp\u002Fplaybook\u002Fssrf_guard.py`](services\u002Fagents\u002Fapp\u002Fplaybook\u002Fssrf_guard.py) with a cloud-metadata block list ([#120](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F120)).\n- Plugin-manager OCI install hardening — signed manifests verified against an allow-list, image digests pinned and re-verified on every load ([#121](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F121)).\n- Audit-log integrity (H-4 + M-12) — `actor_ip` spoofing closed via the new `TRUSTED_PROXIES` allow-list, secrets stripped from `changes`, hash-chain tamper-proofing ([#122](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F122)).\n- `\u002Falerts\u002Fsubmit` abuse + replay hardening — payload caps (events \u002F per-event bytes \u002F total bytes), `Idempotency-Key` header, recursive `raw_event` redaction, timestamp clamping ([#123](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F123)).\n- Pydantic v1 → v2 settings migration ([#124](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F124)), bounded `eval()` + playbook timeouts ([#126](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F126)), one-flag dev-mode (`AISOC_DEV_MODE` — supersedes `DEV_MODE` \u002F `SKIP_AUTH` \u002F `AISOC_DEMO_MODE`, [#127](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F127)), untrusted-enrichment sanitisation before LLM ([#128](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F128)).\n- Python CodeQL alert count on `main` driven to zero ([#133](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F133), [#136](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F136), [#137](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F137)); enforced as a CI gate going forward.\n- First community contribution merged: [#135](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fpull\u002F135) (UEBA env-var alignment, closes [#134](https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC\u002Fissues\u002F134)). Every UEBA variable accepts both unprefixed (`DATABASE_URL`) and legacy (`UEBA_DATABASE_URL`) forms; unprefixed wins.\n\n**Stage 2 \u002F Stage 3 platform additions** — landed alongside v8.0 wave-1.\n- **Wazuh Indexer ingest connector** — polls `wazuh-alerts-*` over HTTPX, paginates time-windowed queries, retries on 5xx; collapses Wazuh severity into the AiSOC ladder. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fconnectors\u002Fwazuh.md`](apps\u002Fdocs\u002Fdocs\u002Fconnectors\u002Fwazuh.md). The connector registry now declares **52 first-party connectors**.\n- **auditd `file_tail` connector + `aisoc.rules` profile** — replaces the host-agent dependency for Linux endpoint visibility; 4 new detections pivot on the bundled `aisoc_*` audit keys. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fconnectors\u002Fauditd.md`](apps\u002Fdocs\u002Fdocs\u002Fconnectors\u002Fauditd.md).\n- **Live Actions dispatcher** — generic vendor\u002Fcapability surface so plugins can register executors against the in-tree taxonomy (`isolate_host`, `disable_user`, `block_ip`, …) without forking. Unknown pairs return a typed `LiveActionResult(FAILED, \"executor_not_found\")` — never a 500. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fconcepts\u002Flive-actions.md`](apps\u002Fdocs\u002Fdocs\u002Fconcepts\u002Flive-actions.md).\n- **Deterministic NL → ES|QL \u002F KQL \u002F SPL translator** — replaces the template fallback in `\u002Fnl_query` with an IR + grammar validator; 50-pair gold eval set scores 100% syntactic, 100% semantic. Air-gapped by default; optional `gpt-4o-mini` enhancement falls back deterministically.\n- **STIX → MISP push** — every STIX 2.1 indicator\u002Fbundle published through `\u002Fapi\u002Fv1\u002Fthreatintel\u002Fstix\u002F...` can now be mirrored into the configured MISP instance. Air-gap gated, with a `?push_to_misp=true` query param and a dry-run endpoint for air-gapped audits. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fintegrations\u002Fmisp-push.md`](apps\u002Fdocs\u002Fdocs\u002Fintegrations\u002Fmisp-push.md).\n- **GCP Cloud Run + Cloud SQL Terraform skeleton** — serverless-first BYOC equivalent of the existing AWS module. One `terraform apply` stands AiSOC up on GCP with private-IP networking, Secret Manager, and Artifact Registry. Docs: [`apps\u002Fdocs\u002Fdocs\u002Fdeployment\u002Fgcp.md`](apps\u002Fdocs\u002Fdocs\u002Fdeployment\u002Fgcp.md).\n- **Blameless case post-mortem endpoint** — `GET \u002Fapi\u002Fv1\u002Fcases\u002F{case_id}\u002Fpostmortem?format=json|html` produces a deterministic retrospective covering contributing factors, detection timing\u002Fgaps, response phases, blast radius, and action items. Analyst handles are explicitly redacted from the narrative. Docs: [`apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fcase-reports.md`](apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fcase-reports.md).\n- **Per-rule cross-fire FP gate** — `services\u002Fagents\u002Ftests\u002Ftest_detection_fp_rate.py` replays every rule's `match_when` against every *other* rule's positive fixture; current corpus 816 native rules, worst FPR 0.49% (5% ceiling). Wired into `scripts\u002Frun_evals.py` as `suites.detection_fp_rate`.\n- **Operator-facing documentation refresh** — new pages for [notifications](apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fnotifications.md), [plugin lifecycle](apps\u002Fdocs\u002Fdocs\u002Fplugins\u002Flifecycle.md), and [credentials \u002F vault rotation](apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fcredentials.md); v2.2 architecture diagram and the corrected **52-connector count** (now including Wazuh Indexer + auditd `file_tail`) rolled through every surface.\n\nThe full inventory (with file paths, env-var changes, and test counts) lives in the `[Unreleased]` section of [`CHANGELOG.md`](CHANGELOG.md).\n\n---\n\n## How AiSOC compares\n\n| Capability | AiSOC | Wazuh | Splunk ES | Closed-source AI SOC |\n|---|---|---|---|---|\n| Open-source license | MIT | GPL-2 | proprietary | proprietary |\n| Self-hostable | yes | yes | enterprise-only | cloud-only |\n| Autonomous AI investigation | LangGraph | no | partial (Splunk AI) | yes |\n| Agent decision audit trail | public Investigation Ledger | n\u002Fa | n\u002Fa | not published |\n| Public substrate eval harness | CI-gated, reproducible, with synthetic telemetry corpus + per-template macros | n\u002Fa | n\u002Fa | not published |\n| Detection content | 800 native + 6,000+ imported (Sigma \u002F Splunk \u002F Chronicle \u002F CAR) | 1,200+ rules | 1,000+ apps | curated |\n| Plugin SDK | Python \u002F TypeScript \u002F Go | YAML rules only | apps | proprietary |\n| Data residency | your infra | your infra | partial | vendor cloud |\n| Pricing | $0 (self-host) | $0 (self-host) | per ingest GB | enterprise |\n\nClosed-source AI SOC vendors ship working products. AiSOC's contribution is making the agent itself open, the per-step decision trail readable, and the substrate gated by a public eval harness on every PR targeting `main` \u002F `develop`.\n\n---\n\n## Deploy in 60 seconds\n\nFour frictionless paths to a running, seeded AiSOC instance with `INC-RT-001` (the LockBit 3.0 ransomware showcase) already mid-investigation when you land on it. Each path runs `alembic upgrade head` and `python -m app.scripts.seed_demo` as part of its lifecycle, so the seeded data is present without a manual step.