An intelligent AI agent that acts as an automated first responder for security operations centers, providing autonomous threat investigation and response recommendations for organizations without dedicated SOC teams.
Scenario: Your SIEM detects a suspicious IP 203.0.113.100 attempting 50 failed logins in 2 minutes.
Without ThreatSentinel: Page analyst → ⏰ Wait for response → 🔍 Manual investigation → Research threat intel → Assess risk → Write report → Take action (2-6 hours)
With ThreatSentinel: Automatic investigation → Threat intelligence fusion → ⚖️ Risk assessment → 🔥 Auto-block on firewall → Slack alert to team → Investigation report (30 seconds)
The ThreatSentinel SOC Agent is a single autonomous agent that combines tool use, memory, and planning to investigate security events automatically. It acts like an experienced security analyst that never sleeps, analyzing threats 24/7 and providing actionable intelligence through a modern REST API.
- Small/Medium Businesses without dedicated security teams
- Overloaded SOC Teams needing automated first-level triage
- 24/7 Security Coverage without human analysts on-call
- Consistent Response Quality eliminating human error and fatigue
ThreatSentinel (Greek: αἰτία) means "cause" or "reason" - the fundamental principle of investigation. Just as human analysts seek the cause behind security events, ThreatSentinel autonomously investigates the reason behind every threat.
Alternative Names for Enterprise Deployment:
- CyberIntelAgent - For organizations preferring explicit cybersecurity branding
- ThreatSentinel - For companies wanting guardian/protection imagery
- SOC-AI - For simple, direct SOC automation branding
The core agent can be rebranded in backend/config.py to match your organization's naming preferences.
ThreatSentinel/
├── agent/ # Core agent logic
│ ├── planner.py # Decision flow using autonomous reasoning
│ ├── tools.py # Tool definitions: Shodan, VirusTotal, etc.
│ ├── memory.py # Vector memory (SQLite + patterns)
│ ├── reporter.py # Generates final incident report
│ ├── task_queue.py # Priority-based task queue with persistence
│ ├── action_logger.py # Comprehensive action logging & audit
│ └── integrations/ # Modular SOC tool integrations
│ ├── base.py # Abstract base for all integrations
│ ├── firewall.py # Palo Alto, Fortinet, pfSense
│ ├── siem.py # Splunk, QRadar, Azure Sentinel
│ ├── communication.py # Slack, Teams, Email
│ ├── incident.py # ServiceNow, Jira, PagerDuty
│ └── registry.py # Central integration orchestrator
│
├── backend/ # FastAPI backend
│ ├── main.py # API server + lifespan management
│ ├── routes/ # Organized API routes
│ │ ├── investigations.py # Investigation management
│ │ ├── reports.py # Report generation/retrieval
│ │ ├── monitoring.py # Real-time metrics & health
│ │ ├── integrations.py # Integration management
│ │ ├── tasks.py # Task queue management
│ │ └── audit.py # Audit & compliance
│ ├── models.py # Pydantic v2 data models
│ └── config.py # pydantic-settings configuration
│
├── frontend/ # React dashboard
│
├── tests/ # 153 passing tests
│
├── .github/workflows/ci.yml # CI: Python 3.10-3.12, lint, Docker
├── Dockerfile # Production container
├── docker-compose.yml # Full stack deployment
├── requirements.txt
├── main_api.py # Main API entry point
└── env_template # Environment variables template
The ThreatSentinel SOC Agent follows a sophisticated autonomous workflow that mimics human security analyst reasoning:
graph TB
subgraph "Security Event Sources"
SIEM_IN["SIEM Alerts"]
NET_MON["Network Monitoring"]
EDR["Endpoint Detection"]
THREAT_FEED["Threat Feeds"]
end
subgraph "ThreatSentinel SOC Agent Core"
EVENT_CLASSIFIER["Event Classifier"]
PLANNER["SOC Agent Planner"]
