🛡 SOC Alert Triage Assistant

AI-powered SIEM alert analysis · MITRE ATT&CK mapping · False positive reduction · Investigation playbooks

🎯 Problem Statement

SOC analysts process hundreds of SIEM alerts per shift — up to 70% are false positives. Tier 1 analysts spend most of their time on repetitive triage before they can begin real threat hunting. This tool automates Tier 1 triage entirely, delivering Tier 2-quality analysis in under 5 seconds per alert.

🔍 What It Does

| Capability | Description |
|---|---|
| Severity Scoring | 1–10 numerical score with Critical/High/Medium/Low classification |
| IOC Extraction | Automatically pulls IPs, domains, hashes, processes, and users from raw alert text |
| MITRE ATT&CK Mapping | Maps to specific Tactics and Technique IDs (e.g. T1059.001, T1486) |
| False Positive Reduction | Assesses FP likelihood with context-specific reasoning |
| Correlation Detection | Surfaces related events and suspicious patterns within alert context |
| Investigation Playbooks | Ordered investigation steps aligned with NIST SP 800-61 |
| Escalation Recommendation | AI determines if alert warrants escalation and explains why |

📸 Screenshots

Ransomware Detection — Critical 10/10

SSH Brute Force — High 8/10

Investigation Playbook — NIST SP 800-61 Aligned

🚀 Quick Start

1. Clone the Repository

```bash
git clone https://github.com/dcartermarshall/soc-triage-assistant.git
cd soc-triage-assistant
```

2. Add Your API Key

```bash
cp src/config.example.js src/config.js
nano src/config.js
# Replace YOUR_API_KEY_HERE with your Anthropic API key
```

3. Run a Local Server

```bash
python3 -m http.server 8080
```

4. Open in Browser

http://localhost:8080/src/index.html

🔬 Test Cases

Four real-world attack scenarios are included:

  • SSH Brute Force — TOR exit node, 847 attempts/4min, impossible travel correlation
  • Ransomware — Shadow copy deletion, base64 PowerShell, mass file encryption
  • Data Exfiltration — 4.7GB via compromised service account, 56x baseline anomaly
  • Lateral Movement — Mimikatz credential dumping, PsExec across 7 hosts

🏗 Architecture

Raw SIEM Alert → Input Normalization → Claude AI Engine → Structured Analysis → SOC Dashboard

Stack: Vanilla HTML/CSS/JS · Anthropic Claude API · MITRE ATT&CK v15 · NIST SP 800-61

🔐 Security Notes

  • src/config.js is gitignored — your API key never touches GitHub
  • No alert data persists — all analysis is in-memory only
  • Read-only analysis — the tool never takes action on your infrastructure
  • Built with healthcare-grade data handling (HIPAA-aware design)

👤 Author

D'Anthony Carter-Marshall

  • CompTIA Security+ (SY0-701, DoD 8140 Approved)
  • KU Certificate in Cybersecurity
  • 3+ years HIPAA compliance operations at University of Kansas Health System

GitHub · marshalldanthony@gmail.com