\n\n### 0. One-click installer — zero prerequisites\n\nDon't have Docker, Node, pnpm, or even git installed? Use the bootstrap installer. It detects your OS, installs everything idempotently, clones the repo, and launches the demo.\n\n```bash\n# Linux + macOS (one-liner):\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002Fbeenuar\u002FAiSOC\u002Fmain\u002Finstall.sh | bash\n\n# Windows (PowerShell as Administrator):\niwr -useb https:\u002F\u002Fraw.githubusercontent.com\u002Fbeenuar\u002FAiSOC\u002Fmain\u002Finstall.ps1 | iex\n```\n\nThe installer covers Ubuntu\u002FDebian (`apt`), Fedora\u002FRHEL (`dnf`), Arch (`pacman`), openSUSE (`zypper`), Alpine (`apk`), macOS (`brew`), and Windows (`winget`). On Windows it also handles WSL2 enablement for Docker Desktop. Re-running is safe — every step is idempotent. To uninstall later, `.\u002Funinstall.sh` (Linux\u002FmacOS) or `.\\uninstall.ps1` (Windows). See the [Quick install guide](docs\u002FQUICK_INSTALL.md) for flags, troubleshooting, and what gets installed.\n\n### 1. Render — one click, hosted\n\n[![Deploy to Render](https:\u002F\u002Frender.com\u002Fimages\u002Fdeploy-to-render-button.svg)](https:\u002F\u002Frender.com\u002Fdeploy?repo=https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC)\n\nRender reads [`render.yaml`](render.yaml) at the repo root, provisions Postgres + Redis, and brings up the demo profile (api, agents, web, realtime). The `preDeployCommand` migrates and seeds, so the canonical `INC-RT-001` is present on first boot. Sleep-on-idle on the hobby tier; flip to standard instances for production. Demo runs deterministic-mode by default — no OpenAI\u002FAnthropic key needed. See [`infra\u002Frender\u002FREADME.md`](infra\u002Frender\u002FREADME.md) for cost, scaling, and BYO-LLM details.\n\n### 2. Docker Compose — one command, local\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC.git && cd AiSOC && pnpm aisoc:demo\n```\n\nPulls prebuilt `ghcr.io\u002Fbeenuar\u002F*` images, brings up the slim demo profile (Postgres, Redis, Kafka, api, agents, realtime, web), runs the seeder as a one-shot container, and opens your browser at `\u002Fcases\u002FINC-RT-001?tab=ledger` with `demo@tryaisoc.com` already auto-logged-in. Idempotent: re-running is a no-op against a seeded volume. Target on a clean Mac with a warm Docker daemon: clone-to-investigation in **~3.5 min warm \u002F ~5 min cold**. Stop with `pnpm aisoc:demo:down`. See [One-shot demo](#one-shot-demo) for the timing breakdown and what you'll see on screen.\n\n**Screencast path — `--quick` mode:** for a deterministic four-case demo that runs in under four minutes on a warm laptop (the path the [90-second screencast](apps\u002Fweb\u002Fpublic\u002F.demo-mp4-placeholder) records against), pass `--quick`:\n\n```bash\npnpm aisoc:demo --quick # 4 cases in 4 minutes\n```\n\nThis seeds exactly four cases — `DEMO-001` (spear-phishing), `DEMO-002` (cloud takeover), `DEMO-003` (insider exfil), `DEMO-004` (ransomware) — with byte-stable UUIDs and timestamps, then lands the browser on `DEMO-004`. Re-running cleans the four cases and reseeds, so it doubles as a reset button. Run `pnpm aisoc:demo --help` for the full flag list.\n\n### 3. Fly.io — one script, hosted, persistent\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC.git && cd AiSOC\n.\u002Finfra\u002Ffly\u002Ffly-demo-deploy.sh --provision # first run: also creates Postgres + Upstash\n.\u002Finfra\u002Ffly\u002Ffly-demo-deploy.sh # subsequent runs: deploys updates\n```\n\nIdempotent shell wrapper around `flyctl` that deploys four apps (api, agents, web, realtime) plus managed Postgres + Upstash Redis, wires the `*.internal` 6PN DNS between them, runs migrations + seeding as a `release_command`, and issues TLS certs for your domain. ~$14\u002Fmo at idle. **Time-to-first-investigation budget: \u003C60s from the click**, since the seeder pre-warms a running investigation so the deeplink lands inside the TTFI budget regardless of cold-start. See [`infra\u002Ffly\u002FREADME.md`](infra\u002Ffly\u002FREADME.md) for DNS prerequisites and per-app sizing.\n\n> **Production-grade install?** Skip the demo paths above and use [`infra\u002Fhelm\u002F`](infra\u002Fhelm\u002F) (Kubernetes) or [`infra\u002Fterraform\u002F`](infra\u002Fterraform\u002F) (AWS). Both bring up the full storage tier — ClickHouse, Kafka, OpenSearch, Neo4j, Qdrant — gated behind compose profiles in the demo paths above.\n\n---\n\n## Deployment options\n\nEach target ships a tested config in [`infra\u002F`](infra\u002F):\n\n| Platform | Status | Config | Notes |\n|---|---|---|---|\n| Fly.io | first-class | [`infra\u002Ffly\u002F`](infra\u002Ffly\u002F) | 4 apps, ~$14\u002Fmo. See [infra\u002Ffly\u002FREADME.md](infra\u002Ffly\u002FREADME.md). |\n| Render | supported | [`render.yaml`](render.yaml) + [`infra\u002Frender\u002F`](infra\u002Frender\u002F) | Sleep-on-idle, hobbyist tier. One-click via blueprint button. |\n| Railway | supported | [`infra\u002Frailway\u002Frailway.toml`](infra\u002Frailway\u002Frailway.toml) | PaaS, pay-as-you-go. |\n| Coolify | supported | [`docker-compose.yml`](docker-compose.yml) | Self-hosted on your own VPS. See [infra\u002Fcoolify\u002FREADME.md](infra\u002Fcoolify\u002FREADME.md). |\n| Kubernetes \u002F Helm | first-class | [`infra\u002Fhelm\u002F`](infra\u002Fhelm\u002F) | `helm install aisoc .\u002Finfra\u002Fhelm\u002Faisoc` |\n| AWS \u002F Terraform | first-class | [`infra\u002Fterraform\u002F`](infra\u002Fterraform\u002F) | `cd infra\u002Fterraform && terraform apply` |\n\nThe Render, Railway, and Coolify configs deploy the lean demo profile: api, agents, web, realtime, Postgres, and Redis. ClickHouse, Kafka, OpenSearch, Neo4j, and Qdrant are gated behind compose profiles. For a production-grade install with the full storage tier, use Helm or Terraform.\n\n---\n\n## Use it from Claude, Cursor, or Cody\n\nAiSOC ships an [MCP server](https:\u002F\u002Fmodelcontextprotocol.io) so analysts can query alerts, run agent investigations, and replay every step the agent took without leaving the IDE or chat.\n\n```bash\n# Claude Desktop \u002F Cursor \u002F Continue \u002F Cody\nnpx -y @aisoc\u002Fmcp install --host claude \\\n --aisoc-url https:\u002F\u002Faisoc.your-company.com \\\n --api-key aisoc_pat_xxxxxxxxxxxx\n```\n\nThe server exposes 11 tools — discovery (`aisoc_list_alerts`, `aisoc_list_cases`, `aisoc_query_detections`), deep-dive (`aisoc_get_case`, `aisoc_get_investigation`), and the action\u002Freplay set (`aisoc_run_investigation`, `aisoc_replay_decision`, `aisoc_explain_step`) for walking the agent decision ledger step-by-step.\n\nFull guide: [docs\u002Fintegrations\u002Fmcp](apps\u002Fdocs\u002Fdocs\u002Fintegrations\u002Fmcp.md). Source: [`services\u002Fmcp\u002F`](services\u002Fmcp\u002F). npm: `@aisoc\u002Fmcp`.