INTEL_GATHERER["Intelligence Gatherer"]
RISK_ANALYZER["Risk Analyzer"]
ACTION_ENGINE["Action Engine"]
MEMORY["Agent Memory"]
end
subgraph "Integration Registry"
REGISTRY["Integration Registry"]
BASE_INT["Base Integration"]
ACTION_ORCHESTRATOR["Action Orchestrator"]
end
subgraph "🔥 Firewall Integrations"
PALO_ALTO["Palo Alto Networks"]
FORTINET["Fortinet FortiGate"]
PFSENSE["pfSense"]
end
subgraph "📊 SIEM Integrations"
SPLUNK["Splunk"]
QRADAR["IBM QRadar"]
SENTINEL["Azure Sentinel"]
end
subgraph "💬 Communication Integrations"
SLACK["Slack"]
TEAMS["Microsoft Teams"]
EMAIL["Email SMTP"]
end
subgraph "🎫 Incident Response Integrations"
SERVICENOW["ServiceNow"]
JIRA["Jira"]
PAGERDUTY["PagerDuty"]
end
subgraph "Automated Actions"
BLOCK_IP["Block Malicious IPs"]
CREATE_INCIDENT["Create Incidents"]
SEND_ALERTS["Send Alerts"]
UPDATE_RULES["Update Security Rules"]
ESCALATE["Escalate to Analysts"]
end
subgraph "Human Oversight"
ANALYST["Security Analyst"]
MANAGER["Security Manager"]
AUDIT_TRAIL["Audit Trail"]
end
%% Main workflow
SIEM_IN --> EVENT_CLASSIFIER
NET_MON --> EVENT_CLASSIFIER
EDR --> EVENT_CLASSIFIER
THREAT_FEED --> EVENT_CLASSIFIER
EVENT_CLASSIFIER --> PLANNER
PLANNER --> INTEL_GATHERER
INTEL_GATHERER --> RISK_ANALYZER
RISK_ANALYZER --> ACTION_ENGINE
ACTION_ENGINE --> MEMORY
%% Integration flow
ACTION_ENGINE --> REGISTRY
REGISTRY --> ACTION_ORCHESTRATOR
%% Firewall actions
ACTION_ORCHESTRATOR --> PALO_ALTO
ACTION_ORCHESTRATOR --> FORTINET
ACTION_ORCHESTRATOR --> PFSENSE
PALO_ALTO --> BLOCK_IP
FORTINET --> BLOCK_IP
PFSENSE --> BLOCK_IP
%% SIEM actions
ACTION_ORCHESTRATOR --> SPLUNK
ACTION_ORCHESTRATOR --> QRADAR
ACTION_ORCHESTRATOR --> SENTINEL
SPLUNK --> CREATE_INCIDENT
QRADAR --> CREATE_INCIDENT
SENTINEL --> UPDATE_RULES
%% Communication actions
ACTION_ORCHESTRATOR --> SLACK
ACTION_ORCHESTRATOR --> TEAMS
ACTION_ORCHESTRATOR --> EMAIL
SLACK --> SEND_ALERTS
TEAMS --> SEND_ALERTS
EMAIL --> SEND_ALERTS
%% Incident Response actions
ACTION_ORCHESTRATOR --> SERVICENOW
ACTION_ORCHESTRATOR --> JIRA
ACTION_ORCHESTRATOR --> PAGERDUTY
SERVICENOW --> CREATE_INCIDENT
JIRA --> CREATE_INCIDENT
PAGERDUTY --> ESCALATE
%% Human oversight
PLANNER --> ANALYST
ESCALATE --> MANAGER
ACTION_ORCHESTRATOR --> AUDIT_TRAIL
%% Memory and learning
MEMORY --> PLANNER
ANALYST --> MEMORY
AUDIT_TRAIL --> MEMORY
%% Styling
classDef coreAgent fill:#e1f5fe,stroke:#01579b,stroke-width:2px
classDef firewall fill:#ffebee,stroke:#c62828,stroke-width:2px
classDef siem fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px
classDef comm fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px
classDef incident fill:#fff3e0,stroke:#ef6c00,stroke-width:2px
classDef human fill:#fce4ec,stroke:#ad1457,stroke-width:2px
classDef action fill:#e0f2f1,stroke:#00695c,stroke-width:2px
class EVENT_CLASSIFIER,PLANNER,INTEL_GATHERER,RISK_ANALYZER,ACTION_ENGINE,MEMORY coreAgent
class PALO_ALTO,FORTINET,PFSENSE firewall
class SPLUNK,QRADAR,SENTINEL siem
class SLACK,TEAMS,EMAIL comm
class SERVICENOW,JIRA,PAGERDUTY incident
class ANALYST,MANAGER,AUDIT_TRAIL human
class BLOCK_IP,CREATE_INCIDENT,SEND_ALERTS,UPDATE_RULES,ESCALATE action
The ThreatSentinel SOC Agent Core contains the autonomous components that make intelligent security decisions:
- Event Classifier: Analyzes and categorizes incoming security events from multiple sources
- SOC Agent Planner: Orchestrates the entire investigation workflow with human oversight integration
- Intelligence Gatherer: Executes threat intelligence gathering across multiple APIs and sources
- Risk Analyzer: Performs contextual risk analysis with escalation trigger evaluation
- Action Engine: Generates and prioritizes automated response actions
