AI-powered SOC analyst for Azure Sentinel threat hunting with GPT and VirusTotal integration.
fyankov96/agentic-soc-analyst

🕵️ Agentic SOC Analyst

An AI-powered threat hunting assistant that integrates with Azure Sentinel and VirusTotal to provide comprehensive security analysis. The tool pulls data directly from your Azure Log Analytics Workspace and enriches findings with threat intelligence.


🚀 Features

  • AI-Powered Threat Detection: Leverages GPT models for intelligent threat analysis
  • Azure Sentinel Integration: Direct connection to your Log Analytics Workspace
  • VirusTotal Integration: Automatic IOC reputation checking and threat intelligence
  • MITRE ATT&CK Integration: Built-in knowledge of tactics, techniques, and procedures
  • Multi-Model Support: Choose from 2 optimized AI models based on complexity and budget
  • Comprehensive Analysis: MDE & MDO telemetry, user sign-ins, Azure Network Security Groups telemetry, and Sentinel incidents

🔗 Integrations

Azure Log Analytics Workspace - Supported Tables:

Microsoft Defender for Endpoint (MDE)

  • DeviceProcessEvents
  • DeviceNetworkEvents
  • DeviceLogonEvents
  • DeviceFileEvents
  • DeviceRegistryEvents
  • AlertInfo
  • AlertEvidence

Microsoft Defender for Office 365 (MDO)

  • EmailEvents
  • EmailAttachmentInfo
  • EmailUrlInfo
  • UrlClickEvents
  • EmailPostDeliveryEvents

Entra ID & Activity

  • SigninLogs
  • AzureActivity

Azure Network

  • AzureNetworkAnalytics_CL

Azure Sentinel

  • SecurityIncident

🛠️ Installation & Setup

Prerequisites:

  • Python 3.8+
  • Azure CLI
  • Azure Log Analytics Workspace ID
  • API Keys: OpenAI, VirusTotal

Step 1: Install Python Dependencies

```shell
git clone https://github.com/fyankov96/agentic-soc-analyst.git
cd agentic-soc-analyst
pip install -r requirements.txt
```

Step 2: Install & Configure Azure CLI

Installation: install the Azure CLI for your platform.

Authentication: run `az login` to authenticate with Azure.

Step 3: Configure API Keys

Add your OpenAI and VirusTotal API keys and your Log Analytics Workspace ID to secrets_.py (keep this file out of version control).

Step 4: Run

```shell
# Run the SOC Analyst
python main.py
```

🎬 Demo & Use Case Examples


Real-World Use Cases

🚨 Incident Investigation

"Can you give me an update on Sentinel Incident #10860 from 2 days ago? I'd like to know its current status"

👤 User Compromise Assessment

"I'm worried that john.smith@example.com might be compromised. Can you take a look at the past 7 days of sign-in and audit activity?"

🌍 Anomaly Detection

"Can you check SigninLogs for the past 2 hours and tell me if we've had any failed logins coming from locations that look unusual?"
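The last prompt asks the assistant to compare recent failed sign-ins against where each user normally signs in from. Below is an added standalone example of that check (not code from the agentic-soc-analyst project) over constructed SigninLogs-shaped rows; the column names (TimeGenerated, UserPrincipalName, ResultType, Location, IPAddress) and the KQL string are assumptions about what the assistant would query.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like SigninLogs records (assumed columns:
# TimeGenerated, UserPrincipalName, ResultType, Location, IPAddress).
# In SigninLogs, ResultType "0" is a success; any other code is a failure.
NOW = datetime(2025, 9, 12, 15, 0, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)
JOHN, JANE = "john.smith@example.com", "jane.doe@example.com"
SAMPLE_SIGNINS = [
    {"TimeGenerated": NOW - 5 * D, "UserPrincipalName": JOHN, "ResultType": "0", "Location": "GB", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": NOW - 1 * D, "UserPrincipalName": JOHN, "ResultType": "0", "Location": "GB", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": NOW - 2 * D, "UserPrincipalName": JANE, "ResultType": "0", "Location": "US", "IPAddress": "203.0.113.20"},
    {"TimeGenerated": NOW - 3 * H, "UserPrincipalName": JOHN, "ResultType": "50126", "Location": "RU", "IPAddress": "198.51.100.5"},  # outside the 2h window
    {"TimeGenerated": NOW - 1 * H, "UserPrincipalName": JOHN, "ResultType": "50126", "Location": "GB", "IPAddress": "203.0.113.10"},  # known location
    {"TimeGenerated": NOW - 0.5 * H, "UserPrincipalName": JOHN, "ResultType": "50126", "Location": "BR", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": NOW - 0.2 * H, "UserPrincipalName": JOHN, "ResultType": "50126", "Location": "BR", "IPAddress": "198.51.100.8"},
    {"TimeGenerated": NOW - 0.1 * H, "UserPrincipalName": JANE, "ResultType": "50126", "Location": "US", "IPAddress": "203.0.113.21"},
]

# Assumed KQL the assistant would send to the workspace for the same question.
FAILED_SIGNIN_KQL = """SigninLogs
| where TimeGenerated > ago(2h) and ResultType != "0"
| summarize Failures = count(), SourceIPs = make_set(IPAddress)
    by UserPrincipalName, Location"""

def baseline_locations(rows, now=NOW, days=7):
    """Map each user to the locations of their successful sign-ins in the last `days`."""
    base = {}
    for r in rows:
        if r["ResultType"] == "0" and r["TimeGenerated"] >= now - days * D:
            base.setdefault(r["UserPrincipalName"], set()).add(r["Location"])
    return base

def unusual_failed_signins(rows, now=NOW, lookback=2 * H):
    """Failed sign-ins inside the lookback window from a location with no successful
    baseline sign-in for that user. Returns {(user, location): {source IPs}}."""
    base = baseline_locations(rows, now)
    findings = {}
    for r in rows:
        if r["ResultType"] == "0" or r["TimeGenerated"] < now - lookback:
            continue
        user, loc = r["UserPrincipalName"], r["Location"]
        if loc not in base.get(user, set()):
            findings.setdefault((user, loc), set()).add(r["IPAddress"])
    return findings

if __name__ == "__main__":
    for (user, loc), ips in unusual_failed_signins(SAMPLE_SIGNINS).items():
        print(f"{user}: failed sign-ins from unusual location {loc}, source IPs {sorted(ips)}")
```

Only the Brazil failures are reported: the GB failure matches John's baseline, Jane's US failure matches hers, and the RU failure falls outside the two-hour window.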

🙏 Special Thanks

Special thanks to Josh Madakor and his incredible Cyber Range Community for inspiring this project and fostering innovation in cybersecurity education and tooling.