\n\n---\n\n## What's in the box\n\nAiSOC bundles the components a SOC normally pieces together from separate vendors:\n\n- **Connect data sources in three clicks** — a 50-connector click-and-connect catalog spans EDR\u002FXDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender XDR, Palo Alto Cortex XDR, Cortex XSIAM, VMware Carbon Black, Trellix Helix, Trend Vision One), SIEM (Splunk, Microsoft Sentinel, Elastic, Sumo Logic, Datadog Cloud SIEM, Google Chronicle, Rapid7 InsightIDR), cloud + CNAPP (AWS Security Hub, AWS GuardDuty, AWS CloudTrail, AWS VPC Flow Logs, Azure Activity, Azure Defender, GCP Cloud Audit, GCP SCC, Wiz, Lacework, Tenable, Prisma Cloud, Orca), identity (Okta, Microsoft Entra, Auth0, Duo Security, 1Password), SaaS (Microsoft 365 audit, Google Workspace, Cloudflare, Proofpoint, Mimecast, ServiceNow, Jira, Slack audit, Salesforce, Email inbox), VCS (GitHub, Snyk), endpoint fleet (osctrl, FleetDM for fleet-wide osquery), container + orchestration (Kubernetes audit logs via apiserver webhook or `audit.log` tail), and network (Tailscale, Zscaler, Cisco Umbrella). Each connector renders a schema-driven form, runs a live `Test connection` round-trip before save, encrypts every secret with the application-layer `CredentialVault` (Fernet AES-128-CBC + HMAC-SHA256), and starts polling on a per-instance schedule. Walkthrough: [docs\u002Fconnectors](apps\u002Fdocs\u002Fdocs\u002Fconnectors\u002Findex.md). Threat model + key rotation: [docs\u002Foperations\u002Fcredentials](apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fcredentials.md).\n- **Own your endpoint telemetry** — first-party `aisoc-osquery-tls` FastAPI service (`services\u002Fosquery-tls\u002F`) and `aisoc-direct` lightweight agent connector ship a self-hosted osquery TLS plugin, FleetDM-compatible config\u002Flog endpoints, and a direct-from-agent ingest path that bypasses third-party SaaS. Built-in **file integrity monitoring (FIM)** endpoint (`services\u002Fosquery-tls\u002Fapp\u002Fapi\u002Fv1\u002Fendpoints\u002Ffim.py`) ingests `file_events` and synthesizes alerts on writes to `\u002Fetc\u002Fpasswd`, `\u002Fetc\u002Fshadow`, sshd configs, sudoers, and Windows registry hives; bundled osquery packs cover incident response, OSquery-ATT&CK, and FIM out of the box. **16 native osquery detections** (`detections\u002Fendpoint\u002Fosquery-*.yaml`, IDs `det-endpoint-281..296`) cover credential access, persistence, lateral movement, defense evasion, and discovery — paired with positive\u002Fnegative test fixtures (`detections\u002Ffixtures\u002Fosquery_*.json`) and CI-gated against the Detection Validation workflow. **Live-query playbook step** (`osquery_live_query`) lets responders push allowlisted distributed queries to single hosts or fleet-wide via osctrl\u002FFleetDM with HMAC-signed ChatOps approval. **5 custom Go-based virtual tables** (`services\u002Fosquery-extensions\u002F`) extend the agent with `aisoc_browser_extensions`, `aisoc_kernel_modules`, `aisoc_attck_persistence`, `aisoc_pending_actions`, and `aisoc_alert_cache` for richer endpoint visibility and bidirectional response. Walkthroughs: [docs\u002Fconnectors\u002Fosctrl](apps\u002Fdocs\u002Fdocs\u002Fconnectors\u002Fosctrl.md), [docs\u002Fconnectors\u002Ffleetdm](apps\u002Fdocs\u002Fdocs\u002Fconnectors\u002Ffleetdm.md).\n- **Ingest** events from any connector into a Kafka spine.\n- **Correlate** them in real time with deduplication, ML scoring, per-alert confidence scoring, and Sigma\u002FYARA detection.\n- **Roll up signal onto entities** — Risk-Based Alerting accumulates time-decayed risk points on the user, host, IP, and domain each alert touches, promotes them to entity-incidents at a tunable threshold, and surfaces an entity-centric queue in the alerts UI. Hits the published 2026 KPI bar of ≥ 50:1 alert-to-incident ratio (CI-gated in [`services\u002Ffusion\u002Ftests\u002Ftest_entity_risk.py`](services\u002Ffusion\u002Ftests\u002Ftest_entity_risk.py)).\n- **Search across SIEMs** — Federated Search fans out a single query to connected Splunk, Microsoft Sentinel, and Elastic instances, translating the query into each target's native dialect (SPL, KQL, ES|QL) via pluggable translators in [`services\u002Fconnectors\u002Fapp\u002Ffederated\u002F`](services\u002Fconnectors\u002Fapp\u002Ffederated\u002F).\n- **Manage detections as code** — Detection-as-Code (DAC) provides a propose → review → eval-gate → promote lifecycle for detection rules. Every proposal carries an eval result from the harness; candidates that regress MITRE accuracy cannot be promoted. Endpoints in [`services\u002Fapi\u002Fapp\u002Fapi\u002Fv1\u002Fendpoints\u002Fdetection_proposals.py`](services\u002Fapi\u002Fapp\u002Fapi\u002Fv1\u002Fendpoints\u002Fdetection_proposals.py).\n- **Run hypothesis-driven hunts on a schedule** — Hunt-as-Code YAML definitions in [`hunts\u002F`](hunts\u002F) declare a hypothesis, MITRE ATT&CK tags, log sources, indicators, and a cron schedule. The hunt engine in [`services\u002Fagents\u002Fapp\u002Fhunt\u002F`](services\u002Fagents\u002Fapp\u002Fhunt\u002F) loads the corpus at startup, runs hunts on their schedule, and stores findings in the DB.\n- **Track detection drift** — the Purple Team service takes ATT&CK coverage snapshots and diffs them over time, so you can see which techniques gained or lost coverage between releases. Implementation in [`services\u002Fpurple-team\u002Fapp\u002Fservices\u002Fdrift.py`](services\u002Fpurple-team\u002Fapp\u002Fservices\u002Fdrift.py).\n- **Verify ChatOps actions** — HMAC-signed approval prompts are sent to Slack or Teams before high-impact SOAR actions execute, with a time-limited verification token. Implementation in [`services\u002Factions\u002Fapp\u002Fexecutors\u002Fchatops.py`](services\u002Factions\u002Fapp\u002Fexecutors\u002Fchatops.py).\n- **Benchmark against adversary LLMs** — a deterministic attacker-LLM mutator generates adversary incidents to test detection resilience. Script: [`scripts\u002Fgenerate_adversary_incidents.py`](scripts\u002Fgenerate_adversary_incidents.py); eval: [`services\u002Fagents\u002Ftests\u002Ftest_adversary_eval.py`](services\u002Fagents\u002Ftests\u002Ftest_adversary_eval.py).\n- **Enrich** every signal with threat intelligence from TAXII 2.1, MISP, OTX, and CISA KEV.\n- **Reason** about attacks via a LangGraph multi-agent system grounded in MITRE ATT&CK.\n- **Detect deviations** with UEBA — per-user behavioural baselines and Z-score anomaly scoring.\n- **Trap adversaries** with HMAC-signed honeytokens (URLs, files, AWS credentials, emails).\n- **Validate coverage** with automated Atomic Red Team and Caldera adversary emulation.\n- **Respond** with blast-radius-aware SOAR actions, every step explainable.\n- **Govern** with multi-tenant RLS, granular RBAC, immutable audit logs, and SOC 2 \u002F ISO 27001 \u002F NIST CSF \u002F PCI-DSS \u002F HIPAA \u002F DORA evidence dashboards.\n- **Manage at scale** with an MSSP parent-tenant console — onboard child tenants, delegate actions cross-tenant, and view rollup metrics in one pane.\n- **Track assets** with an asset inventory that auto-correlates vulnerabilities to alerts and surfaces asset blast radius.\n- **Detect insider threats** with user risk profiles, behavioural indicators, and peer-group deviation scoring.\n- **Gate automation** through L0–L4 maturity tiers — each tier unlocks progressively more autonomous remediation, with per-action whitelist and full audit gate log.\n- **Generate internal threat intelligence** — harvest IOCs from alert history, track threat actors and campaigns, subscribe to external STIX\u002FTAXII feeds, all queryable via the REST API.\n- **Assess cloud posture** with a built-in CSPM\u002FKSPM engine that ingests findings, tracks drift between scan runs, and surfaces a per-provider summary with suppress\u002Fresolve workflows.\n- **Correlate through identities** with a graph of users, devices, and service accounts; link alerts to identity nodes for blast-radius queries and attack-path reconstruction.\n- **Automate board reporting** — schedule PDF\u002FHTML executive summaries, store artefacts, and deliver via email or webhook.