- Agent Memory: Learns patterns and stores investigation history for continuous improvement
The Integration Registry serves as the central orchestration hub for executing actions across:
🔥 Firewall Integrations: Automatically block malicious IPs/URLs/domains on Palo Alto, Fortinet, and pfSense
📊 SIEM Integrations: Create incidents, rules, and watchlists in Splunk, QRadar, and Azure Sentinel
💬 Communication Integrations: Send rich alerts and escalations via Slack, Teams, and Email
🎫 Incident Response Integrations: Auto-create tickets and alerts in ServiceNow, Jira, and PagerDuty
The agent autonomously executes security responses across your entire technology stack, transforming ThreatSentinel from an advisory system into a fully operational security orchestration platform.
- Self-Operating: Requires no human intervention for basic threat analysis
- Multi-Source Intelligence: Integrates VirusTotal, AbuseIPDB, URLVoid, and internal patterns
- Parallel Processing: Handles multiple investigations concurrently
- Real-Time Analysis: Sub-30 second emergency response for critical threats
- LLM-Style Analysis: Provides step-by-step reasoning like a human analyst
- Risk Scoring: Sophisticated algorithm combining base risk, threat intel, and context
- Pattern Recognition: Learns from attack patterns and escalates repeat offenders
- Contextual Awareness: Considers time, location, user behavior, and network context
- Prioritized Recommendations: Actions ranked by urgency and impact
- Multiple Response Types: BLOCK, ESCALATE, INVESTIGATE, MONITOR, ALERT
- Effort Estimation: Provides time estimates for each recommended action
- Emergency Protocols: Fast-track responses for critical incidents
- Event History: Maintains investigation database for pattern analysis
- Frequency Detection: Identifies unusual activity volumes from IPs/URLs
- Burst Pattern Analysis: Detects rapid-fire attacks and coordinated campaigns
- Adaptive Responses: Adjusts future recommendations based on learned patterns
- FastAPI Backend: Modern, high-performance API with automatic documentation
- Real-time Monitoring: WebSocket endpoints for live metrics and status updates
- Comprehensive Endpoints: Full CRUD operations for investigations, reports, and monitoring
- OpenAPI Documentation: Interactive API docs at
/docs
| Event Type | Description | Example Use Case |
|---|---|---|
| suspicious_ip | IP addresses showing malicious behavior | Brute force attacks, scanning |
| suspicious_url | Potentially malicious websites | Phishing campaigns, malware distribution |
| malware_detection | File-based threats | Trojans, ransomware, backdoors |
| login_anomaly | Unusual authentication patterns | Insider threats, compromised accounts |
| ddos_signs | Distributed denial of service indicators | Network availability threats |
| phishing_attempt | Social engineering attacks | Email-based credential theft |
# Clone the repository
git clone https://github.com/MohibShaikh/ThreatSentinel.git
cd ThreatSentinel
# Create virtual environment (uv recommended, pip works too)
uv venv && source .venv/bin/activate
uv pip install -r requirements.txt
# Or with plain pip:
# python -m venv .venv && source .venv/bin/activate
# pip install -r requirements.txtdocker compose up -d
# API at http://localhost:8000, frontend at http://localhost:3000# Copy configuration template
cp env_template .env
# Open .env and add your API keys (optional - works without keys too):
# VIRUSTOTAL_API_KEY=your_virustotal_key_here
# ABUSEIPDB_API_KEY=your_abuseipdb_key_here
# URLVOID_API_KEY=your_urlvoid_key_here
# Don't have API keys? No problem! ThreatSentinel works with simulated data for testing# Start the ThreatSentinel SOC Agent
python main_api.pyExpected Output:
🛡️ ThreatSentinel SOC Agent Starting...
