Inspiration
Our inspiration for VigilNet stemmed from the critical challenges facing modern cybersecurity teams. We recognised that organisations are "drowning in security data, struggling to identify real threats amidst the noise". This leads to "information overload", "alert fatigue" from too many false positives, and "slow response" to critical threats. We envisioned a proactive, automated future for cybersecurity, where intelligent agents could "intelligently process this data, detect subtle anomalies, and respond rapidly and automatically". This desire to empower security teams and revolutionise incident response drove us to create VigilNet, an intelligent, agent-powered SIEM dashboard.
What it does
VigilNet is an intelligent, agent-powered Security Information and Event Management (SIEM) dashboard designed to combat modern cyber threats, specifically addressing "information overload", "alert fatigue", and "slow response". Currently, it operates by processing simulated security event logs. Users initiate this by clicking 'Generate New Data & Restart Simulation' on the dashboard, which runs the data_simulator.py script to create log files with security events and pre-defined anomalies like 'port_scan' or 'malware_exec'. Subsequently, clicking 'Start Simulation' begins VigilNet's processing, where it continuously reads events from these files, and its specialised agents analyse them in near real-time. The dashboard dynamically updates to display alerts and actions as they are 'detected' in this simulated stream. The system's core components, including app.py, config.py, .env, alert_manager.py, and utils/data_processor.py, manage data flow and alerts. Intelligent agents (Endpoint, Network, User Behaviour, and Orchestrator) each play a role in anomaly detection within this simulated data. For instance, the Orchestrator Agent can correlate anomalies like 'malware_exec' from the Endpoint Agent and 'unusual_network_connection' from the Network Agent to generate a 'Critical' alert and trigger an 'isolate_host' action within the simulation.
How we built it
VigilNet was built with a modular and extensible architecture using Python and Streamlit. Development began with setting up the main app.py for the interactive dashboard and configuring project settings via config.py and .env. A data_simulator.py script was created to generate realistic security events and inject specific anomalies like 'port_scan' or 'malware_exec'. The utils/data_processor.py module was implemented to standardise these simulated events for agent consumption. The core intelligence comes from specialised agents: the Endpoint Agent monitors activities on individual computers, the Network Agent focuses on suspicious network traffic, and the User Behaviour Agent identifies unusual user activities. The Orchestrator Agent acts as a master agent, correlating anomalies from these specialised agents into higher-fidelity alerts (e.g., 'Potential Ransomware Infection') and triggering automated response actions like 'isolate_host'. Finally, the alert_manager.py component centrally manages all generated alerts and simulated actions, which are then displayed live on the Streamlit dashboard.
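As an added illustration of the agent-to-orchestrator correlation described above (this is not VigilNet's own code; the event field names, the two detection heuristics and the five-minute correlation window are assumptions), a minimal Python pipeline in which an Endpoint agent and a Network agent emit anomalies and an Orchestrator raises the 'Critical' alert and the 'isolate_host' action only when both anomalies land on the same host inside the window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed field names; not the project's simulator output).
EVENTS = [
    {"ts": "2025-01-01T10:00:00", "source": "endpoint", "host": "ws-07", "path": "/tmp/upd.bin"},
    {"ts": "2025-01-01T10:01:30", "source": "network", "host": "ws-07", "dst_port": 4444},
    {"ts": "2025-01-01T10:02:00", "source": "endpoint", "host": "ws-12", "path": "/usr/bin/ls"},
    {"ts": "2025-01-01T10:03:00", "source": "endpoint", "host": "ws-12", "path": "/tmp/x.sh"},
    {"ts": "2025-01-01T10:40:00", "source": "network", "host": "ws-12", "dst_port": 8443},
]

def endpoint_agent(event):
    # Assumed heuristic: an execution from a user-writable path is flagged as 'malware_exec'.
    if event["source"] == "endpoint" and event.get("path", "").startswith(("/tmp/", "/dev/shm/")):
        return {"type": "malware_exec", "host": event["host"], "ts": event["ts"]}
    return None

def network_agent(event):
    # Assumed heuristic: an outbound connection to a port outside the allow-list is unusual.
    if event["source"] == "network" and event["dst_port"] not in (53, 80, 443):
        return {"type": "unusual_network_connection", "host": event["host"], "ts": event["ts"]}
    return None

class Orchestrator:
    # Correlates per-host anomalies inside a time window into one Critical alert plus a response action.
    RULE = {"malware_exec", "unusual_network_connection"}
    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.recent = defaultdict(list)   # host -> anomalies still inside the window
        self.alerts, self.actions = [], []

    def ingest(self, anomaly):
        host, now = anomaly["host"], datetime.fromisoformat(anomaly["ts"])
        # Drop evidence that has aged out of the correlation window, then record the new anomaly.
        self.recent[host] = [a for a in self.recent[host]
                             if now - datetime.fromisoformat(a["ts"]) <= self.window]
        self.recent[host].append(anomaly)
        if self.RULE <= {a["type"] for a in self.recent[host]}:
            self.alerts.append({"severity": "Critical", "host": host, "name": "Potential Ransomware Infection"})
            self.actions.append({"action": "isolate_host", "host": host})
            self.recent[host].clear()   # consume the evidence so the same pair does not re-alert

def run_pipeline(events, agents=(endpoint_agent, network_agent)):
    # Events are ordered by timestamp, offered to every agent, and any anomaly goes to the orchestrator.
    orch = Orchestrator()
    for event in sorted(events, key=lambda e: e["ts"]):
        for anomaly in filter(None, (agent(event) for agent in agents)):
            orch.ingest(anomaly)
    return orch.alerts, orch.actions
```

With the constructed events, only ws-07 produces an alert: ws-12 also shows both anomaly types, but 37 minutes apart, so the window check keeps them from correlating.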
Challenges we ran into
During the development of VigilNet, we encountered several challenges. A primary challenge was creating a data_simulator.py that could generate genuinely realistic security event logs while also allowing for the precise injection of specific, recognisable anomalies, which can be seen as a form of "data error" in the simulation context if not carefully managed. Designing the detection logic for each specialised agent, especially the Orchestrator Agent's correlation capabilities, posed a significant challenge ("agent errors" in logic and effectiveness). Ensuring that the Orchestrator could accurately identify high-fidelity threats by correlating multiple, disparate anomalies required iterative refinement and testing. Furthermore, maintaining real-time responsiveness of the Streamlit dashboard as simulated data increased and ensuring seamless communication and data flow between independent agents and the central AlertManager were also key hurdles.
Accomplishments that we're proud of
During the development of VigilNet, we achieved several key milestones that we are particularly proud of. We successfully demonstrated the ability to reduce "information overload" by intelligently filtering raw events into actionable anomalies and alerts. A significant achievement is the enablement of "proactive detection through specialised, always-on agents", which are capable of identifying subtle anomalies that might otherwise be missed. Furthermore, we are proud of facilitating "rapid response through automated actions, minimising the window of attack" by triggering predefined responses for critical threats. Ultimately, VigilNet transforms overwhelming security data into clear, actionable intelligence, empowering security teams to protect their organisations more effectively. It showcases a modular, extensible, and intelligently designed system that directly tackles critical industry challenges.
What we learned
Through building VigilNet, we gained invaluable insights into several key areas. We learned the power and flexibility of designing modular, agent-based architectures for security monitoring, where specialised agents contribute focused capabilities and an Orchestrator Agent handles complex correlation and automated response. We also mastered creating realistic simulated security event logs and programmatically injecting specific anomalies, which was crucial for thoroughly testing our agents' detection capabilities. Furthermore, we gained a deep understanding of real-time data processing concepts, exploring the necessity of message brokers like Apache Kafka or cloud-native solutions for live event pipelines. Finally, we effectively utilised Streamlit to build an intuitive, dynamically updating dashboard that provides a compelling user experience and a live operational picture of security events and alerts.
What's next for VigilNet: Your Intelligent Agent-Powered SIEM Dashboard
The future of VigilNet involves transitioning from its current simulated environment to a real-time application, integrating directly with diverse live data sources and APIs to provide genuine security intelligence. This will include connecting to Endpoint Logging APIs (e.g., EDR solutions), Network Flow Data (NetFlow/IPFIX) and Firewall APIs (e.g., Cisco, Palo Alto Networks), Cloud Audit Logs (e.g., Google Cloud Audit Logs, AWS CloudTrail), and notably, real-time authentication data from Identity Provider Logs (e.g., Okta, Active Directory). Crucially, real-time message brokers like Apache Kafka, Google Cloud Pub/Sub, or AWS Kinesis will serve as the pipeline for these live events, enabling VigilNet's data_processor to continuously consume data and detect threats as they occur, moving towards proactive and automated incident response.
Built With
- google-adk
- python
- streamlit
- visual-studio-code