\n- **Three-tier agent memory** — session (in-process LRU), working (Redis-backed, 24 h TTL), and institutional (PostgreSQL + pgvector, permanent). Agents carry context across tool calls, cases, and sessions; institutional knowledge survives restarts.\n- **Autonomy guardrails** — per-action confidence thresholds (e.g. `block_ip ≥ 0.90`, `close_alert ≥ 0.60`) gate every autonomous decision. Tenant admins can tighten or loosen thresholds via API; all guard-rail decisions are logged.\n- **Investigation cost telemetry** — every LLM call is tracked by model, prompt tokens, completion tokens, latency, and estimated USD cost. Aggregates are persisted per-run to `aisoc_run_costs` and surfaced in SOC dashboards.\n- **SOC metrics dashboard** — live MTTD, MTTR, False Positive Rate, alert\u002Fcase volumes (rolling 7 d), and ATT&CK technique heatmap. Backed by a real-time API endpoint and a polished React component.\n- **Analyst-override feedback loop with retroactive re-disposition** — analysts correct AI verdicts (`true_positive`, `false_positive`, `benign`, `escalate`) in one click. Corrections persist on the alert, flow into `aisoc_institutional_memory` keyed by an alert signature (category + connector + primary MITRE technique), and adjust FPR metrics automatically. The API surfaces *retroactive candidates* — past alerts in the same tenant matching the same signature whose disposition would now flip — for one-click bulk re-disposition.\n- **Natural-language detection authoring** — describe a threat in plain English; the API translates it to Sigma YAML, KQL (Microsoft Sentinel), SPL (Splunk), and ES|QL (Elastic) simultaneously. Falls back to curated templates when no LLM key is configured.\n- **Closed-loop detection engineering** — when an alert is marked as a false positive, the agent drafts a Sigma rule fix using an LLM, then automatically creates a Detection-as-Code proposal routed through the same human-review DAC workflow. CI re-runs evals on approval; regression gates block regressions.\n- **Natural-language query execution** — ask a security question in plain English (`POST \u002Fnl-query\u002Fexecute`). The API translates it to ES|QL, SPL, and KQL; for Elasticsearch-backed tenants it executes the ES|QL query live and returns structured results, column metadata, and the query text for all three dialects.\n- **Identity-centric investigation timeline** — build a chronological event timeline anchored to any user, device, service account, or IP (`POST \u002Fidentity-timeline\u002Fbuild`). The timeline queries alerts and raw events, annotates each event with the relevant ATT&CK technique, computes an entity risk score, and returns a sorted, deduplicated event list for triage.\n- **Cross-platform detection translation** — convert any detection rule bidirectionally between Sigma YAML, Splunk SPL, Microsoft Sentinel KQL, Elastic ES|QL, and Google Chronicle YARA-L2 \u002F UDM Search (`POST \u002Ftranslation\u002Ftranslate`). An LLM handles complex logic; a regex fallback handles simple field-mapping rules with no external dependency.\n- **Hypothesis-driven hunt workbench** — define a hunt hypothesis in natural language (`POST \u002Fhunts`); the API auto-generates ready-to-execute queries in ES|QL, SPL, and KQL; analysts record findings against any run and the workbench tracks open, completed, and inconclusive hunts.\n- **Phishing triage workflow** — submit raw email text, URLs, attachments, or domain indicators (`POST \u002Fphishing\u002Fsubmit`); the LLM extracts IOCs, assigns a verdict (phishing \u002F benign \u002F spam \u002F malware \u002F unknown), maps to MITRE ATT&CK, and optionally links the submission to an existing case.\n- **Knowledge-base + RAG** — ingest runbooks, policies, SOPs, and wikis (`POST \u002Fkb\u002Fingest`); the API chunks and full-text indexes each document; analysts query with natural language (`POST \u002Fkb\u002Fquery`) and receive the top matching chunks plus an LLM-synthesised answer with citation, backed by PostgreSQL FTS when no vector store is configured.\n\n### v7.0 — buyer-value plan (2026-05-10)\n\nShipped by Beenu Arora \u003Cbeenu@cyble.com>. All 16 workstreams:\n\n- **Slack ChatOps bot** — `\u002Faisoc triage`, `\u002Faisoc approve`, `\u002Faisoc status`, `\u002Faisoc summary` slash commands + interactive approval buttons. Human-in-the-loop gate works from Slack without opening the console. 61 pytest cases. (`services\u002Fslack-bot\u002F`)\n- **Executive digest PDF** — branded A4 PDF with KPI tiles, alert-volume chart, top-rule table, and remediation summary. Auto-emailed Monday 06:00 UTC via APScheduler. (`services\u002Fapi\u002Fapp\u002Fservices\u002Fdigest_pdf.py`, `weekly_digest_task.py`)\n- **AI investigation timeline (replayable)** — 684-line React component rendering the Investigation Ledger as a playable step-by-step timeline with scrubber. (`apps\u002Fweb\u002Fsrc\u002Fcomponents\u002Fcopilot\u002FInvestigationTimeline.tsx`)\n- **Case auto-summary + PDF export** — LLM-powered structured case summary (headline, severity rationale, recommended action, evidence links). (`case_summary.py`, `case_summary_html.py`)\n- **Playbook gallery** — 12 curated packs (Phishing, Ransomware, BEC, IAM Key Compromise, …) with TTP coverage badges and one-click import. 25 YAML templates added under `detections\u002Fplaybooks\u002F`.\n- **GitHub PR integration** — detection proposals automatically create draft PRs against the tenant's detection repo when promoted. (`services\u002Fapi\u002Fapp\u002Fservices\u002Fgithub.py`)\n- **BYOK per-tenant LLM credentials UI** — provider picker (OpenAI, Azure OpenAI, Anthropic, Ollama), API-key input, model selector, temperature slider, and connection test. (`SettingsView.tsx`, `llm_credentials.py`)\n- **WCAG AA accessibility** — axe-core CI gate covers 5 views + 3 modals; sidebar landmark roles, ARIA labels, focus trapping, skip-nav link, colour-contrast fixes. (`apps\u002Fweb\u002Fsrc\u002Ftest\u002Fa11y.test.tsx`)\n- **Light theme persisted in user profile** — stored in `localStorage`, synced to `PATCH \u002Fapi\u002Fv1\u002Fusers\u002Fme\u002Fpreferences`. (`ThemeProvider.tsx`)\n- **Saved views + drag-drop dashboard widgets** — widgets can be dragged, dropped, resized, pinned, removed; layout serialised to `POST \u002Fapi\u002Fv1\u002Fsaved-views`. (`DashboardView.tsx`, `saved_views.py`)\n- **Threat actor attribution engine v0** — weighted IOC \u002F TTP \u002F Tool \u002F Target scoring against three seed actor profiles (APT28, APT29, Lazarus). `POST \u002Factors\u002Fattribute`. (`services\u002Fthreatintel\u002Fapp\u002Factors\u002Fattribution.py`)\n- **Air-gap \u002F Ollama local-LLM mode** — `docker-compose.airgap.yml` override; disables external feed pullers, enables Ollama sidecar; step-by-step deployment guide in docs. (`docker-compose.airgap.yml`, `apps\u002Fdocs\u002Fdocs\u002Foperations\u002Fair-gapped.md`)\n- **MSSP console improvements** — `GET \u002Fmssp\u002Ftenants` aggregation: per-child alert counts, open cases, SLA breach rate, last-seen connector heartbeat; `parent_tenant_id` + `mssp_role` added to `Tenant` model.\n- **Team analytics view** — analyst leaderboard, MTTR per analyst, cases closed per shift, FP rate trend. (`TeamAnalyticsView.tsx`)\n- **Air-gap LLM status endpoint** — reports whether air-gap mode is active and which Ollama models are available; drives the settings UI model picker. (`llm_status.py`)\n\nEverything ships under MIT. Fork it, self-host it, audit it, extend it.