✅ Agent Planner initialized
✅ Tool Registry loaded (VirusTotal, AbuseIPDB, URLVoid, Shodan)
✅ Agent Memory connected (SQLite)
✅ Integration Registry loaded (10 platforms)
✅ FastAPI server ready
🚀 ThreatSentinel SOC Agent running at: http://localhost:8000
📖 API Documentation: http://localhost:8000/docs
🔍 Health Check: http://localhost:8000/health
Option A: Using Web Browser
- Visit http://localhost:8000/docs
- Click on
POST /api/v1/investigations/ - Click "Try it out"
- Use this sample payload:
{
"event_data": {
"event_type": "suspicious_ip",
"source_ip": "203.0.113.100",
"payload": {
"failed_login_attempts": 25,
"accessed_endpoints": ["/admin", "/login"],
"time_window": "10 minutes"
}
},
"emergency_mode": false
}Option B: Using Command Line
curl -X POST "http://localhost:8000/api/v1/investigations/" \
-H "Content-Type: application/json" \
-d '{
"event_data": {
"event_type": "suspicious_ip",
"source_ip": "203.0.113.100",
"payload": {
"failed_login_attempts": 25,
"accessed_endpoints": ["/admin", "/login"],
"time_window": "10 minutes"
}
},
"emergency_mode": false
}'Sample Investigation Response:
{
"investigation_id": "evt_20240126_143022_1234",
"status": "completed",
"risk_score": 0.75,
"risk_level": "HIGH",
"summary": "Malicious IP detected with active botnet participation",
"recommended_actions": [
{
"action_type": "block_ip",
"target": "203.0.113.100",
"priority": "critical",
"reason": "IP confirmed malicious by threat intelligence"
},
{
"action_type": "send_alert",
"target": "Security team notified of automatic IP block",
"priority": "high"
}
],
"investigation_time": "12.3 seconds",
"threat_intelligence": {
"virustotal_score": 8,
"abuseipdb_confidence": 95,
"known_campaigns": ["Mirai botnet", "Credential stuffing"]
}
}🎉 That's it! ThreatSentinel is now protecting your organization 24/7!
POST /api/v1/investigations/- Submit new security event for investigationGET /api/v1/investigations/{id}- Get investigation status and progressGET /api/v1/investigations/{id}/result- Get complete investigation resultsPOST /api/v1/investigations/bulk- Submit multiple events for batch processingPOST /api/v1/investigations/search- Search historical investigations
POST /api/v1/reports/generate- Generate formatted report from investigationGET /api/v1/reports/{report_id}- Retrieve generated report contentGET /api/v1/reports/{report_id}/download- Download report as fileGET /api/v1/reports/- List all available reports
GET /api/v1/monitoring/metrics- Get current system metricsGET /api/v1/monitoring/metrics/history- Get historical metrics dataWebSocket /api/v1/monitoring/metrics/stream- Real-time metrics streamGET /api/v1/monitoring/system/status- Detailed system status
GET /health- Basic health checkGET /api/v1/stats- Detailed agent statistics
POST /api/v1/tasks/- Create prioritized investigation tasksGET /api/v1/tasks/{task_id}- Get task status and progressDELETE /api/v1/tasks/{task_id}- Cancel pending/active tasksGET /api/v1/tasks/- Queue statistics and worker statusPOST /api/v1/tasks/queue/start- Start task queue workersPOST /api/v1/tasks/queue/stop- Stop task queue gracefullyPOST /api/v1/tasks/queue/cleanup- Remove old completed tasks
GET /api/v1/audit/investigations/{id}/logs- Complete investigation logsGET /api/v1/audit/investigations/{id}/timeline- Investigation timeline viewGET /api/v1/audit/investigations/{id}/export- Export audit trailGET /api/v1/audit/system/health- Overall system health metricsGET /api/v1/audit/components/{component}/performance- Component performanceGET /api/v1/audit/logs/search- Search and filter action logsGET /api/v1/audit/statistics/overview- High-level audit statistics
