Erick Cisneros
AI / Machine Learning

AI SOC Analyst

An intelligent, AI-powered Security Operations Center (SOC) analyst tool that leverages OpenAI's API to perform automated threat hunting across Microsoft Defender for Endpoint (MDE), Azure Active Directory, and Azure resource logs.

  • Python
  • OpenAI API
  • Azure Log Analytics
  • KQL

Overview

This tool acts as an agentic AI copilot for SOC analysts, intelligently selecting relevant log sources, querying Azure Log Analytics Workspace, and analyzing results to identify potential security threats. It maps findings to the MITRE ATT&CK framework and provides actionable recommendations.

Environments

  • Microsoft Defender (MDE)
  • Azure Active Directory
  • Azure Resource Logs

Key Features

Intelligent Log Query Selection

Uses OpenAI function calling to automatically determine which log tables and fields to query based on natural language requests from the analyst.

MITRE ATT&CK Mapping

Automatically maps detected threats to MITRE ATT&CK tactics, techniques, and sub-techniques to standardize threat classification.

Multi-Source Threat Hunting

Supports deep analysis across Microsoft Defender for Endpoint (Events, Network, Logon, File), Azure AD (Signins, Audits), and Azure Activity Logs simultaneously.

Structured Threat Logging

Returns findings in structured JSON format detailing IOCs, confidence levels, and tags. Automatically logs all findings to local audit trails.

System Architecture

The project is split into separate modules for orchestration, prompt handling, model management, and guardrails, so that prompt execution stays controlled and the agent's output stays structured:

  • _main.py: Main entry point that orchestrates the workflow
  • EXECUTOR.py: Handles OpenAI API calls, log query execution, and analysis
  • PROMPT_MANAGEMENT.py: Manages system prompts, tool definitions, and hunting logic
  • MODEL_MANAGEMENT.py: Handles model selection, token counts, and API rate limiting
  • GUARDRAILS.py: Validates allowed tables, fields, and models to prevent abuse
  • UTILITIES.py: Provides helper functions for sanitization and visualization
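The guardrail step is the one a practitioner will want to see concretely: the table and field names the model picks through function calling are untrusted input, and they must be checked against an allow-list before they are concatenated into KQL. The following is an added example, not the project's GUARDRAILS.py. The specific allowed tables, columns, model names and limits are assumptions for illustration (the tables and columns are real Log Analytics / Defender schema names, but the page does not say which ones the tool permits); the sample tool-call arguments are constructed.

```python
"""Allow-list guardrails for model-chosen log queries (added example, not the
project's own GUARDRAILS.py). A prompt-injected or simply wrong model could
name an arbitrary table or smuggle KQL operators into a field name, so nothing
from the model reaches the KQL string unless it matches an allow-list."""
import re
from dataclasses import dataclass, field

# Hypothetical allow-list: the log sources the page names and a few columns
# for each. A real deployment would enumerate columns from the workspace schema.
ALLOWED_TABLES = {
    "DeviceEvents": {"TimeGenerated", "DeviceName", "ActionType", "InitiatingProcessCommandLine"},
    "DeviceNetworkEvents": {"TimeGenerated", "DeviceName", "RemoteIP", "RemotePort"},
    "DeviceLogonEvents": {"TimeGenerated", "DeviceName", "AccountName", "LogonType"},
    "DeviceFileEvents": {"TimeGenerated", "DeviceName", "FileName", "SHA256"},
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "IPAddress", "ResultType"},
    "AuditLogs": {"TimeGenerated", "OperationName", "Result"},
    "AzureActivity": {"TimeGenerated", "OperationNameValue", "Caller"},
}
ALLOWED_MODELS = {"gpt-4o", "gpt-4o-mini"}  # assumption: models the operator approved
MAX_LOOKBACK_HOURS = 24 * 30
MAX_ROWS = 5000

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # a bare KQL identifier, nothing else


class GuardrailError(ValueError):
    """Raised when a model-supplied argument fails validation."""


@dataclass
class QueryRequest:
    table: str
    fields: list = field(default_factory=list)
    lookback_hours: int = 24
    limit: int = 500


def _bounded_int(value, default, upper) -> int:
    """Accept only a real int (not bool) within 1..upper."""
    if value is None:
        return default
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= upper:
        raise GuardrailError(f"integer argument out of range: {value!r}")
    return value


def validate_query_args(args: dict, model: str) -> QueryRequest:
    """Check the tool-call arguments the model produced against the allow-lists."""
    if model not in ALLOWED_MODELS:
        raise GuardrailError(f"model not allowed: {model!r}")
    table = args.get("table")
    if not isinstance(table, str) or not IDENT.match(table) or table not in ALLOWED_TABLES:
        raise GuardrailError(f"table not allowed: {table!r}")
    fields = args.get("fields") or []
    if not isinstance(fields, list) or not fields:
        raise GuardrailError("fields must be a non-empty list")
    for f in fields:
        # Regex first so an error message never echoes an operator-laden string as a "column".
        if not isinstance(f, str) or not IDENT.match(f) or f not in ALLOWED_TABLES[table]:
            raise GuardrailError(f"field not allowed for {table}: {f!r}")
    lookback = _bounded_int(args.get("lookback_hours"), 24, MAX_LOOKBACK_HOURS)
    limit = _bounded_int(args.get("limit"), 500, MAX_ROWS)
    return QueryRequest(table, list(fields), lookback, limit)


def build_kql(req: QueryRequest) -> str:
    """Assemble KQL only from validated identifiers and bounded integers."""
    return (
        f"{req.table}\n"
        f"| where TimeGenerated > ago({req.lookback_hours}h)\n"
        f"| project {', '.join(req.fields)}\n"
        f"| take {req.limit}"
    )


# Constructed sample: arguments a function call might legitimately return.
SAMPLE_GOOD = {"table": "SigninLogs",
               "fields": ["TimeGenerated", "UserPrincipalName", "ResultType"],
               "lookback_hours": 48}
# Constructed sample with a KQL fragment smuggled into a field name.
SAMPLE_BAD = {"table": "SigninLogs", "fields": ["UserPrincipalName | union AuditLogs"]}


if __name__ == "__main__":
    print(build_kql(validate_query_args(SAMPLE_GOOD, "gpt-4o")))
    try:
        validate_query_args(SAMPLE_BAD, "gpt-4o")
    except GuardrailError as e:
        print("rejected:", e)
```

The design point is that the KQL is never templated from model text directly: the model only gets to pick members of sets the operator defined, and everything else (time window, row cap) is a bounded integer. Any argument that fails lands in the audit trail as a rejected request rather than as a query.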

Structured Output Example

findings.json
{
  "findings": [
    {
      "title": "Brief title describing the suspicious activity",
      "description": "Detailed explanation of why this activity is suspicious",
      "mitre": {
        "tactic": "e.g., Execution",
        "technique": "e.g., T1059",
        "sub_technique": "e.g., T1059.001",
        "id": "e.g., T1059, T1059.001",
        "description": "Description of the MITRE technique/sub-technique"
      },
      "log_lines": ["Relevant log lines"],
      "confidence": "Low | Medium | High",
      "recommendations": ["pivot", "create incident", "monitor", "ignore"],
      "indicators_of_compromise": ["IOCs found in logs"],
      "tags": ["privilege escalation", "persistence", "data exfiltration"],
      "notes": "Optional analyst notes"
    }
  ]
}
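Because the model's findings are written to an audit trail, they deserve the same treatment as any other untrusted output: a finding that does not match the schema above (an unknown confidence value, a recommendation outside the fixed set, a sub-technique that does not belong to its technique) should be rejected rather than logged as fact. The validator below is an added example, not the project's code; the constructed sample holds one well-formed finding and one malformed finding so both paths are exercised.

```python
"""Validator for the findings JSON the analyst model returns (added example,
not the project's own code). Each finding is checked against the schema the
page shows before it is accepted into the audit trail."""
import json
import re

CONFIDENCE = {"Low", "Medium", "High"}
RECOMMENDATIONS = {"pivot", "create incident", "monitor", "ignore"}
TECHNIQUE_ID = re.compile(r"^T\d{4}$")
SUB_TECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")
REQUIRED = ("title", "description", "mitre", "log_lines", "confidence",
            "recommendations", "indicators_of_compromise", "tags")


def _str_list(value) -> bool:
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def finding_errors(f: dict) -> list:
    """Return the problems with one finding; an empty list means it is well-formed."""
    errs = [f"missing field: {key}" for key in REQUIRED if key not in f]
    if errs:
        return errs
    if f["confidence"] not in CONFIDENCE:
        errs.append(f"bad confidence: {f['confidence']!r}")
    if not _str_list(f["recommendations"]) or not set(f["recommendations"]) <= RECOMMENDATIONS:
        errs.append("recommendations outside allowed set")
    for key in ("log_lines", "indicators_of_compromise", "tags"):
        if not _str_list(f[key]):
            errs.append(f"{key} must be a list of strings")
    m = f["mitre"]
    if not isinstance(m, dict) or not TECHNIQUE_ID.match(str(m.get("technique", ""))):
        errs.append("mitre.technique must look like T1059")
    elif m.get("sub_technique"):
        st = str(m["sub_technique"])
        # A sub-technique must extend the technique it is filed under.
        if not SUB_TECHNIQUE_ID.match(st) or not st.startswith(m["technique"] + "."):
            errs.append("mitre.sub_technique must extend mitre.technique, e.g. T1059.001")
    if "notes" in f and not isinstance(f["notes"], str):
        errs.append("notes must be a string")
    return errs


def validate_findings(raw: str) -> tuple:
    """Parse a findings document; return (accepted findings, rejected with reasons)."""
    doc = json.loads(raw)
    findings = doc.get("findings") if isinstance(doc, dict) else None
    if not isinstance(findings, list):
        raise ValueError("top-level 'findings' list missing")
    accepted, rejected = [], []
    for idx, f in enumerate(findings):
        errs = finding_errors(f) if isinstance(f, dict) else ["finding is not an object"]
        if errs:
            rejected.append({"index": idx, "errors": errs})
        else:
            accepted.append(f)
    return accepted, rejected


# Constructed sample model output: one well-formed finding, one with a
# sub-technique that does not belong to its technique and a recommendation
# outside the allowed set.
SAMPLE_OUTPUT = json.dumps({"findings": [
    {"title": "PowerShell launched with encoded command",
     "description": "powershell.exe started with -EncodedCommand from an Office parent process",
     "mitre": {"tactic": "Execution", "technique": "T1059", "sub_technique": "T1059.001",
               "id": "T1059, T1059.001", "description": "Command and Scripting Interpreter: PowerShell"},
     "log_lines": ["2024-01-01T10:00:00Z host01 powershell.exe -EncodedCommand <redacted>"],
     "confidence": "High",
     "recommendations": ["create incident", "pivot"],
     "indicators_of_compromise": ["host01"],
     "tags": ["execution"],
     "notes": ""},
    {"title": "Unusual sign-in",
     "description": "Sign-in from a country not previously seen for this account",
     "mitre": {"tactic": "Initial Access", "technique": "T1078", "sub_technique": "T1059.001",
               "id": "T1078", "description": "Valid Accounts"},
     "log_lines": [],
     "confidence": "Medium",
     "recommendations": ["escalate"],
     "indicators_of_compromise": [],
     "tags": ["initial access"]},
]})


if __name__ == "__main__":
    ok, bad = validate_findings(SAMPLE_OUTPUT)
    print(f"accepted {len(ok)}, rejected {len(bad)}: {bad}")
```

Rejected findings are kept with their index and reasons rather than silently dropped, so the audit trail still records that the model produced something the pipeline refused.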