Security Operations Centers (SOCs) face a growing challenge: massive volumes of security logs, alert fatigue, and time-consuming manual triage. While SIEM platforms collect data efficiently, analysts still spend significant time investigating, enriching, escalating, and documenting incidents. Our project, SentinelAI – Autonomous SOC Orchestration Platform, addresses this gap by automating the full incident response lifecycle using Elasticsearch Agent Builder and native Elastic capabilities.

The system continuously monitors structured security logs stored in Elasticsearch. Using Watcher automation and search-based risk filtering, high-risk events (risk_score ≥ 70) trigger an intelligent orchestration workflow. Instead of generating duplicate alerts, the platform performs smart deduplication within a 10-minute window and identifies repeat offenders within 30 minutes, automatically escalating severity to CRITICAL when behavioral thresholds are crossed.
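To make the thresholds above concrete, here is a small in-memory model of the deduplication and repeat-offender logic. It is an added illustration, not code from the SentinelAI project: the real pipeline runs these checks through Watcher and Elasticsearch queries, and the field names (`risk_score`, `source_ip`, `rule`, `@timestamp`), the incident key of source plus rule, and the reading of "repeat offender" as a second distinct incident from the same source inside 30 minutes are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RISK_THRESHOLD = 70                    # risk_score >= 70 opens an incident
DEDUP_WINDOW = timedelta(minutes=10)   # same source+rule inside 10 min is a duplicate
REPEAT_WINDOW = timedelta(minutes=30)  # a second distinct incident inside 30 min = repeat offender

@dataclass
class Incident:
    key: str
    first_seen: datetime
    last_seen: datetime
    severity: str
    hits: int = 1

class Orchestrator:
    """Stand-in for the Watcher + Elasticsearch incident store (assumed design)."""
    def __init__(self):
        self.incidents: dict[str, Incident] = {}      # open incident per source|rule key
        self.history: dict[str, list[datetime]] = {}  # incident open times per source

    def process(self, event: dict) -> str:
        if event["risk_score"] < RISK_THRESHOLD:
            return "ignored"
        ts = datetime.fromisoformat(event["@timestamp"])
        src = event["source_ip"]
        key = f"{src}|{event['rule']}"
        inc = self.incidents.get(key)
        # Smart deduplication: fold the event into the open incident instead of alerting again.
        if inc and ts - inc.last_seen <= DEDUP_WINDOW:
            inc.last_seen, inc.hits = ts, inc.hits + 1
            return "deduplicated"
        # Repeat-offender check: any other incident from this source inside the 30-minute window.
        recent = [t for t in self.history.get(src, []) if ts - t <= REPEAT_WINDOW]
        severity = "CRITICAL" if recent else "HIGH"
        self.history[src] = recent + [ts]
        self.incidents[key] = Incident(key, ts, ts, severity)
        return f"created:{severity}"

def run_demo() -> list[str]:
    """Feed a constructed, time-ordered event stream and return the decision per event."""
    events = [  # constructed sample events, not real log data
        {"@timestamp": "2024-01-01T10:00:00", "source_ip": "10.0.0.5", "rule": "brute_force", "risk_score": 85},
        {"@timestamp": "2024-01-01T10:05:00", "source_ip": "10.0.0.5", "rule": "brute_force", "risk_score": 90},
        {"@timestamp": "2024-01-01T10:07:00", "source_ip": "10.0.0.9", "rule": "port_scan", "risk_score": 40},
        {"@timestamp": "2024-01-01T10:08:00", "source_ip": "10.0.0.9", "rule": "exfil", "risk_score": 72},
        {"@timestamp": "2024-01-01T10:20:00", "source_ip": "10.0.0.5", "rule": "brute_force", "risk_score": 75},
        {"@timestamp": "2024-01-01T10:50:00", "source_ip": "10.0.0.9", "rule": "exfil", "risk_score": 80},
    ]
    orch = Orchestrator()
    return [orch.process(e) for e in events]

if __name__ == "__main__":
    print(run_demo())
```

The third event from 10.0.0.5 arrives 15 minutes after the last duplicate, so it opens a new incident, and because that source already had one inside the 30-minute window it is created at CRITICAL; the later exfil event from 10.0.0.9 falls outside both windows and stays HIGH.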

When a new incident is confirmed, the Agent Builder reasoning layer activates. Leveraging Elastic’s Inference API, the system generates an AI-powered Level 1 SOC triage report including executive summary, business impact, and remediation steps. Each threat is automatically mapped to the MITRE ATT&CK framework for structured defensive intelligence.

If an analyst escalates the case, the platform triggers a deeper Level 2 investigation, generating structured attack path analysis, containment strategies, and risk assessments. Upon resolution, a Level 3 executive closure report is automatically created, summarizing response actions taken, residual risk, and lessons learned — completing the full SOC lifecycle.

Key Elastic features utilized include:

  • Watcher for automated detection triggers
  • Search queries and structured filtering for risk analysis
  • Agent Builder reasoning for orchestration logic
  • Elastic Inference API for AI enrichment
  • Elasticsearch indexing and update APIs for lifecycle management

One of the most rewarding aspects of this project was integrating structured search logic with AI reasoning to simulate real SOC analyst workflows. A key challenge was ensuring atomic updates and preventing duplicate incident creation while maintaining lifecycle integrity. Designing a realistic escalation and investigation pipeline using Elastic-native tools was both technically demanding and highly educational.

This project demonstrates how Elasticsearch Agent Builder can power intelligent, automated security orchestration pipelines that reduce alert fatigue, accelerate incident response, and transform raw logs into actionable security intelligence.

Built With

  • agent-builder
  • att&ck
  • elastic-inference-api
  • elastic-watcher
  • elasticsearch-(elastic-cloud)
  • fastapi-(python)
  • framework
  • mitre
  • ngrok
  • react.js
  • tailwind-css
  • vite