import requests
# Submit investigation
response = requests.post("http://localhost:8000/api/v1/investigations/", json={
"event_data": {
"event_type": "malware_detection",
"source_ip": "192.168.1.45",
"file_hash": "d41d8cd98f00b204e9800998ecf8427e",
"file_name": "suspicious_document.pdf"
},
"emergency_mode": False
})
investigation = response.json()
investigation_id = investigation["investigation_id"]
# Check status
status_response = requests.get(f"http://localhost:8000/api/v1/investigations/{investigation_id}")
print(status_response.json())
# Get results when completed
result_response = requests.get(f"http://localhost:8000/api/v1/investigations/{investigation_id}/result")
results = result_response.json()# Submit multiple events
batch_response = requests.post("http://localhost:8000/api/v1/investigations/bulk", json={
"events": [
{
"event_type": "suspicious_ip",
"source_ip": "203.0.113.100",
"payload": {"scan_type": "port_scan"}
},
{
"event_type": "login_anomaly",
"source_ip": "172.16.0.100",
"user_id": "jdoe"
}
],
"emergency_mode": False
})// WebSocket connection for real-time metrics
const ws = new WebSocket("ws://localhost:8000/api/v1/monitoring/metrics/stream");
ws.onmessage = function(event) {
const metrics = JSON.parse(event.data);
console.log("Current metrics:", metrics);
};The ThreatSentinel SOC Agent uses a weighted scoring system:
Final Risk Score = (Base Risk × 30%) + (Threat Intel × 50%) + (Context × 20%)
- 🟢 LOW (0.0-0.3): Standard monitoring sufficient
- 🟡 MEDIUM (0.3-0.6): Enhanced monitoring and investigation required
- 🟠 HIGH (0.6-0.8): Immediate investigation and containment needed
- 🔴 CRITICAL (0.8-1.0): Emergency response and escalation required
- API Key Protection: Store credentials in environment variables
- Rate Limiting: Automatic throttling prevents API abuse
- Data Sanitization: Sensitive information excluded from logs
- Audit Trail: Complete investigation history maintained
- Offline Operation: Basic analysis works without external APIs
- No dedicated security team
- Limited cybersecurity expertise
- Need automated threat triage
- Require 24/7 monitoring capability
- First-level threat triage
- Alert fatigue reduction
- Consistent analysis quality
- Rapid incident response
- Initial threat assessment
- Evidence correlation
- Response prioritization
- Documentation automation
- SIEM system integration
- Security orchestration platforms
- Custom security applications
- Automated response workflows
- Reduces human workload by 80%
- Provides consistent analysis quality
- Operates 24/7 without fatigue
- Scales to handle high alert volumes
- Combines multiple threat sources
- Correlates internal and external data
- Identifies campaign patterns
- Reduces false positive rates
- Improves accuracy over time
- Recognizes organization-specific patterns
- Adjusts to emerging threats
- Builds institutional knowledge
- RESTful endpoints with OpenAPI documentation
- Real-time monitoring with WebSockets
- Comprehensive error handling
- Scalable async architecture
- Investigation Speed: 5-15 seconds per event
- Concurrent Processing: Up to 10 events simultaneously
- API Efficiency: Respects rate limits and caches results