\n\n---\n\n## Highlights\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n### Real-time fusion\n- Kafka spine with sub-second ingestion\n- Bloom-filter dedup on 10M+ IOCs\n- LightGBM + Isolation Forest scoring\n- Per-alert confidence scoring (source reliability × indicator fidelity)\n- Risk-Based Alerting entity rollup (≥ 50:1 alert-to-incident, CI-gated)\n- Live WebSocket feed into the console\n\n### AI Copilot\n- LangGraph agents with persistent memory\n- Qdrant RAG over MITRE ATT&CK + tenant data\n- Natural-language threat hunts\n- Every decision traceable end-to-end\n\n### Knowledge graph\n- Neo4j entity graph (hosts, users, alerts, IOCs)\n- Attack-path reconstruction per case\n- Blast-radius gating on automated actions\n\n### UEBA\n- Per-user Welford online baseline (no batch jobs)\n- Z-score anomaly scoring with peer-group analysis\n- Kafka integration: `security.events` → `security.anomalies`\n- Feeds directly into ML fusion scoring\n\n\u003C\u002Ftd>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n### Detection engineering\n- Detection-as-Code (DAC) lifecycle: propose → review → eval-gate → promote\n- Sigma over OpenSearch + ClickHouse\n- YARA file\u002Fmemory scanning\n- KQL, EQL, Lucene, regex query types\n- Community detection catalog with one-click install\n- Detection drift snapshots (ATT&CK coverage deltas between releases)\n- Hunt-as-Code: YAML hunt definitions with cron schedules\n\n### Federated search\n- Fan out a single query to Splunk, Sentinel, and Elastic\n- Pluggable translators: SPL, KQL, ES|QL\n\n### Honeytokens\n- HMAC-SHA256 signed tokens (URL, file, AWS key, email)\n- First-touch webhook alerting\n- Token lifecycle: active \u002F triggered \u002F expired\n- Built-in lure URL copy and share\n\n### Purple Team\n- Atomic Red Team YAML parser + Caldera executor\n- ATT&CK coverage heatmap (tactic × technique)\n- Detection reporting (true positive \u002F false negative)\n- Tabletop exercise session manager\n- Detection drift monitoring\n\n### Governance\n- SAML 2.0 + OIDC SSO\n- Multi-tenant Postgres RLS\n- Granular RBAC (`resource:action` permissions)\n- Immutable audit log with tamper-proof trigger\n- SOC 2, ISO 27001, NIST CSF, PCI-DSS, HIPAA, DORA dashboards\n- MTTD \u002F MTTR \u002F MTTC SLA tracking\n- ChatOps verification (HMAC-signed Slack\u002FTeams approval prompts)\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n---\n\n## Architecture\n\n```mermaid\nflowchart LR\n subgraph Sources[\"Sources\"]\n EDR[\"EDR \u002F XDR\"]\n SIEM[\"SIEM\"]\n Cloud[\"Cloud APIs\"]\n IDP[\"Identity\"]\n Net[\"Network\"]\n end\n\n subgraph Ingest[\"Ingest & Normalize\"]\n Connectors[\"Connectors\\n(Python · 50 vendors)\"]\n OsqueryTLS[\"osquery-tls\\n(Python · host telemetry)\"]\n IngestSvc[\"Ingest worker\\n(Go · OCSF)\"]\n Enrich[\"Enrichment\\n(Go · IOC + Shodan)\"]\n end\n\n subgraph Spine[\"Event Spine\"]\n Kafka[(\"Apache Kafka\")]\n end\n\n subgraph Detect[\"Detect & Reason\"]\n Fusion[\"Fusion\\n(Python · ML)\"]\n UEBA[\"UEBA\\n(Python · baseline)\"]\n TI[\"Threat Intel\\n(TAXII \u002F MISP \u002F OTX)\"]\n Rules[\"Rule engine\\n(Sigma · YARA · KQL)\"]\n Agents[\"AI Agents\\n(LangGraph)\"]\n HT[\"Honeytokens\\n(Python)\"]\n PT[\"Purple Team\\n(ART + Caldera)\"]\n end\n\n subgraph Storage[\"Storage Tier\"]\n PG[(\"PostgreSQL\\nconfig · cases · RLS\")]\n CH[(\"ClickHouse\\nevents · metrics\")]\n OS[(\"OpenSearch\\nIOCs · search\")]\n QD[(\"Qdrant\\nvector RAG\")]\n N4[(\"Neo4j\\nattack graph\")]\n RD[(\"Redis\\ncache · pub\u002Fsub\")]\n end\n\n subgraph Surface[\"Surface\"]\n API[\"Core API\\n(FastAPI)\"]\n RT[\"Realtime\\n(Node · WS + Web Push)\"]\n Web[\"Web Console + Responder PWA\\n(Next.js 14)\"]\n Actions[\"Actions \u002F SOAR\\n(Python)\"]\n Slack[\"Slack Bot\\n(Python · ChatOps)\"]\n MCP[\"MCP Server\\n(TS · stdio)\"]\n end\n\n Sources --> Connectors --> IngestSvc --> Kafka\n OsqueryTLS --> IngestSvc\n IngestSvc --> Enrich --> Kafka\n Kafka --> Fusion --> Kafka\n Kafka --> UEBA --> Kafka\n Kafka --> Rules --> Kafka\n TI --> Storage\n Fusion --> Storage\n HT --> Kafka\n PT --> API\n Agents --> QD\n Agents --> N4\n API --> Storage\n RT --> Kafka\n Web --> API\n Web --> RT\n Actions --> Kafka\n Slack --> API\n Slack --> Actions\n MCP --> API\n```\n\n**v1.5 console:** On `\u002Falerts\u002F[id]`, the **Investigation Rail** surfaces fusion correlation narrative, evidence chips, and Deep Explain (LLM) with audit logging. See [Investigation Rail](apps\u002Fdocs\u002Fdocs\u002Fconsole\u002Finvestigation-rail.md) in the docs site.\n\n### Service map\n\n| Service | Lang | Port | Role |\n|---|---|---|---|\n| `web` | Next.js 14 + React | 3000 | SOC console (alerts detail + Investigation Rail), benchmark scoreboard, marketing landing |\n| `api` | Python · FastAPI | 8000 | Alerts (detail envelope + correlation narrative), cases, RBAC, graph, rules, audit, compliance, detection proposals (DAC), federated search fan-out, SLA tracking |\n| `realtime` | Node.js · `ws` | 8086 | Per-channel WebSocket fan-out + VAPID Web Push |\n| `agents` | Python · LangGraph | 8001 | Multi-agent reasoning + Qdrant RAG + Hunt-as-Code engine & scheduler |\n| `fusion` | Python | 8003 | Dedup + ML scoring (LightGBM, IsoForest), alert confidence, entity risk \u002F RBA, correlation narrative projection for API |\n| `actions` | Python | 8002 | SOAR with blast-radius gating + ChatOps verification |\n| `connectors` | Python | — | Connector polling (APScheduler), credential vault, federated query translators |\n| `threatintel` | Python | 8005 | TAXII \u002F MISP \u002F OTX \u002F KEV polling |\n| `ueba` | Python | 8007 | User & Entity Behavior Analytics |\n| `honeytokens` | Python | 8008 | Honeytoken lifecycle + webhook alerting |\n| `purple-team` | Python | 8006 | Atomic Red Team + Caldera + ATT&CK heatmap + detection drift snapshots |\n| `osquery-tls` | Python | 8091 | Native osquery TLS server — enroll nodes, distribute packs, stream FIM\u002Fprocess\u002Fnetwork telemetry |\n| `osquery-extensions` | Python | — | Custom osquery extensions (AI-powered threat intel table, ML anomaly score table) |\n| `slack-bot` | Python | 8009 | ChatOps surface — interactive approvals for high-blast-radius actions, `\u002Faisoc` slash command, HMAC-signed Slack signature verification |\n| `mcp` | TypeScript | — (stdio) | Model Context Protocol server exposing 11 read-only AiSOC tools (case search, alert detail, IOC pivot, ledger query, DAC lookup, …) to IDE-side AI agents (Claude Code, Cursor, Continue, Cody) |\n| `ingest` | Go | 8081 | OCSF normalization + Shodan\u002FCVE |\n| `enrichment` | Go | 8080 | IOC enrichment (VT, AbuseIPDB, GreyNoise) |\n\n### Storage tier\n\n| Store | Purpose |\n|---|---|\n| PostgreSQL | Tenants, users, cases, detection rules, RBAC, audit log, compliance · Row-level security |\n| ClickHouse | High-cardinality event analytics + alert metrics |\n| OpenSearch | Full-text IOC + actor + report search · Sigma backend |\n| Qdrant | Vector RAG for agents, semantic ATT&CK lookup |\n| Neo4j | Knowledge graph: entities, attack paths, blast radius |\n| Redis | Cache, pub\u002Fsub, IOC bloom filter, enrichment TTL |\n| Kafka | Event streaming spine (raw, fused, vulnerability, anomaly, action) |\n\n---\n\n## Console tour\n\nThe console fuses the analyst's day-zero workflow into one surface:\n\n- **Dashboard** — KPI tiles, trend chart, and a WebSocket-driven event ticker.\n- **Alerts & Cases** — triage queues, status workflow, evidence timeline.\n- **Investigation Ledger** — replayable, step-by-step record of every prompt, tool call, and rationale the agent emitted on a case.