Inspiration

A SOC analyst copilot to reduce alert fatigue and speed up triage (UI/LLM prompts label it “Autonomous SOC Triage Copilot”). The SOC challenge CSV datasets (SOC_challenge_datasheet_*.csv) suggest a data‑driven triage workflow.

What it does

Ingests SOC event CSVs, correlates events into cases, scores risk/priority, and surfaces a triage dashboard. Provides AI‑assisted analysis: summarize, explain why it matters, and suggest next steps, plus case chat. Persists session state (preferences, notes, cached summaries, uploaded datasets) per analyst session.

How we built it

Frontend: React + Vite with a dashboard UI, case filters, event table, and Recharts visualizations (web/src/components/). Backend: Cloudflare Worker with Durable Objects for session state and dataset storage (index.ts, wrangler.toml). Triage logic: correlation window + entity/event keying and a multi‑factor risk scoring model (worker/src/triage/). AI layer: LLM calls (Cloudflare AI or Ollama) with JSON validation + fallbacks for analyze/explain/next‑steps/chat (worker/src/agent/*).

Challenges we ran into

Correlating noisy event streams into coherent cases with time windows and entity keys. Designing a risk score that balances severity, confidence, external signals, entity spread, and temporal burstiness. Making LLM outputs robust: strict JSON validation + retry/fallback logic. Handling dataset uploads safely (idempotency + duplicate detection) and caching summaries per session.
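As an added illustration of the correlation window, entity keying and multi-factor scoring described above (example code written for this writeup, not the project's own worker/src/triage/ implementation), the TypeScript below groups events by an assumed host|user entity key within an assumed 10-minute window and scores each case on the five factors named; the field names, weights and sample events are all assumptions.

```typescript
// Illustrative correlation + scoring written for this writeup, not SentinelIQ's own code.
// Field names, the 10-minute window, the weights and the sample events are assumptions.
interface SocEvent { ts: number; host: string; user: string; srcIp: string;
  severity: number; confidence: number; externalHit?: boolean } // ms, 0..10, 0..1, intel hit
interface TriageCase { key: string; events: SocEvent[]; score: number }
const WINDOW_MS = 10 * 60 * 1000; // assumed correlation window

// Group events by entity key (host|user); a gap longer than the window since the
// case's last event starts a new case for the same key.
function correlate(events: SocEvent[]): TriageCase[] {
  const open = new Map<string, TriageCase>();
  const cases: TriageCase[] = [];
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const key = `${ev.host}|${ev.user}`;
    const cur = open.get(key);
    if (cur && ev.ts - cur.events[cur.events.length - 1].ts <= WINDOW_MS) {
      cur.events.push(ev);
    } else {
      const c: TriageCase = { key, events: [ev], score: 0 };
      open.set(key, c);
      cases.push(c);
    }
  }
  for (const c of cases) c.score = scoreCase(c.events);
  return cases;
}

// Multi-factor score 0..100: severity, confidence, external signal,
// entity spread (distinct source IPs) and burstiness (events per minute).
function scoreCase(evs: SocEvent[]): number {
  const maxSev = Math.max(...evs.map(e => e.severity)) / 10;
  const avgConf = evs.reduce((s, e) => s + e.confidence, 0) / evs.length;
  const external = evs.some(e => e.externalHit) ? 1 : 0;
  const spread = Math.min(new Set(evs.map(e => e.srcIp)).size / 5, 1);
  const spanMin = Math.max((evs[evs.length - 1].ts - evs[0].ts) / 60_000, 1);
  const burst = Math.min(evs.length / spanMin / 5, 1);
  const raw = 0.35 * maxSev + 0.2 * avgConf + 0.15 * external + 0.15 * spread + 0.15 * burst;
  return Math.round(raw * 100);
}

// Constructed sample events (not from the challenge datasets).
const SAMPLE: SocEvent[] = [
  { ts: 0, host: "ws01", user: "alice", srcIp: "10.0.0.5", severity: 4, confidence: 0.6 },
  { ts: 60_000, host: "ws01", user: "alice", srcIp: "10.0.0.6", severity: 7, confidence: 0.8, externalHit: true },
  { ts: 120_000, host: "ws01", user: "alice", srcIp: "10.0.0.7", severity: 5, confidence: 0.7 },
  { ts: 3_600_000, host: "ws01", user: "alice", srcIp: "10.0.0.5", severity: 2, confidence: 0.5 },
  { ts: 30_000, host: "db01", user: "svc", srcIp: "10.0.0.9", severity: 8, confidence: 0.9 },
];
```

Running `correlate(SAMPLE)` yields three cases: the three alice events within the window form one high-scoring case, the lone alice event an hour later starts a new low-scoring case, and the db01 event stands alone.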

Accomplishments that we’re proud of

End‑to‑end pipeline from CSV ingest → case correlation → risk scoring → UI visualization. Rich triage UX: filters, risk breakdown charts, evidence lists, and inline AI tooling. Session‑aware workflows with Durable Objects: notes, summaries, dataset storage, and dedupe.

What we learned

How to structure SOC data into actionable cases with explainable scoring. Practical LLM guardrails (schema validation, retries, fallbacks). The value of session persistence and caching for analyst workflows.

What's next for SentinelIQ

Real “Export Report” output and storing notes/flags in the session backend. Threat intel enrichment + reputation/geo signals to improve confidence scoring. Live streaming/ingest and alert normalization beyond CSV uploads. More analyst controls (preferences already scaffolded in the session API).