- Memory Usage: ~50MB baseline, scales with history
- Accuracy: Continuously improves through pattern learning
- Machine Learning Models: Enhanced pattern recognition
- SIEM Integration: Direct connector development
- Custom Playbooks: Organization-specific response workflows
- Advanced Correlation: Cross-event relationship analysis
- Threat Hunting: Proactive threat discovery capabilities
- Multi-tenant Support: Organization isolation and management
- Advanced Alerting: Email, Slack, and webhook notifications
# Set debug mode
export DEBUG=true
# Run with auto-reload
python main_api.py
# Run tests (153 tests)
pytest tests/ -v
# Run with specific log level
LOG_LEVEL=DEBUG python main_api.py- Interactive Docs: http://localhost:8000/docs
- ReDoc: http://localhost:8000/redoc
- OpenAPI JSON: http://localhost:8000/openapi.json
- New Event Types: Update
backend/models.pyEventType enum - New Tools: Add to
agent/tools.pyand register in ToolRegistry - New Endpoints: Create in appropriate
backend/routes/module - New Monitoring: Extend
backend/routes/monitoring.py
ThreatSentinel includes comprehensive human oversight capabilities for enterprise environments:
Automatic Escalation Triggers:
- Risk score exceeds 0.8 (high-risk threshold)
- Analysis confidence below 0.5 (uncertain cases)
- Critical infrastructure assets involved
- Multiple unknown threat indicators detected
Review Queue Management:
- Priority-based SLA assignments (Critical: 1hr, High: 4hr, Medium: 24hr, Low: 72hr)
- Analyst assignment and workload distribution
- Real-time review status tracking
Audit Trail & Compliance:
- Complete audit logs for all investigation actions
- Analyst feedback tracking for AI improvement
- Investigation decision history for compliance reporting
# Request human review for investigation
POST /api/v1/investigations/reviews/
{
"investigation_id": "evt_20240126_143022_1234",
"reason": "High risk score requires human validation",
"priority": "high",
"risk_score": 0.85,
"confidence_score": 0.45
}
# Get review queue for analysts
GET /api/v1/investigations/reviews/queue?priority=critical
# Assign review to analyst
POST /api/v1/investigations/reviews/{review_id}/assign
{
"analyst_id": "john.doe@company.com"
}
# Submit analyst feedback
POST /api/v1/investigations/reviews/{review_id}/feedback
{
"analyst_id": "john.doe@company.com",
"review_status": "approved",
"accuracy_rating": 4,
"feedback_text": "Analysis accurate, recommend blocking IP",
"false_positive": false
}
# Get audit trail
GET /api/v1/investigations/reviews/{review_id}/auditAI Improvement Through Feedback:
- Analyst accuracy ratings (1-5 scale) adjust AI confidence thresholds
- False positive marking prevents similar misclassifications
- Missed indicator reporting enhances future detection
- Pattern learning from human corrections
Analytics & Metrics:
- Review completion rates and SLA adherence
- AI accuracy trends over time
- False positive reduction tracking
- Escalation trigger effectiveness
🛡️ The ThreatSentinel SOC Agent represents the future of autonomous cybersecurity - intelligent, adaptive, and always vigilant. Deploy your AI security analyst today through a modern REST API! 🛡️
ThreatSentinel now features a comprehensive integration framework that allows it to execute actions across popular SOC tools, not just recommend them. This transforms ThreatSentinel from an advisory system into a fully operational security orchestration platform.
