Inspiration
AI-powered attackers can compromise an entire network in under 8 minutes. Human incident responders can't keep up. SENTINEL was built to close that gap — an autonomous DFIR agent that never sleeps, never guesses, and never stops until the evil is found.
What it does
SENTINEL autonomously analyzes forensic evidence from a compromised Domain Controller — memory dumps, disk images — and correlates findings across multiple sources simultaneously.
On a real SRL-2018 compromised enterprise network, SENTINEL identified:
- Backdoor:PowerShell/Listrun.A active on the DC
- Meterpreter payload signature in memory
- C2 infrastructure: myvinhlong.com and smart-web.me
- DLL injection via mstd32.dll
- PowerShell execution policy bypass with hidden window
- Full attack timeline with MITRE ATT&CK TTPs
How I built it
Built entirely on the SANS SIFT Workstation using Python, Groq LLM API (llama-3.3-70b-versatile), and native SIFT forensic tools including strings, Volatility 3, and grep. The agent runs autonomous multi-phase analysis: Triage → Memory Analysis → IOC Detection → Correlation → Self-Correction → Report Generation.
All guardrails are architectural — destructive commands like rm, dd, and shred are blocked at the code level, not the prompt level.
Challenges I ran into
- Volatility 3 symbol file permissions required manual chmod fixes
- Gemini API authentication incompatibility forced migration to Groq
- Getting the AI to distinguish confirmed findings from inferences required careful prompt engineering
- Cross-referencing memory artifacts with known malware signatures without false positives
Accomplishments that I'm proud of
- SENTINEL found 6 high-confidence IOCs in a real compromised DC memory dump
- Full MITRE ATT&CK TTP mapping: T1059.001, T1055, T1071, T1105, T1070.004, T1190
- Architectural guardrails that physically cannot be bypassed via prompt injection
- Complete audit trail — every finding traceable to a specific tool execution
- Self-correction engine that flags unsupported claims automatically
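As an added illustration of the code-level guardrail, the audit trail and the self-correction check described above (example code written for this page, not SENTINEL's own): the model only proposes a command string, this guard decides whether it runs, every execution gets an audit id, and a finding is accepted only if its quoted evidence appears in the output of the run it cites. The allowlist, the wrapper list and the sample `strings` output are assumptions.

```python
import shlex
from dataclasses import dataclass, field

# Added example, not SENTINEL's own code. The model only proposes a command
# string; this code decides, so no prompt text can unblock rm, dd or shred.
DENIED = {"rm", "dd", "shred"}                    # named on the page
ALLOWED = {"strings", "grep", "vol"}              # assumed read-only tool set
WRAPPERS = {"sudo", "env", "nice", "bash", "sh", "-c"}    # assumed; peeled first
SHELL_META = {"|", ";", "&&", "||", ">", ">>", "<", "`"}  # argv runs without a shell
# Constructed sample of `strings` output from a memory image (not real data).
SAMPLE_OUTPUT = "kernel32.dll\nmyvinhlong.com\nmstd32.dll\n"
@dataclass
class ToolRun:            # one audit-trail entry per executed tool
    run_id: int
    argv: list[str]
    output: str = ""

@dataclass
class Guard:
    audit: list[ToolRun] = field(default_factory=list)

    def authorize(self, command: str) -> list[str]:
        """Return argv if the command may run, else raise PermissionError."""
        argv = shlex.split(command)
        if not argv or SHELL_META & set(argv):
            raise PermissionError(f"shell operators not permitted: {command!r}")
        # Peel wrappers so 'sudo rm' is judged as 'rm'; "bash -c 'dd ...'" leaves
        # one token that is on no allowlist, so it is rejected as well.
        i = 0
        while i < len(argv) and argv[i] in WRAPPERS:
            i += 1
        tool = argv[i] if i < len(argv) else ""
        if tool in DENIED or tool not in ALLOWED:
            raise PermissionError(f"{tool!r} is not an allowed forensic tool")
        return argv

    def blocked(self, command: str) -> bool:
        try:
            self.authorize(command)
            return False
        except (PermissionError, ValueError):   # ValueError: unbalanced quotes
            return True

    def record(self, argv: list[str], output: str) -> ToolRun:
        """Every execution gets an id so a finding can cite it (audit trail)."""
        run = ToolRun(len(self.audit) + 1, argv, output)
        self.audit.append(run)
        return run

    def supported(self, evidence: str, run_id: int) -> bool:
        """Self-correction: evidence must appear verbatim in the cited run's output."""
        run = next((r for r in self.audit if r.run_id == run_id), None)
        return run is not None and evidence in run.output
```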
What I learned
Real memory forensics is messy — symbol files, permissions, and tool compatibility all need to be solved before any analysis can begin. SENTINEL handles all of this autonomously so analysts can focus on decisions, not setup.
What's next for SENTINEL: Multi-Source Autonomous IR Correlation Agent
- Full disk image correlation (E01 format via ewfmount)
- Network capture analysis (PCAP via Wireshark/tshark)
- Multi-machine correlation across entire enterprise networks
- Real-time monitoring mode with automatic alerting
- Integration with SIEM platforms (Splunk, ELK)