An on-premise software stack that aims to automate common SOC investigation tasks with AI agents, specifically by performing automated investigations in Security Information and Event Management (SIEM) systems. The stack ingests security case information, generates investigation tasks, and automatically performs the relevant investigations in the SIEM. The models used include an LLM for generation tasks and a custom-designed classifier model for security event correlation.
- A single attacker can trigger a security incident, but incident response often requires many SOC analysts.
- Analysts must review and investigate large volumes of security logs, which leads to:
  - Information fatigue: risking missed evidence and reduced effectiveness
  - Limited specialization: analysts may not have expertise across all areas
  - High effort: correlating security logs is a labor-intensive task
- Ingests security case data to automatically generate investigation plans
- Helps reduce time and effort required to structure an effective incident response
- An experiment showed that the continually pretrained model consistently outperforms openai/gpt-oss:20b in investigation planning: https://github.com/Automatic-Case-Investigator/ACI_Training_Experiment
- Analyzes case data and available configurations (e.g., detection rulesets) to generate precise SIEM queries
- Iteratively queries the SIEM and evaluates potential Indicators of Compromise (IoCs)
- Helps SOC analysts quickly locate pertinent logs, minimizing manual effort
- Developing a workflow for automatically investigating cases when they are added to the SOAR platform
- Developing a pipeline to generate incident response reports based on automatic investigation results
- Implement a live investigation mode that allows users to observe the investigation process as it happens
- Implement dynamic schema enrichment to retrieve additional field context before generating queries, improving query quality and relevance
- Add settings to allow users to use external models
- Developing a generalized scheme allowing human SOC analysts to establish baselines in their organizational settings
- Perform an APT-style adversarial emulation for testing
Figure 1. List of security cases retrieved from the SOAR platform (e.g., TheHive).
Figure 2. Detailed information for a selected case retrieved from the SOAR platform (e.g., TheHive).
Figure 3. Available automation workflows that can be executed for the selected case.
Figure 4. Investigation tasks automatically generated for the case.
Figure 5. Automated investigation identifying a potential implanted reverse shell.
Figure 6. Evidence log retrieved by the automated investigation showing the reverse shell activity.
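As an added illustration of the iterative query-and-pivot loop described above and the reverse-shell case shown in Figures 5 and 6 (example code, not the ACI project's own): a deterministic pivot generator and an in-memory event list stand in for the project's LLM-based query generation and the real SIEM, and every event, field name and rule label below is constructed for the example.

```python
from collections import deque

# Constructed SIEM events standing in for a real log index (hypothetical data).
EVENTS = [
    {"host": "web01", "proc": "nginx", "pid": 1200, "ppid": 1, "cmd": "nginx: worker"},
    {"host": "web01", "proc": "bash", "pid": 4321, "ppid": 1200, "cmd": "bash -i"},
    {"host": "web01", "proc": "bash", "pid": 4321, "dst_ip": "203.0.113.7", "dst_port": 4444},
    {"host": "db01", "proc": "postgres", "pid": 900, "ppid": 1, "cmd": "postgres"},
]

# Constructed detection ruleset: a (field, value) pair that marks a matched
# event as an IoC candidate, mapped to the label a finding would carry.
RULESET = {
    ("dst_port", 4444): "outbound connection on a common reverse-shell port",
    ("cmd", "bash -i"): "interactive shell spawned by a service process",
}

def siem_query(field, value):
    """Stand-in for a SIEM search: exact match on a single field."""
    return [e for e in EVENTS if e.get(field) == value]

def pivots(event):
    """Follow-up (field, value) queries suggested by a matched event."""
    out = []
    if "pid" in event:
        out.append(("pid", event["pid"]))        # same process in other logs
    if "ppid" in event:
        out.append(("pid", event["ppid"]))       # the parent process
    if "dst_ip" in event:
        out.append(("dst_ip", event["dst_ip"]))  # other traffic to that peer
    return out

def investigate(observables, max_queries=20):
    """Breadth-first pivoting from case observables; returns sorted findings as
    (label, host, pid). max_queries bounds the loop on a busy index."""
    queue, seen, findings = deque(observables), set(), set()
    while queue and len(seen) < max_queries:
        query = queue.popleft()
        if query in seen:
            continue
        seen.add(query)
        for event in siem_query(*query):
            for (field, value), label in RULESET.items():
                if event.get(field) == value:
                    findings.add((label, event["host"], event.get("pid")))
            queue.extend(p for p in pivots(event) if p not in seen)
    return sorted(findings)
```

Starting from a single case observable such as the peer IP of an alert, the loop pivots to the process that opened the connection and then to its parent, which is how the interactive shell under the web server surfaces as a finding.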