
aico-soar-system

Developed by MOATAZQ24

AICO Tech - Security Orchestration, Automation and Response Platform

🚀 Overview

AICO Tech is a comprehensive SOAR (Security Orchestration, Automation and Response) platform designed to streamline security operations, automate incident response, and provide intelligent threat analysis.

Phase 1 Features (✅ Completed)

  • Configuration Console: Centralized management for all integrations and settings
  • Dashboard: Real-time monitoring of security incidents and system status
  • Incident Management: Track and manage security incidents with severity levels
  • 12 Integration Categories:
    • General/System Settings
    • Message Bus (Kafka/RabbitMQ)
    • Threat Intelligence (VirusTotal, AbuseIPDB, GreyNoise, RiskIQ)
    • Vulnerability Scanners (Nessus, Qualys, OpenVAS)
    • SIEM/EDR (Elasticsearch, Splunk, CrowdStrike, MS Defender)
    • Policy Engine (OPA, HashiCorp Sentinel)
    • Forensics/Sandbox (Cuckoo, Any.Run, Volatility)
    • Execution/Firewalls (Palo Alto Panorama, Cisco FMC, Intune)
    • Secrets Management (HashiCorp Vault, AWS KMS, Azure Key Vault)
    • Storage (PostgreSQL, Elasticsearch, MinIO/S3)
    • Orchestrator (n8n)
    • Feature Flags (Auto-block, Auto-isolate, ML settings)

📋 Tech Stack

  • Frontend: React 19 + React Router + Space Grotesk Font
  • Backend: FastAPI (Python) + Motor (Async MongoDB)
  • Database: MongoDB
  • Styling: Custom CSS with modern dark theme
  • Architecture: Microservices-ready with RESTful APIs

🎯 Getting Started

Prerequisites

  • Node.js 16+
  • Python 3.11+
  • MongoDB (already running via supervisor)

Available Pages

  1. Dashboard (/dashboard)
    • View total incidents and statistics
    • Monitor incidents by severity (Critical, High, Medium, Low)
    • Track incident status (New, Investigating, Resolved)
    • Check system component status
  2. Configuration Console (/config)
    • Manage all integration settings
    • Test connections to external services
    • Enable/disable features
    • Export/Import configurations
  3. Incidents (/incidents)
    • View all security incidents
    • Filter by severity and status
    • Detailed incident information

🔧 API Endpoints

Configuration Management

  • GET /api/config/{section} - Get configuration for a section
  • POST /api/config/{section} - Update configuration
  • POST /api/config/test-connection - Test connection to a service
  • GET /api/config/export - Export all configurations

Available sections:

  • system, message-bus, threat-intel, vulnerability, siem
  • policy, forensics, execution, secrets, storage
  • orchestrator, features

Incident Management

  • GET /api/incidents - List all incidents
  • POST /api/incidents - Create new incident
  • GET /api/incidents/{id} - Get incident details
  • PUT /api/incidents/{id} - Update incident

Dashboard

  • GET /api/dashboard/stats - Get dashboard statistics

🎨 Design Features

  • Modern Dark Theme: Professional security-focused color scheme
  • Space Grotesk Font: Tech-focused typography
  • Glassmorphism: Backdrop blur effects for depth
  • Color Coded Status: Easy-to-read severity and status badges
  • Responsive Layout: Sidebar navigation with main content area
  • Interactive Elements: Hover effects and smooth transitions

🔐 Security Features

Secret Management

  • All API keys stored as Vault references (e.g., vault:secret/service)
  • Never store secrets in plain text
  • Secure configuration export/import
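The two rules above (API keys only as Vault references, never in plain text) are the kind of check a backend should enforce on POST /api/config/{section} and again on GET /api/config/export. The following is an added example, not code from the aico-soar-system project: it validates a section dict before it is saved and redacts any literal secret on export. The set of secret-bearing key names, the nested-dict section layout, and the assumed Vault reference grammar `vault:<mount>/<path>` (generalised from the README's `vault:secret/service`) are assumptions, not project facts.

```python
"""Added example (not the project's own code): enforce "secrets only as Vault
references" on a config section and redact literals on export.

Assumptions (not from the README): sections are nested dicts, the secret-bearing
key names are those in SECRET_KEYS, and a Vault reference looks like
"vault:<mount>/<path...>" as in the README's "vault:secret/service".
"""
import re
from typing import Any

# Constructed list of keys whose values must be Vault references, never literals.
SECRET_KEYS = {"api_key", "api_token", "password", "client_secret"}

# Assumed reference grammar: "vault:" + mount + one or more "/segment" parts.
VAULT_REF_RE = re.compile(r"^vault:[A-Za-z0-9_\-]+(/[A-Za-z0-9_.\-]+)+$")


def is_vault_reference(value: Any) -> bool:
    """True when the value is a Vault reference rather than a literal secret."""
    return isinstance(value, str) and VAULT_REF_RE.fullmatch(value) is not None


def find_plaintext_secrets(section: dict[str, Any], prefix: str = "") -> list[str]:
    """Return dotted paths of secret-bearing keys whose value is not a Vault reference.

    Walks nested dicts so that {"virustotal": {"api_key": "..."}} is checked too.
    """
    offenders: list[str] = []
    for key, value in section.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            offenders.extend(find_plaintext_secrets(value, path))
        elif key in SECRET_KEYS and not is_vault_reference(value):
            offenders.append(path)
    return offenders


def validate_section(section: dict[str, Any]) -> None:
    """Reject a config update that would persist a secret in plain text."""
    offenders = find_plaintext_secrets(section)
    if offenders:
        raise ValueError("plain-text secret(s) rejected: " + ", ".join(offenders))


def redact_for_export(section: dict[str, Any]) -> dict[str, Any]:
    """Copy of a section that is safe to export: Vault references are kept,
    any literal secret that slipped in is replaced by a marker."""
    out: dict[str, Any] = {}
    for key, value in section.items():
        if isinstance(value, dict):
            out[key] = redact_for_export(value)
        elif key in SECRET_KEYS:
            out[key] = value if is_vault_reference(value) else "<REDACTED>"
        else:
            out[key] = value
    return out


# Constructed sample threat-intel section: one compliant entry, one offending entry.
SAMPLE_THREAT_INTEL = {
    "virustotal": {"enabled": True, "api_key": "vault:secret/threat-intel/virustotal"},
    "abuseipdb": {"enabled": True, "api_key": "ab12cd34ef56"},  # literal key: must be rejected
}

if __name__ == "__main__":
    print("offenders:", find_plaintext_secrets(SAMPLE_THREAT_INTEL))
    print("export view:", redact_for_export(SAMPLE_THREAT_INTEL))
```

Running the validator on the sample flags `abuseipdb.api_key`; the export view keeps the VirusTotal reference as-is and replaces the literal AbuseIPDB key with `<REDACTED>`. Resolving a reference to the real secret belongs in the Vault client at call time, not in the stored configuration.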

Feature Flags

  • Auto Block: Automatically block malicious IPs/domains
  • Auto Isolate: Automatically isolate compromised endpoints
  • ML Auto Retrain: Retrain models with new data
  • AI Summarization: GPT-5 powered incident summaries
  • Human Approval Threshold: Configure when human approval is required (0-100)
  • Rate Limiting: Max auto-actions per hour to prevent cascading effects
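The flags above only reduce risk if every automated block or isolate action passes through one gate that checks them in order: is the action enabled, does the confidence score clear the human-approval threshold, and is the hourly action budget still available. The following is an added example, not code from the aico-soar-system project. The flag field names, the reading of the threshold (a 0-100 score at or above it may run unattended, below it the action is queued for a human), and the one-hour sliding window are assumptions about how the README's flags would be applied.

```python
"""Added example (not the project's own code): a single decision gate that
applies the README's feature flags before any automated response action.

Assumptions (not from the README): flag names below; score is a 0-100
confidence; scores below human_approval_threshold need a human; auto-actions
are counted in a one-hour sliding window and a full window falls back to
human approval instead of dropping the action.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class FeatureFlags:
    auto_block: bool = False
    auto_isolate: bool = False
    human_approval_threshold: int = 80      # 0-100; below this a human must approve
    max_auto_actions_per_hour: int = 10     # rate limit on unattended actions


@dataclass
class ActionGate:
    flags: FeatureFlags
    _recent: deque = field(default_factory=deque)  # epoch seconds of recent auto-actions

    def _prune(self, now: float) -> None:
        # Drop actions older than one hour from the sliding window.
        while self._recent and now - self._recent[0] >= 3600:
            self._recent.popleft()

    def decide(self, action: str, score: int, now: float) -> str:
        """Return 'execute', 'needs_approval' or 'denied' for a proposed action.

        action: 'block' or 'isolate'; score: confidence 0-100; now: epoch seconds.
        """
        enabled = {"block": self.flags.auto_block,
                   "isolate": self.flags.auto_isolate}.get(action)
        if enabled is None:
            raise ValueError(f"unknown action {action!r}")
        if not 0 <= score <= 100:
            raise ValueError("score must be 0-100")
        if not enabled:
            return "denied"                     # flag off: never automate this action
        if score < self.flags.human_approval_threshold:
            return "needs_approval"             # low confidence: route to an analyst
        self._prune(now)
        if len(self._recent) >= self.flags.max_auto_actions_per_hour:
            return "needs_approval"             # budget spent: avoid a cascade
        self._recent.append(now)
        return "execute"


def run_demo() -> list[str]:
    """Feed constructed incidents through a gate and return the decisions."""
    gate = ActionGate(FeatureFlags(auto_block=True, auto_isolate=False,
                                   human_approval_threshold=80,
                                   max_auto_actions_per_hour=2))
    # (action, score, time in seconds) - constructed sample incidents
    incidents = [
        ("isolate", 99, 0.0),     # auto-isolate disabled -> denied
        ("block", 50, 0.0),       # below threshold -> needs_approval
        ("block", 90, 0.0),       # execute (1 of 2 this hour)
        ("block", 95, 10.0),      # execute (2 of 2 this hour)
        ("block", 99, 20.0),      # budget spent -> needs_approval
        ("block", 99, 3700.0),    # window slid past the hour -> execute
    ]
    return [gate.decide(a, s, t) for a, s, t in incidents]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Putting the rate limit after the threshold check means a burst of high-confidence detections degrades to "needs_approval" rather than being silently dropped, which keeps the audit trail intact while still stopping the cascade the README warns about.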

🚀 Upcoming Phases

Phase 2: Phishing Playbook + Orchestration (Next)

  • n8n workflow integration
  • Automated enrichment pipeline
  • AI-powered scoring service
  • Mock SIEM/Firewall/EDR connectors
  • Evidence storage in MinIO
  • Automated response actions

Phase 3: Real Integrations

  • Connect to actual Threat Intelligence APIs
  • OpenAI GPT-5 for AI summarization
  • Real-time incident enrichment
  • Automated playbook execution

Phase 4: Production Hardening

  • OAuth2 authentication
  • mTLS for service communication
  • Production Vault configuration
  • Kubernetes deployment
  • Terraform infrastructure
  • Monitoring and alerting

Built with ❤️ for Security Operations Teams

Current Version: Phase 1 MVP
Last Updated: October 2025