\n- **Attack Graph** — Cytoscape + fcose layout over the Neo4j subgraph for a case.\n- **MITRE Heatmap** — coverage tiles with per-tactic technique density.\n- **Threat Hunting** — Sigma \u002F KQL \u002F YARA editor with on-demand hunts.\n- **Detection Rules** — Monaco-powered rule builder with Sigma autocompletion.\n- **Detection Catalog** — community Sigma rules with one-click tenant install.\n- **Threat Intel** — IOC search, feed status, and STIX \u002F MISP source health.\n- **Marketplace** — plugins, playbooks, and detections, with ratings, badges, and category filters.\n- **Playbooks** — community and private playbooks with SOAR automation.\n- **UEBA** — behavioural anomaly feed and peer-group deviation chart.\n- **Honeytokens** — create lures, view trigger log, copy lure URLs.\n- **Purple Team** — ATT&CK heatmap, execution tracker, tabletop sessions.\n- **Compliance** — SOC 2 \u002F ISO 27001 \u002F NIST CSF \u002F PCI-DSS \u002F HIPAA \u002F DORA evidence.\n- **SLA Dashboard** — MTTD, MTTR, MTTC metrics + breach alerts.\n- **Audit Log** — immutable, paginated, tenant-scoped event history.\n- **Benchmark** — public eval harness (alert-reduction measurement plus three substrate self-consistency gates), run in CI.\n- **Investigation Chat** — multi-turn conversational copilot at `\u002Finvestigate` for case-scoped follow-up Q&A.\n- **Coverage Advisor** — MITRE ATT&CK coverage gap finder with prioritized rule recommendations.\n- **Shifts** — outgoing\u002Fincoming analyst handoff dashboard with active cases and queued approvals.\n- **EASM** — external attack surface inventory: assets, exposed services, certificate-expiry monitor.\n- **Noise Tuning** — per-rule false-positive analytics and one-click tuning suggestions.\n- **MSSP Dashboard** — multi-tenant executive rollup with cross-tenant KPIs and SLA posture.\n- **Team Analytics** — analyst leaderboard, MTTR per analyst, disposition accuracy, shift load balance.\n- **Settings → RBAC** — roles, permissions, and user-role assignments.\n- **Ambient Copilot** — context-aware next-action suggestions on alert, case, rule, and playbook pages. Each suggestion runs the right tool with the right payload.\n- **AI Copilot dock** — slide-over invoked with `⌘J` for any page.\n- **Command palette** — global `⌘K` for navigation, quick actions, and Copilot.\n\n### Responder PWA\n\nA separate, installable PWA route at `\u002Fresponder\u002F*` for analysts who carry a pager:\n\n- **Passkey login** — WebAuthn \u002F FIDO2 platform authenticators only, no SMS fallback.\n- **On-call view** — current responder per tenant, surfaced in alerts on the desktop console too.\n- **Approvals queue** — long-lived approval requests for blast-radius-gated SOAR actions, signed off with a hardware-attested passkey.\n- **Push notifications** — VAPID-signed Web Push delivered through `services\u002Frealtime`, following the on-call rotation.\n- **Offline shell** — service worker + cached app shell so the responder surface keeps loading on a flaky carrier link.\n\nSee [`apps\u002Fweb\u002Fsrc\u002Fapp\u002F(responder)\u002F`](apps\u002Fweb\u002Fsrc\u002Fapp\u002F(responder)\u002F) and [`services\u002Fapi\u002Fmigrations\u002F009_responder_pwa.sql`](services\u002Fapi\u002Fmigrations\u002F009_responder_pwa.sql).\n\nThe marketing landing lives at `\u002F` and the console at `\u002Fdashboard`. Both share the same brand tokens.\n\n---\n\n## Quick start\n\n### One-shot demo\n\nTo see AiSOC investigate an in-flight ransomware case in your browser:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC.git\ncd AiSOC\npnpm aisoc:demo\n```\n\nThat single command:\n\n1. Pulls prebuilt images from `ghcr.io\u002Fbeenuar\u002F*` (api, agents, web, realtime).\n2. Brings up the slim demo profile — Postgres, Redis, Kafka, api, agents, realtime, web.\n3. Runs the canonical-data seeder (`services\u002Fapi\u002Fapp\u002Fscripts\u002Fseed_demo.py`) as a one-shot container that exits when finished. The seeder is idempotent: re-running it is a no-op against an already-seeded volume.\n4. Locates `INC-RT-001` — a LockBit 3.0 ransomware investigation that's mid-stream when you arrive (encryption is in progress, the agent is streaming decisions to the Investigation Ledger, an auto-isolation playbook is mid-DAG).\n5. Opens your browser directly at `\u002Fcases\u002FINC-RT-001?tab=ledger`, with the demo analyst (`demo@tryaisoc.com`) already auto-logged-in.\n\nTarget on a clean Mac with a warm Docker daemon: **clone-to-investigation in under 5 minutes**.\n\n| Step | Time |\n|---|---|\n| `docker compose pull` (cold) | ~90s |\n| `docker compose up` + healthchecks | ~60s |\n| Seed canonical data (one-shot container) | ~30s |\n| Kick off live investigation step | ~30s |\n| Total | ~3.5 min warm \u002F ~5 min cold |\n\nWhat you'll see when the browser opens:\n\n- **Investigation Ledger** — the agent's per-step prompt, response, evidence cited, and tool calls for `INC-RT-001`, replayable from any step.\n- **Decision graph** — Cytoscape view of the LangGraph traversal that produced the verdict.\n- **Playbook timeline** — the in-flight ransomware containment DAG, with completed and pending steps.\n- **15 other seeded cases** — phishing, credential access, lateral movement, exfiltration, cloud takeover — across `INC-PH-*`, `INC-CR-*`, `INC-LM-*`, `INC-EX-*`, `INC-CL-*` series, all with populated alerts, IOCs, and ledger artifacts.\n\nWhen you're done: `pnpm aisoc:demo:down` (stops containers and deletes the demo volumes).\n\n#### Hosted, public-internet equivalent\n\nThe same stack ships a Cloudflare Tunnel template (see [Public demo on your own domain](#public-demo-on-your-own-domain)) and tested deployment configs for [Render](render.yaml) and [Fly.io](infra\u002Ffly\u002F) — both wire `alembic upgrade head && python -m app.scripts.seed_demo` into the deploy lifecycle so the same `INC-RT-001` showcase is present after `render blueprint launch` or `fly deploy`.\n\nThe full development quick start with all services (UEBA, Honeytokens, Purple Team, ClickHouse, OpenSearch, Neo4j, Qdrant) is below.\n\n### Public demo on your own domain\n\nThe same demo stack can be reached from the public internet without exposing\nports, opening firewall rules, or paying for a cloud VM. AiSOC ships a\nCloudflare Tunnel template plus a wrapper script that:\n\n1. Brings up the slim demo profile via `pnpm aisoc:demo --no-open` (Postgres, Redis, Kafka, api, agents, realtime, web).\n2. Creates a named `cloudflared` tunnel (or reuses one if it already exists).\n3. Renders an ingress config from [`infra\u002Fcloudflare\u002Fconfig.yml.example`](infra\u002Fcloudflare\u002Fconfig.yml.example) into `~\u002F.cloudflared\u002F\u003Ctunnel-name>.yml`, after validating it with `cloudflared tunnel ingress validate`.\n4. Adds DNS routes on your zone so the apex (`https:\u002F\u002F\u003Cyour-domain>`) and the `api`, `ws`, `docs` subdomains all resolve to the tunnel.\n5. Runs `cloudflared tunnel run` in the foreground (Ctrl+C exits cleanly; the local stack keeps running).\n\nThe result: a publicly reachable, fully self-hosted SOC console, served from\nyour laptop, accepting only traffic that came in through Cloudflare. No\ninbound ports are opened on your router or firewall.\n\n#### Prerequisites\n\n- A domain whose DNS is managed by Cloudflare.\n- The [`cloudflared`](https:\u002F\u002Fdevelopers.cloudflare.com\u002Fcloudflare-one\u002Fconnections\u002Fconnect-networks\u002Fget-started\u002F) CLI installed locally (`brew install cloudflared` on macOS).