
AI-powered SOC triage POC using Flask and Hugging Face to fetch SIEM alerts, enrich them, and generate structured Markdown reports.

Paulinhx/AI-SOC-POC

AI-SOC POC — README

AI-Powered SOC Triage Agent (secure demo)

This repository contains a ready-to-run POC demonstrating an AI-powered SOC triage agent. It fetches alerts from a mock SIEM, enriches them using a simulated threat intelligence wrapper via a secure MCP-like gateway, and generates a structured Markdown report.

Demo

Watch the agent in action:

SOC Agent Demo


Security Notes on Python Virtual Environments

Using a virtual environment (venv) is critical for security and maintainability:

  • Isolation: Your POC dependencies will not interfere with system Python or other projects.
  • Reproducibility: Exact package versions can be recorded in requirements.txt.
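  • Risk reduction: A malicious or vulnerable package is installed only into the venv, not into the system Python or other projects. A venv is not a sandbox: installed code still runs with your user's privileges.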
  • Secrets handling: Environment variables (like DEMO_JWT_SECRET) can be set per environment and excluded from Git.

Recommended practice:

  • Always activate your venv before running any Python script.
  • Use .gitignore to exclude venv/ and .env files.
  • If experimenting with packages from untrusted sources, create a new venv so they stay separate from this project's dependencies.
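
A preflight check for the practices listed above, as an added example that is not part of the repository: it reports whether the interpreter is running in a venv, whether DEMO_JWT_SECRET is set, and whether .gitignore excludes venv/ and .env. The function names and the 32-character minimum are assumptions.

```python
"""Preflight check (added example, not part of the repository)."""
import os
import sys
from pathlib import Path

REQUIRED_IGNORES = {"venv/", ".env"}   # entries the README says to exclude
MIN_SECRET_LEN = 32                    # assumed minimum, not a value from the repo


def in_virtualenv(prefix=None, base_prefix=None):
    """True when the interpreter runs from a venv (prefix differs from base)."""
    prefix = sys.prefix if prefix is None else prefix
    base_prefix = sys.base_prefix if base_prefix is None else base_prefix
    return prefix != base_prefix


def missing_ignores(gitignore_text):
    """Return required entries absent from the active (non-comment) lines.

    Exact-line match only; patterns such as /venv/ or .env* are not expanded.
    """
    active = set()
    for line in gitignore_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            active.add(line)
    return sorted(REQUIRED_IGNORES - active)


def preflight(env, gitignore_text, venv_active):
    """Collect every problem instead of stopping at the first one."""
    problems = []
    if not venv_active:
        problems.append("not running inside a virtual environment")
    secret = env.get("DEMO_JWT_SECRET", "")
    if not secret:
        problems.append("DEMO_JWT_SECRET is not set")
    elif len(secret) < MIN_SECRET_LEN:
        problems.append(f"DEMO_JWT_SECRET is shorter than {MIN_SECRET_LEN} characters")
    problems += [f".gitignore does not exclude {e}" for e in missing_ignores(gitignore_text)]
    return problems


if __name__ == "__main__":
    path = Path(".gitignore")
    issues = preflight(os.environ, path.read_text() if path.exists() else "", in_virtualenv())
    for issue in issues:
        print(f"[preflight] {issue}", file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Run it from the repository root before starting the gateway; a non-zero exit status means at least one check failed.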

Project structure

AI-SOC POC/
│
├── agent.py                # Main AI triage agent
├── mcp_server.py           # Mock MCP gateway API
├── report_generator.py     # Generates Markdown SOC reports
├── requirements.txt        # Python dependencies
├── .gitignore              # Ignore secrets, venv, reports
├── reports/                # AI-generated reports (auto-created)
│   └── alert_001.md
└── README.md               # Project documentation


Step 1 — Clone the repository

git clone https://github.com/Paulinhx/ai-soc-poc.git
cd ai-soc-poc

Step 2 — Create a secure Python virtual environment (macOS/Linux)

python3 -m venv venv
source venv/bin/activate

Windows (PowerShell):

python -m venv venv
venv\Scripts\Activate.ps1

  • Activate this environment every time before running scripts.
  • Never run code that relies on sensitive environment variables outside the venv.

Step 3 — Install dependencies

pip install -r requirements.txt

requirements.txt:

flask
pyjwt
requests
python-dotenv
transformers
torch

Step 4 — Create .gitignore

venv/
__pycache__/
*.pyc
.env
reports/

This prevents sensitive info and local caches from being pushed.


Step 5 — Start the MCP gateway (mock)

python3 mcp_server.py

  • Starts a Flask server at http://127.0.0.1:8000
  • Securely exposes endpoints for SIEM alerts and threat intel

Step 6 — Run the agent

python3 agent.py

  • Fetches a mock SIEM alert
  • Queries simulated threat intel via MCP
  • Generates a Markdown SOC report at reports/alert_001.md

Step 7 — Open the report

cat reports/alert_001.md

Or in VS Code:

code reports/alert_001.md

Step 8 — Use Cases & Purpose of the POC

This project demonstrates how an AI-powered SOC assistant can:


Goals

  • Automate Level-1 SOC triage → Reduces analyst workload by auto-summarizing alerts.
  • Integrate threat intelligence → Enriches alerts with IP reputation, geolocation, and known vulnerabilities.
  • Standardize reporting → Generates clean Markdown reports ready for hand-off to analysts or management.
  • Demonstrate MCP-like integration → Uses a mock MCP server to simulate secure, structured data exchange between AI, SIEM, and threat intel sources.

Security-Oriented Highlights

  • Local-only processing → No sensitive data leaves your environment.
  • Supports environment-based secrets via .env → Secure for real SOC environments.
  • Uses virtual environments for dependency isolation.
  • Built with modular architecture → Can later integrate real SIEMs, EDR tools, and threat intel APIs securely.

Potential Extensions

  • Replace mock SIEM with Splunk, ELK, Microsoft Sentinel, or integrate directly with a Wazuh MCP Server.
  • Integrate real threat intel feeds like VirusTotal, Shodan, or AbuseIPDB.
  • Add authentication and role-based access to the Flask MCP gateway.
  • Extend Hugging Face AI to generate full incident response recommendations.
