
Project Information

SentinelAI SOC Assistant

An AI-powered Security Operations Center assistant that analyzes security logs, detects anomalies using a hybrid approach (rule-based + LLM reasoning), and generates explainable incident reports with MITRE ATT&CK technique mapping.

Key Features:

  • Hybrid Detection Engine - Rule-based detection for deterministic reliability combined with LLM analysis for contextual reasoning
  • Privacy-First Architecture - Raw logs never sent to LLM; only structured evidence summaries are analyzed
  • MITRE ATT&CK Mapping - Industry-standard threat classification (T1110.001 Brute Force, T1595 Scanning, T1498 DoS)
  • Multi-Format Log Support - Auth logs (sshd, sudo), Nginx access logs, and flexible JSON logs with auto-field detection
  • Incident Reports - Severity assessment, evidence summary, actionable recommendations, and false positive likelihood
  • RESTful API - Full CRUD for incidents with upload, analysis, status tracking, and health monitoring endpoints

Detection Rules:

  • Brute Force Detection - Failed login attempts from a single IP
  • Suspicious IP Behavior - Multi-user targeting, scanner detection
  • Frequency Anomaly - Request rate spikes, off-hours activity
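The rule-based stage of the brute force and suspicious IP rules above, written as an added illustration for this page (not the project's own code): it parses sshd-style auth lines, groups failures per source IP, and emits only a structured evidence summary (counts, targeted users, technique) of the kind the privacy-first design would hand to the LLM stage. The sample log lines, thresholds and field names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth log sample (not from the project); 203.0.113.5 and
# 198.51.100.7 are documentation-range addresses, not real indicators.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 10 03:12:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 10 03:12:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 10 03:12:07 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51025 ssh2
Jan 10 03:12:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51026 ssh2
Jan 10 03:13:00 host sshd[1206]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 03:14:00 host sshd[1207]: Failed password for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_logins(text):
    """Extract (source_ip, target_user) from each failed sshd login line."""
    return [(m.group("ip"), m.group("user"))
            for line in text.splitlines() if (m := FAILED_RE.search(line))]


def detect_brute_force(text, threshold=5, multi_user_min=3):
    """Rule stage: group failures per source IP and return structured evidence
    summaries instead of raw lines (assumed thresholds, constructed field names)."""
    attempts = defaultdict(list)
    for ip, user in parse_failed_logins(text):
        attempts[ip].append(user)
    findings = []
    for ip, users in attempts.items():
        if len(users) < threshold:
            continue  # below the rule threshold: not reported
        distinct = sorted(set(users))
        multi_user = len(distinct) >= multi_user_min  # scanner-like behaviour
        findings.append({
            "rule": "Suspicious IP Behavior" if multi_user else "Brute Force Detection",
            "technique": "T1110.001",
            "source_ip": ip,
            "failed_attempts": len(users),
            "targeted_users": distinct,
            "severity": "high" if multi_user else "medium",
        })
    return findings
```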