| Category | Tool | Actions Supported |
|---|---|---|
| 🔥 Firewalls | Palo Alto Networks | Block IP, Block URL/Domain, Create Rules |
| Fortinet FortiGate | Block IP, Block URL, Create Policies | |
| pfSense | Block IP, Create Rules, Add to Watchlists | |
| 📊 SIEMs | Splunk | Create Incidents, Alerts, Saved Searches, Watchlists |
| IBM QRadar | Create Offenses, Custom Rules, Reference Sets | |
| Azure Sentinel | Create Incidents, Analytics Rules, Watchlists | |
| 💬 Communication | Slack | Security Alerts, Notifications, Escalations |
| Microsoft Teams | Rich Card Alerts, Notifications, Escalations | |
| HTML Alerts, Notifications, Escalations | ||
| 🎫 Incident Response | ServiceNow | Create/Update Incidents, Escalations |
| Jira | Create Issues, Update Status, Escalations | |
| PagerDuty | Trigger Alerts, Create Incidents, Escalations |
When ThreatSentinel completes an investigation, it can now automatically execute the recommended actions:
# Example: Automatic response to malicious IP
investigation_result = {
"risk_score": 0.85,
"recommended_actions": [
{
"action_type": "block_ip",
"target": "203.0.113.100",
"priority": "high",
"preferred_integrations": ["palo_alto", "fortinet"]
},
{
"action_type": "send_alert",
"target": "Critical IP blocked automatically",
"context": {"severity": "high", "channel": "#security-alerts"}
},
{
"action_type": "create_incident",
"target": "Malicious IP Detected - Automatic Block Applied",
"context": {"severity": "high", "assignment_group": "SOC Tier 2"}
}
]
}
# ThreatSentinel executes all actions automatically across configured tools# List all configured integrations
GET /api/v1/integrations/
# Test integration connectivity
POST /api/v1/integrations/{integration_name}/test
# Execute single action across relevant tools
POST /api/v1/integrations/actions/execute
{
"action_type": "block_ip",
"target": "192.168.1.100",
"context": {"reason": "Malware C2 communication"}
}
# Execute multiple actions in bulk
POST /api/v1/integrations/actions/bulk
{
"actions": [
{"action_type": "block_ip", "target": "203.0.113.100"},
{"action_type": "send_alert", "target": "Threat blocked"},
{"action_type": "create_incident", "target": "Security Event"}
]
}
# Get integration capabilities
GET /api/v1/integrations/capabilities/block_ip
# Health check all integrations
GET /api/v1/integrations/healthConfigure integrations in your environment variables:
# Firewall Integration
PALO_ALTO_HOSTNAME=firewall.company.com
PALO_ALTO_API_KEY=your_api_key
FORTINET_HOSTNAME=fortigate.company.com
FORTINET_API_KEY=your_api_key
# SIEM Integration
SPLUNK_HOSTNAME=splunk.company.com
SPLUNK_TOKEN=your_splunk_token
QRADAR_HOSTNAME=qradar.company.com
QRADAR_SEC_TOKEN=your_sec_token
# Communication Integration
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
SLACK_BOT_TOKEN=xoxb-your-bot-token
TEAMS_WEBHOOK_URL=https://company.webhook.office.com/...
EMAIL_SMTP_SERVER=smtp.company.com
EMAIL_USERNAME=soc-agent@company.com
EMAIL_PASSWORD=your_email_password
# Incident Response Integration
SERVICENOW_INSTANCE_URL=https://company.service-now.com
SERVICENOW_USERNAME=api_user
SERVICENOW_PASSWORD=api_password
JIRA_SERVER_URL=https://company.atlassian.net
JIRA_USERNAME=api_user@company.com
JIRA_API_TOKEN=your_jira_token
PAGERDUTY_API_TOKEN=your_pd_token
PAGERDUTY_ROUTING_KEY=your_routing_key- Event Detection: SIEM detects suspicious activity
- ThreatSentinel Investigation: Autonomous threat analysis and risk scoring
- Automatic Response: Based on risk level, ThreatSentinel executes actions:
- Low Risk: Send Slack notification to SOC team
- Medium Risk: Create Jira ticket + Email alert to analysts
- High Risk: Block IP on firewall + Create ServiceNow incident + PagerDuty alert
- Critical Risk: All of the above + Escalate to security manager
✅ Reduced Response Time: From hours to seconds for threat containment
✅ Consistent Actions: No human error in executing security procedures
✅ Full Audit Trail: Complete logging of all automated actions
✅ Tool Orchestration: Unified control across heterogeneous security stack
✅ Scalable Operations: Handle high-volume threats without additional staff
ThreatSentinel has been enhanced with advanced enterprise features addressing the "Agent Depth" requirements:
- Intelligent Queuing: Emergency > Critical > High > Medium > Low priority processing
- Automatic Retry Logic: Exponential backoff for failed investigations