\n- One of two auth methods (the script accepts either):\n - **(A) Origin-cert flow:** run `cloudflared tunnel login` once on this machine — it drops a `cert.pem` in `~\u002F.cloudflared\u002F` that authorises this host to manage tunnels and DNS records on the zone. The script will then create the tunnel, render the ingress config, and wire DNS automatically.\n - **(B) Tunnel-token flow ★:** create a tunnel in the Cloudflare Zero Trust dashboard (Networks → Tunnels → *Create a tunnel* → Cloudflared), configure the four public hostnames (apex\u002Fapi\u002Fws\u002Fdocs → `localhost:3000\u002F8000\u002F8086\u002F3001`), and copy the `--token ey…` value the dashboard hands you. No `cert.pem` required, no local DNS plumbing. Useful when the browser-based `cloudflared tunnel login` won't write a cert (corporate browsers, headless boxes, etc).\n\n#### Run it\n\n```bash\n# (A) Origin-cert flow — script manages tunnel, ingress, and DNS:\npnpm demo:public # default: tryaisoc.com\nDOMAIN=demo.example.com pnpm demo:public # any zone you control\n\n# (B) Tunnel-token flow — dashboard owns the tunnel, ingress, and DNS:\nexport CLOUDFLARE_TUNNEL_TOKEN='ey…' # paste the token from the dashboard\npnpm demo:public # script auto-detects the token\n\n# Already have the local stack running? Just bring the tunnel up:\npnpm demo:public:tunnel-only # works for both auth modes\n\n# Just provision the tunnel + DNS, but don't run cloudflared\n# (origin-cert flow only — useful before `cloudflared service install`\n# to leave it running 24\u002F7):\nSKIP_RUN=1 pnpm demo:public:setup\n```\n\nAll env vars are forwarded to [`infra\u002Fcloudflare\u002Ftunnel.sh`](infra\u002Fcloudflare\u002Ftunnel.sh):\n`DOMAIN` (apex, default `tryaisoc.com`), `TUNNEL_NAME` (default `aisoc-tryaisoc`,\nignored in token mode), `SUBDOMAINS` (default `\"api ws docs\"`, ignored in token\nmode), `SKIP_DNS=1` (don't touch DNS records), `SKIP_RUN=1` (set up everything\nbut don't run the tunnel), and `CLOUDFLARE_TUNNEL_TOKEN` (switch to flow B).\nRun `bash scripts\u002Fdemo-public.sh --help` to see the full set, or read\n[`infra\u002Fcloudflare\u002FREADME.md`](infra\u002Fcloudflare\u002FREADME.md) for the topology\ndiagram and production-hardening notes (running `cloudflared` as a launchd \u002F\nsystemd service, layering Cloudflare Access in front, etc).\n\n#### Stop it\n\n```bash\n# Ctrl-C in the tunnel terminal stops cloudflared.\n# Then bring the local stack down:\npnpm aisoc:demo:down\n```\n\nThe `tryaisoc.com` instance linked at the top of this README is exactly that:\nthis script, running from a maintainer's machine. The tunnel infra is\nupstream so anyone can do the same on their own domain.\n\n### Full stack (development)\n\n> **Heads-up — this is the developer-build path.**\n> If you just want to *see* AiSOC investigate cases in your browser, use [`pnpm aisoc:demo`](#one-shot-demo) above instead — it pulls prebuilt images from `ghcr.io\u002Fbeenuar\u002F*` and is up in ~5 minutes.\n> The full stack below builds **22 services from source** (Python, Go, Node, Next.js) and brings up a heavy datastore tier (Postgres, Redis, Kafka, ClickHouse, OpenSearch, Neo4j, Qdrant). Only use this path if you're hacking on the source.\n\n#### Prerequisites\n\n- **Docker 24+** with **Docker Compose v2** (built into Docker Desktop). Run `docker compose version` to confirm — Compose v1's `docker-compose` is not supported.\n- **Docker resources**: at minimum **6 GB of RAM** and **20 GB of free disk** allocated to the Docker daemon. On Docker Desktop: *Settings → Resources*. The OpenSearch + ClickHouse + Neo4j + Kafka quartet alone reserves ~3.5 GB at idle; under-provisioning causes silent OOM-kills that surface as opaque \"container exited\" errors.\n- **Node.js 20+** and **pnpm 8+** (`corepack enable` then `corepack prepare pnpm@8.15.1 --activate`).\n- **Go 1.21+** and **Python 3.11+** are only required if you plan to run individual services *outside* the compose stack.\n- A free **8 GB of disk** for the build cache and image layers, on top of the 20 GB allocated to Docker.\n\nRun `pnpm aisoc:doctor` after cloning — it sanity-checks Docker, Compose v2, allocated RAM, and host port availability before you spend 10 minutes on a build that's destined to fail.\n\n#### 1. Clone\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fbeenuar\u002FAiSOC.git\ncd AiSOC\ncp .env.example .env\n```\n\n#### 2. Configure\n\n```env\n# AI providers (one required)\nANTHROPIC_API_KEY=sk-ant-...\nOPENAI_API_KEY=sk-...\n\n# Optional enrichment\nCYBLE_API_KEY=...\nVIRUSTOTAL_API_KEY=...\nABUSEIPDB_API_KEY=...\nGREYNOISE_API_KEY=...\nSHODAN_API_KEY=...\n\n# Optional TAXII feeds\nTAXII_FEEDS=https:\u002F\u002Fcti-taxii.mitre.org\u002Ftaxii\u002F,enterprise-attack,,\n\n# Optional SSO (SAML 2.0)\nSAML_IDP_METADATA_URL=https:\u002F\u002Fyour-idp.example.com\u002Fmetadata\n\n# Optional SSO (OIDC)\nOIDC_DISCOVERY_URL=https:\u002F\u002Fyour-idp.example.com\u002F.well-known\u002Fopenid-configuration\nOIDC_CLIENT_ID=aisoc\nOIDC_CLIENT_SECRET=...\n\n# Optional Purple Team\nCALDERA_URL=http:\u002F\u002Flocalhost:8888\nCALDERA_API_KEY=...\nATOMIC_RED_TEAM_PATH=\u002Fopt\u002Fatomic-red-team\u002Fatomics\n```\n\n#### 3. Boot\n\n```bash\n# Optional: pre-flight check (Docker daemon, RAM, ports) before a long build\npnpm aisoc:doctor\n\n# Build and start all 22 services. Cold first run: 10-20 min (build) + ~90s (warm-up).\n# Subsequent runs reuse cached layers and start in ~90s.\ndocker compose up -d --build\n\n# Watch services come up\ndocker compose ps\n```\n\nThe first invocation on a clean checkout will pull ~5 GB of base images and compile every Python, Go, and Next.js service from source. Plan for **10-20 minutes** on a typical laptop. After that, layers are cached and `docker compose up -d` is roughly 90 seconds.\n\nIf the build aborts, check Docker Desktop *Settings → Resources* — under-provisioning RAM is the #1 cause of opaque failures, particularly for the Kafka, OpenSearch, ClickHouse, and Neo4j containers.\n\n#### 4. Seed demo data\n\n```bash\npnpm seed:demo # generates cases, alerts, IOCs, attack paths, UEBA anomalies\n```\n\n#### 5. Verify\n\n```bash\npnpm aisoc:doctor # health check: ports, containers, demo data, API + WS\n```\n\nIf any check fails, the doctor tells you exactly what to fix before logging in.\n\n#### 5b. Run the public eval harness (optional)\n\n```bash\n# Run all five substrate eval suites against the bundled 200-incident\n# dataset (55 distinct templates) and its companion synthetic_telemetry.jsonl\n# corpus, then write a machine-readable report. The dataset size is fixed by\n# services\u002Fagents\u002Ftests\u002Feval_data\u002Fsynthetic_incidents.json — there is no\n# --count flag.\npython scripts\u002Frun_evals.py --out eval_report.json\n\n# Or run a single eval gate\npytest services\u002Fagents\u002Ftests\u002Ftest_mitre_accuracy.py\npytest services\u002Fagents\u002Ftests\u002Ftest_synthetic_telemetry.py # schema + coverage gate\n\n# Regenerate the dataset and the backing telemetry corpus from scratch\n# (e.g. after adding a template). Both files are written deterministically\n# from a seeded RNG.\npython scripts\u002Fgenerate_eval_incidents.py\n```\n\nThe harness writes `eval_report.json` and `eval_mitre_accuracy_report.json`, which the [public eval harness page](apps\u002Fdocs\u002Fdocs\u002Fbenchmark.md) renders. Each scoring suite reports both a per-case mean and a per-template macro across the 55 templates — the macro is the regression signal that doesn't dilute when the dataset is enlarged. The same harness runs in CI on every PR targeting `main` \u002F `develop` — see [`.github\u002Fworkflows\u002Fci.yml`](.github\u002Fworkflows\u002Fci.yml).