Identity Threat Hunter — Cloud-Native Identity Security Platform

Built for the Google Cloud + Elastic AI Accelerate Hackathon 2025
AI-enriched identity threat detection and response for modern enterprise environments.

Inspiration

Modern attackers exploit identity systems such as Okta, Azure AD, and CyberArk — targeting users, tokens, and service accounts instead of traditional network perimeters.

Identity Threat Hunter (ITH) was designed to detect and respond to identity-based attacks in real time using a combination of:

  • Data enrichment from Vertex AI (Gemini-2.5-Flash)
  • Honey-Identity Traps for deception and early breach visibility
  • Quantum Guardian for adaptive cryptographic exposure scoring

What It Does

ITH continuously monitors and enriches identity events to detect:

  • Impossible travel
  • MFA bypass
  • Brute force and credential stuffing
  • Rare country logins
  • Privilege escalation
  • ASN / ISP change
  • Honey-Identity Traps (decoy users or tokens accessed)
  • Quantum Guardian exposure events (cryptographic risk > 70)

Each event is processed by the Ingestor service, enriched with AI context, and indexed into Elastic Cloud for rule-based detection and real-time alerting.

Architecture

```text
[User / Judge] → ith-ui (Analyst UI, Cloud Run)
                  │
                  ├──> ith-event-gen → ith-ingestor ──► Elastic Cloud (ith-events*)
                  │                        │
                  │                        └─► Vertex AI (Gemini) ⇢ ai.summary / ai.confidence / event.scenario
                  │
                  ├──> quantum-guardian ──► Elastic (quantum-guardian*)
                  └──> Kibana (Rules & Alerts)
```

Components

| Service | Technology | Description |
|---|---|---|
| ith-ui | Next.js | Web dashboard for analysts and judges |
| ith-ingestor | FastAPI | Enriches events with geo, ASN, and AI summaries |
| ith-event-gen | FastAPI | Generates synthetic attack patterns for testing |
| quantum-guardian | FastAPI | Calculates Quantum Exposure Score (QES) and pushes results to Elastic |
| Elastic Cloud | Elasticsearch + Kibana | Hosts indices, detection rules, and dashboards |

Honey-Identity Traps

Purpose: Detect reconnaissance and lateral movement attempts through deception.

  • Deployed decoy users and API tokens in the identity store.
  • Each honey identity generates a unique canary_id tag.
  • Any authentication or query attempt on these accounts triggers a critical alert (ITH Honey-Identity Trap).

Example event:

```json
{
  "event.scenario": "honey_identity_access",
  "user.name": "svc_honeyadmin",
  "ai.summary": "Decoy identity accessed — possible credential harvesting",
  "ai.confidence": 0.97,
  "rule.explanation": "Access attempt on deception account triggered honey trap."
}
```

Quantum Guardian Module

Purpose: Measure and correlate cryptographic exposure risk in identity flows.

  • Generates Quantum Exposure Scores (QES) from 0–100.
  • Publishes results to quantum-guardian* index in Elastic Cloud.
  • High-risk scores (≥70) trigger Quantum Adaptive Response alerts.

Example event:

```json
{
  "quantum.score": 85,
  "quantum.category": "exposure",
  "ai.summary": "Detected high quantum exposure due to weak cryptographic signature",
  "rule.explanation": "Quantum Guardian flagged QES > 70 for recent identity key usage."
}
```

How It Works

  1. Synthetic events are created via ith-event-gen.
  2. Events pass through ith-ingestor, which adds enrichment fields (geo, asn, and ai.*).
  3. Enriched data is indexed into Elastic (ith-events*, quantum-guardian*).
  4. Elastic rules trigger detections (impossible travel, honey traps, QES).
  5. Analysts review enriched data in Kibana or the Analyst UI.
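The detection paths in the steps above (enrichment with geo fields, then rule evaluation), together with the Honey-Identity Trap rule and the Quantum Guardian QES threshold described earlier, as an added Python example that is not part of the ITH project's code. Field names follow the page's event examples (`user.name`, `event.scenario`, `canary_id`, `quantum.score`); the canary ids, the 1000 km/h travel threshold, the `event.action` field, the `geo.lat`/`geo.lon` layout and all sample events are constructed assumptions. It uses the inclusive `>= 70` form of the QES threshold from the Quantum Guardian section.

```python
"""Minimal rule pass over enriched identity events (added example, not ITH code).
Demonstrates the three detection paths from the README:
  1. honey-identity access  (any event tagged with a deployed canary_id)
  2. Quantum Guardian exposure (quantum.score >= 70)
  3. impossible travel      (geo velocity between successive logins)
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed: canary_id tags of deployed decoy identities (hypothetical values).
HONEY_CANARY_IDS = {"canary-7f3a", "canary-91cc"}
# Assumption: inclusive threshold for Quantum Adaptive Response alerts.
QES_THRESHOLD = 70
# Assumption: faster than a commercial flight counts as impossible travel.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(ts):
    """Parse the @timestamp field (ISO 8601 with trailing Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(events):
    """Return alerts for a timestamp-ordered list of enriched events."""
    alerts = []
    last_login = {}  # user.name -> (timestamp, lat, lon) of the previous login
    for ev in events:
        user = ev.get("user.name")
        # Rule 1: any touch of a decoy identity is critical; nothing else to weigh.
        if ev.get("canary_id") in HONEY_CANARY_IDS:
            alerts.append({"rule": "ITH Honey-Identity Trap", "severity": "critical",
                           "user.name": user, "canary_id": ev["canary_id"]})
            continue
        # Rule 2: Quantum Guardian exposure score (documents from quantum-guardian*).
        score = ev.get("quantum.score")
        if score is not None and score >= QES_THRESHOLD:
            alerts.append({"rule": "Quantum Adaptive Response", "severity": "high",
                           "user.name": user, "quantum.score": score})
            continue
        # Rule 3: impossible travel from the geo enrichment of successive logins.
        geo = ev.get("geo")
        if user and geo and ev.get("event.action") == "login":
            ts = parse_ts(ev["@timestamp"])
            if user in last_login:
                prev_ts, plat, plon = last_login[user]
                hours = (ts - prev_ts).total_seconds() / 3600.0
                km = haversine_km(plat, plon, geo["lat"], geo["lon"])
                speed = km / hours if hours > 0 else float("inf")
                if speed > MAX_PLAUSIBLE_KMH:
                    alerts.append({"rule": "Impossible Travel", "severity": "high",
                                   "user.name": user, "speed_kmh": round(speed, 1)})
            last_login[user] = (ts, geo["lat"], geo["lon"])
    return alerts


# Constructed sample events (not real telemetry), already geo-enriched.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-10-20T22:00:00Z", "user.name": "demo_user", "event.action": "login",
     "geo": {"lat": 40.71, "lon": -74.01, "country": "US"}},   # New York
    {"@timestamp": "2025-10-20T22:15:00Z", "user.name": "demo_user", "event.action": "login",
     "geo": {"lat": 51.51, "lon": -0.13, "country": "GB"}},    # London, 15 minutes later
    {"@timestamp": "2025-10-20T22:16:00Z", "user.name": "svc_honeyadmin", "event.action": "login",
     "canary_id": "canary-7f3a", "geo": {"lat": 51.51, "lon": -0.13}},
    {"@timestamp": "2025-10-20T22:17:00Z", "user.name": "demo_user",
     "quantum.score": 85, "quantum.category": "exposure"},
    {"@timestamp": "2025-10-20T22:18:00Z", "user.name": "demo_user",
     "quantum.score": 40, "quantum.category": "exposure"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed sample this yields three alerts: the New York to London hop 15 minutes apart is flagged as impossible travel, the `svc_honeyadmin` login trips the honey trap because its `canary_id` is in the deployed set, and only the QES 85 event crosses the Quantum Guardian threshold. Reading events back from `ith-events*` sorted by `@timestamp` is what makes the per-user velocity check meaningful; an unsorted batch would produce spurious speeds.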

```bash
# Deploy Ingestor with AI Enrichment
gcloud run deploy ith-ingestor \
  --source ./services/ingestor \
  --allow-unauthenticated \
  --set-env-vars ELASTIC_CLOUD_URL=$ELASTIC_CLOUD_URL,VERTEX_MODEL=gemini-2.5-flash
```

AI Enrichment Example

```json
{
  "@timestamp": "2025-10-20T22:15:00Z",
  "user.name": "demo_user",
  "event.scenario": "impossible_travel",
  "ai.enriched": true,
  "ai.summary": "Detected impossible travel with inconsistent MFA usage",
  "ai.confidence": 0.89,
  "rule.explanation": "Geo velocity anomaly confirmed by Vertex AI correlation"
}
```

## Challenges  

- Schema synchronization across multiple microservices and Elastic indices  
- Handling asynchronous enrichment calls to Vertex AI  
- Designing believable **Honey-Identity** traps without false positives  
- Mapping **Quantum Guardian** QES results to correlated identity events  

---

## Accomplishments  

- Successfully deployed four Cloud Run microservices integrated end-to-end.  
- Designed **Honey-Identity deception traps** for proactive defense.  
- Integrated **Quantum Guardian QES** scoring to quantify cryptographic risk.  
- Delivered fully operational, read-only demo environments for judges.  

---

## Judge Testing  

[Analyst UI Access](https://ith-ui-1054075376433.us-central1.run.app/)  

1. Open the Analyst UI.  
2. Trigger all scenarios or test individually (Impossible Travel, MFA Bypass, Honey Trap, Quantum Risk).  
3. Wait one minute for events to process.  
4. Open **Kibana → Security → Alerts**.  
5. Log in using:  
   - Username: `ith_judge`  
   - Password: `Hackathon2025`  
6. Verify alert fields:  
   - `ai.summary`  
   - `ai.confidence`  

---

## What’s Next  

- Integrate ML anomaly detection to replace static thresholds.  
- Automate response actions via SOAR playbooks.  
- Extend detection coverage to AWS, GCP, and Azure IAM.  
- Deploy federated **Honey-Identities** across multi-cloud environments.  
- Expand data analytics using BigQuery for long-term identity modeling.  

---

## Summary  

**Identity Threat Hunter (ITH)** combines enrichment, deception, and adaptive analytics into a single identity detection framework.  
**Honey-Identity Traps** provide early visibility, while **Quantum Guardian** quantifies risk from cryptographic exposure.  
Built for the **Google Cloud + Elastic AI Accelerate Hackathon 2025**, this system showcases scalable, cloud-native identity defense with real-time intelligence.  

[Visit Project Page](https://koushik2296.github.io/identity-threat-hunter/)  

Built With

  • analytics
  • apache-2.0
  • asn-enrichment
  • bigquery
  • digital-twin
  • docker
  • elastic-cloud
  • elastic-security
  • fastapi
  • gemini-2.5-flash
  • geoip-lookup
  • github
  • github-actions
  • google-cloud
  • google-cloud-build
  • google-cloud-logging
  • google-cloud-run
  • google-secret-manager
  • honey-identity-traps
  • infrastructure-as-code
  • kibana
  • next.js
  • open-source
  • public-repository
  • python
  • qes
  • quantum-guardian
  • tailwindcss
  • terraform
  • vertex-ai
  • webhooks