- Persistent Storage: SQLite-based task persistence across system restarts
- Concurrent Processing: Up to 5 parallel investigation workers
- Timeout Management: Configurable investigation timeouts (default: 5 minutes)
API Endpoints:
# Create high-priority investigation task
POST /api/v1/tasks/
{
"task_type": "investigation",
"priority": "critical",
"payload": {"event_data": {...}},
"timeout_seconds": 180
}
# Monitor task queue
GET /api/v1/tasks/ # Queue statistics
GET /api/v1/tasks/{task_id} # Task status
DELETE /api/v1/tasks/{task_id} # Cancel task
POST /api/v1/tasks/queue/start # Start workers
POST /api/v1/tasks/queue/cleanup # Clean old tasks- SQLite Persistence: Investigation patterns stored permanently
- Pattern Learning: Frequency anomalies, burst detection, time-based analysis
- Similarity Matching: Find related past investigations automatically
- Memory Analytics: Track learning progress and pattern effectiveness
- Configurable Retention: Automatic cleanup of old memories (default: 6 months)
Memory Features:
# Enhanced memory capabilities
- Event embedding and similarity matching
- Pattern insight generation and storage
- Investigation outcome tracking
- False positive learning
- Attack campaign correlation- Detailed Audit Trails: Every action logged with full context
- Performance Metrics: Success rates, duration tracking, error analysis
- Component Monitoring: Individual component health and performance
- Investigation Timeline: Complete step-by-step investigation history
- Compliance Ready: Export audit trails for regulatory requirements
Audit API Endpoints:
# Investigation audit trails
GET /api/v1/audit/investigations/{id}/logs # All logs for investigation
GET /api/v1/audit/investigations/{id}/timeline # Timeline view
GET /api/v1/audit/investigations/{id}/export # Complete audit trail
# System health monitoring
GET /api/v1/audit/system/health # Overall system health
GET /api/v1/audit/components/{component}/performance # Component metrics
GET /api/v1/audit/logs/search?component=... # Search and filter logs
# Administrative
DELETE /api/v1/audit/logs/cleanup?days=90 # Clean old logs
GET /api/v1/audit/statistics/overview # High-level statisticsLearning & Adaptation:
- Pattern Recognition: Detects attack campaigns, repeated offenders, time-based anomalies
- Confidence Scoring: Self-assessment of investigation accuracy
- False Positive Reduction: Learns from analyst feedback to improve accuracy
- Dynamic Thresholds: Risk scoring adapts based on historical performance
Performance Optimization:
- Concurrent API Calls: Parallel threat intelligence gathering
- Intelligent Caching: Avoid redundant API queries for known indicators
- Rate Limit Handling: Automatic throttling and retry logic
- Memory Efficiency: Optimized for 24/7 operation with minimal resource usage
Reliability:
- Graceful Error Handling: Continues operation even when external APIs fail
- Background Task Processing: Non-blocking investigation queuing
- Health Monitoring: Real-time system status and component health checks
- Automatic Recovery: Self-healing capabilities for common failure scenarios
Observability:
- Structured Logging: JSON-formatted logs for SIEM integration
- Metrics Collection: Performance, error rates, investigation success tracking
- WebSocket Monitoring: Real-time metrics streaming for dashboards
- Component Profiling: Individual module performance analysis
# Production-grade ThreatSentinel deployment
import asyncio
from agent import SOCAgentPlanner, TaskQueue, ActionLogger
async def enterprise_ThreatSentinel():
# Initialize with enterprise features
agent = SOCAgentPlanner(
memory_retention_days=180,
confidence_threshold=0.7,
max_concurrent_investigations=10
)
# Start task queue with 5 workers
task_queue = TaskQueue(max_workers=5)
await task_queue.start()
# Enable comprehensive logging
action_logger = ActionLogger()
# Configure auto-scaling based on load
if await task_queue.get_queue_stats()['pending_tasks'] > 20:
# Scale up workers or alert operations team
pass
# 24/7 operation with monitoring
while True:
health = action_logger.get_system_health()
if health['error_rate'] > 10:
# Alert operations team
pass
await asyncio.sleep(60)🎯 These enterprise enhancements transform ThreatSentinel from a basic automation tool into a production-grade, self-managing SOC agent capable of handling enterprise-scale security operations with full audit compliance and continuous learning capabilities.