\n\nThe harness runs deterministic substrate code (extractors, fusion, templates, judges) against synthetic data — it does not call the live LLM agent. Three of the four scoring metrics are substrate self-consistency gates rather than agent accuracy scores; the synthetic-telemetry suite is a schema\u002Fcoverage gate, not a score. The [benchmark page](apps\u002Fdocs\u002Fdocs\u002Fbenchmark.md) documents what each suite measures and what it does not.\n\n#### 6. Open\n\n| Surface | URL | Notes |\n|---|---|---|\n| Marketing | http:\u002F\u002Flocalhost:3000 | Public landing page |\n| Console | http:\u002F\u002Flocalhost:3000\u002Fdashboard | Default user: `admin@aisoc.local` \u002F `changeme` |\n| API (Swagger) | http:\u002F\u002Flocalhost:8000\u002Fdocs | REST + GraphQL endpoints |\n| Agents | http:\u002F\u002Flocalhost:8001\u002Fdocs | LangGraph runner |\n| UEBA | http:\u002F\u002Flocalhost:8007\u002Fdocs | Behavioural analytics |\n| Honeytokens | http:\u002F\u002Flocalhost:8008\u002Fdocs | Honeytoken lifecycle |\n| Purple Team | http:\u002F\u002Flocalhost:8006\u002Fdocs | Adversary emulation |\n| osquery TLS | http:\u002F\u002Flocalhost:8091\u002Fdocs | Node enrolment + pack distribution + FIM stream (`osquery` profile) |\n| Kafka UI | http:\u002F\u002Flocalhost:8090 | Kafka topic + consumer-group inspector |\n| Realtime WS | ws:\u002F\u002Flocalhost:8086\u002Fws\u002Falerts | Live alert channel |\n| Neo4j | http:\u002F\u002Flocalhost:7474 | `neo4j` \u002F `neo4j_dev_secret` |\n| Grafana | http:\u002F\u002Flocalhost:3001 | `admin` \u002F `admin` (`monitoring` profile) |\n| Jaeger | http:\u002F\u002Flocalhost:16686 | Distributed traces (`monitoring` profile) |\n\n#### Optional profiles\n\n```bash\ndocker compose --profile connectors up -d # CrowdStrike, Splunk, AWS, Okta, Sentinel\ndocker compose --profile monitoring up -d # Prometheus, Grafana, Jaeger, OTel Collector\n```\n\n---\n\n## Monorepo layout\n\n```\nAiSOC\u002F\n├── apps\u002F\n│ ├── web\u002F # Next.js 14 console + marketing landing + Responder PWA route\n│ └── docs\u002F # Docusaurus documentation site\n├── services\u002F\n│ ├── api\u002F # Core REST API + Neo4j graph + rule engine + auth + RBAC + compliance + ledger\n│ ├── ingest\u002F # Go · OCSF normalization · Shodan + CVE\n│ ├── enrichment\u002F # Go · IOC enrichment\n│ ├── fusion\u002F # Python · dedup + ML scoring\n│ ├── agents\u002F # Python · LangGraph + Qdrant RAG + investigation ledger writer\n│ ├── actions\u002F # Python · SOAR + blast-radius gating\n│ ├── threatintel\u002F # Python · TAXII \u002F MISP \u002F OTX \u002F KEV\n│ ├── realtime\u002F # Node.js · per-channel WebSocket fan-out + VAPID Web Push\n│ ├── ueba\u002F # Python · User & Entity Behavior Analytics\n│ ├── honeytokens\u002F # Python · deceptive credential traps\n│ ├── purple-team\u002F # Python · Atomic Red Team + Caldera + ATT&CK\n│ ├── osquery-tls\u002F # Python · native osquery TLS server + FIM + pack distribution\n│ ├── osquery-extensions\u002F # Python · AI threat-intel table + ML anomaly score table\n│ └── mcp\u002F # TypeScript · Model Context Protocol server (@aisoc\u002Fmcp)\n├── integrations\u002F # Connector implementations (CrowdStrike, Splunk, AWS, …)\n├── packages\u002F\n│ ├── types\u002F # Shared TS types\n│ ├── ui\u002F # Shared React primitives\n│ ├── ocsf\u002F # OCSF normalization helpers\n│ ├── sdk-ts\u002F # TypeScript client SDK for AiSOC API (npm: @aisoc\u002Fsdk)\n│ ├── sdk-py\u002F # Async Python client SDK (PyPI: aisoc-sdk)\n│ ├── sdk-go\u002F # Go client SDK + models (module: github.com\u002Fbeenuar\u002Faisoc\u002Fsdk-go)\n│ ├── plugin-sdk-ts\u002F # TypeScript plugin development SDK\n│ ├── plugin-sdk-py\u002F # Python plugin development SDK (PyPI: aisoc-plugin-sdk)\n│ ├── plugin-sdk-go\u002F # Go plugin development SDK (module: github.com\u002Fbeenuar\u002Faisoc\u002Fplugin-sdk-go)\n│ └── aisoc-cli\u002F # CLI: scaffold \u002F validate \u002F publish plugins & detections\n├── detections\u002F # Community Sigma detection rules (YAML)\n├── hunts\u002F # Hunt-as-Code YAML definitions (hypothesis + indicators + schedule)\n├── playbooks\u002F # Community SOAR playbooks (YAML)\n├── plugins\u002F # First-party plugins (Go + Python)\n├── marketplace\u002F # Marketplace index (JSON, generated by scripts\u002Fbuild_marketplace.py)\n├── infra\u002F\n│ ├── coolify\u002F # Coolify (self-hosted Heroku-style PaaS) quickstart\n│ ├── fly\u002F # Fly.io machines + deploy script\n│ ├── railway\u002F # Railway template (railway.toml)\n│ ├── render\u002F # Render blueprint (render.yaml)\n│ ├── terraform\u002F # AWS (VPC, EKS, RDS, ElastiCache, MSK)\n│ └── helm\u002F # Kubernetes Helm chart (HPA, PDB, Ingress per service)\n├── docs\u002F\n│ ├── openapi.yaml # OpenAPI 3.1 spec\n│ ├── architecture\u002F # System design docs\n│ └── operations\u002F # Runbooks + multi-region guide\n└── scripts\u002F\n ├── aisoc-demo.ts # One-shot demo orchestrator (powers `pnpm aisoc:demo`)\n ├── aisoc-doctor.ts # Local health check\n ├── run_evals.py # Public eval harness (per-case + per-template macros, telemetry coverage)\n ├── generate_eval_incidents.py # 200-incident synthetic generator (55 templates) + synthetic_telemetry.jsonl\n ├── build_marketplace.py # Build marketplace\u002Findex.json from detections+playbooks+plugins\n ├── validate_detections.py # YAML schema validation for Sigma detections\n ├── validate_playbooks.py # YAML schema validation for playbooks\n ├── backup.sh # Postgres + ClickHouse + plugins → S3\u002FR2\n ├── restore.sh # Point-in-time restore\n └── generate_runbook.py # Auto-generate runbooks from OTel traces\n```\n\n---\n\n## API reference\n\nThe full OpenAPI 3.1 spec lives at [`docs\u002Fopenapi.yaml`](docs\u002Fopenapi.yaml). Endpoint groups:\n\n| Tag | Prefix | Notes |\n|---|---|---|\n| `auth` | `\u002Fapi\u002Fv1\u002Fauth\u002F` | JWT login, SAML ACS, OIDC callback |\n| `alerts` | `\u002Fapi\u002Fv1\u002Falerts\u002F` | CRUD, bulk status, timeline, detail envelope (`investigation_rail`, `correlation_narrative`, `deep_explain`) |\n| `cases` | `\u002Fapi\u002Fv1\u002Fcases\u002F` | Create, link alerts, evidence |\n| `rules` | `\u002Fapi\u002Fv1\u002Frules\u002F` | Sigma \u002F YARA \u002F KQL CRUD + test |\n| `detections` | `\u002Fapi\u002Fv1\u002Fdetections\u002F` | Catalog browse + install |\n| `detection-proposals` | `\u002Fapi\u002Fv1\u002Fdetection-proposals\u002F` | DAC lifecycle: propose, review, eval-gate, promote |\n| `federated` | `\u002Fapi\u002Fv1\u002Ffederated\u002F` | Fan-out query to connected SIEMs (Splunk, Sentinel, Elastic) |\n| `hunts` | `\u002Fapi\u002Fv1\u002Fhunts\u002F` | Hunt-as-Code: list, get, run, findings |\n| `entity-risk` | `\u002Fapi\u002Fv1\u002Fentity-risk\u002F` | RBA: top entities by risk score, entity detail |\n| `plugins` | `\u002Fapi\u002Fv1\u002Fplugins\u002F` | Registry, publish, rate, approve |\n| `playbooks` | `\u002Fapi\u002Fv1\u002Fplaybooks\u002F` | Community + private p","AiSOC 是一个开源的、基于AI的安全运营中心,旨在通过警报融合、紫队演练、代理辅助分类和MITRE ATT&CK调查来提升网络安全。其核心功能包括利用AI进行安全事件关联与分析,并将整个调查过程(从LLM提示到工具调用)详细记录下来以供回放审查。此外,项目提供了公开的评估框架,确保代码质量。该解决方案适合需要自托管且高度透明的安全操作场景使用,特别适用于那些希望在保持对数据完全控制的同时,利用先进AI技术增强威胁检测与响应能力的企业或组织。",2,"2026-06-11 03:31:44","CREATED_QUERY"]