### Deploy ASPS Platform Locally Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Instructions for setting up and running the Autonomous Security Platform (ASPS) locally. This involves installing dependencies, configuring environment variables, and starting the MCP server and Streamlit dashboard. ```bash # Step 1: Install dependencies pip install -r requirements.txt # Step 2: Configure environment variables (optional, can use UI) export DEEPSEEK_API_KEY="your-deepseek-api-key" export VIRUSTOTAL_API_KEY="your-virustotal-api-key" # Step 3: Start MCP Server (Terminal 1) python3 -m uvicorn mcp_server.main:app --reload --port 8000 # Output: INFO: Uvicorn running on http://127.0.0.1:8000 # Step 4: Start Streamlit Dashboard (Terminal 2) python3 -m streamlit run app/main.py # Output: You can now view your Streamlit app in your browser. # Local URL: http://localhost:8501 # Step 5: Access the web interface # Open browser to http://localhost:8501 # Step 6: Configure API keys in UI (Sidebar -> System Configuration) # Enter DeepSeek API Key and VirusTotal API Key # Click "Save Configuration" # Step 7: Run parallel simulation # In sidebar, enter attack scenario or use default # Click "Start Full Simulation" # Watch the SOC team workflow execute automatically ``` -------------------------------- ### Install Project Dependencies Source: https://github.com/safelineman/agentic-soc-simulation/blob/main/README.md Installs all required Python packages for the project using pip. This command should be run after cloning the repository. ```bash pip install -r requirements.txt ``` -------------------------------- ### Start MCP Tool Server with Uvicorn Source: https://github.com/safelineman/agentic-soc-simulation/blob/main/README.md Starts the MCP (Mission Control Plane) server, which acts as the 'hands and feet' for the AI agents, providing APIs for tool interaction. This command uses Uvicorn for ASGI application serving and enables auto-reloading for development. ```bash python3 -m uvicorn mcp_server.main:app --reload --port 8000 ``` -------------------------------- ### Start Streamlit Web Dashboard Source: https://github.com/safelineman/agentic-soc-simulation/blob/main/README.md Launches the Streamlit-based dashboard, which serves as the visual command center for security analysts, displaying data, agent activity, and allowing interaction. ```bash python3 -m streamlit run app/main.py ``` -------------------------------- ### Initialize and Evaluate Detection Engine Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Initializes a detection engine, loads security rules, and evaluates telemetry events to generate alerts. Outputs the number of alerts generated and details for each alert. ```python from detection_engine import DetectionEngine # Initialize engine engine = DetectionEngine() # Load detection rules engine.load_rules(rules) # Evaluate telemetry events alerts = engine.evaluate(telemetry_events) print(f"Generated {len(alerts)} alerts") # Output: Generated 4 alerts # Example alert structure for alert in alerts: print(f"Alert Type: {alert['type']}") print(f"Severity: {alert['severity']}") print(f"Source IP: {alert['source_ip']}") print(f"Target: {alert['target']}") print(f"Details: {alert['details']}") print(f"Timestamp: {alert['timestamp']}") print("---") # Output: # Alert Type: Suspicious PowerShell Execution # Severity: High # Source IP: 45.33.22.11 # Target: User-Workstation-01 # Details: Rule 'Suspicious PowerShell Execution' triggered. Process: powershell.exe (-enc base64payload) # Timestamp: 2026-01-03T14:32:15Z ``` -------------------------------- ### Orchestrate SOC Workflow with Agent Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Initializes the main orchestrator agent, providing necessary API keys, and runs the first step of the SOC workflow: generating telemetry data based on an attack scenario. Includes a callback for streaming messages. ```python from agent.core import Agent import os # Initialize orchestrator with API keys agent = Agent( deepseek_api_key=os.getenv("DEEPSEEK_API_KEY"), virustotal_api_key=os.getenv("VIRUSTOTAL_API_KEY") ) # Step 1: Generate telemetry data def stream_callback(msg): print(f"[Stream] {msg}") telemetry = agent.run_purple_step1_gen_data( scenario_text=attack_scenario, stream_callback=stream_callback ) ``` -------------------------------- ### Initialize and Run BaseAgent for Security Tasks Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Initializes a BaseAgent for security operations, enabling LLM interaction and tool calling. It connects to an MCP server, uses API keys for authentication (DEEPSEEK and VirusTotal), and runs an agent reasoning loop with a system prompt, user input, and specified tools. A callback function handles real-time logging. ```python from agent.core import BaseAgent import os # Initialize base agent with API keys agent = BaseAgent( name="SecurityAgent", mcp_url="http://localhost:8000", api_key=os.getenv("DEEPSEEK_API_KEY"), vt_api_key=os.getenv("VIRUSTOTAL_API_KEY") ) # Run agent loop with system prompt and tools system_prompt = """You are a security analyst. Analyze the alert and determine if it's malicious.""" user_input = "Alert: Suspicious login from IP 45.33.22.11" # Get tools from MCP server tools = agent.get_tools(["check_ip_reputation"]) # Log callback for real-time updates def log_callback(message): print(f"[Log] {message}") # Execute agent reasoning loop (max 5 turns) result = agent.run_loop( system_prompt=system_prompt, user_input=user_input, tools=tools, callback=log_callback, max_turns=5 ) print(f"Agent Result: {result}") ``` -------------------------------- ### Create OCSF Process Activity Event Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Generates an OCSF event representing a process creation activity, typically used to log malware execution. It includes details about the process name, command line, user, and source endpoint. ```python process_event = OCSFEvent( class_uid=1007, # Process Activity class_name="Process Activity", activity_id=1, # Create activity_name="Create", timestamp="2026-01-03T14:32:15Z", severity="High", src_endpoint=Endpoint( ip="10.0.0.15", hostname="User-Workstation-01" ), process=Process( name="invoice.exe", pid=4521, ppid=2340, cmd_line="C:\\Users\\john\\Downloads\\invoice.exe", path="C:\\Users\\john\\Downloads\\invoice.exe", user=User( name="john.doe", uid="S-1-5-21-...", domain="CORP" ) ) ) ``` -------------------------------- ### DetectionEngine - Rule Matching Engine Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt The DetectionEngine is responsible for evaluating incoming telemetry events against a set of predefined detection rules. It generates security alerts when a rule's conditions are met by an event. ```APIDOC ## DetectionEngine - Rule Matching Engine ### Description This engine takes detection rules and telemetry events as input. It processes each event against the rules to identify potential security threats and generates alerts for any matches found. This is the core component for real-time threat detection within the ASPS platform. ### Method Evaluation: `evaluate_events(rules: list, events: list, callback: callable)` (Assumed method based on description) ### Endpoint N/A (This is a class used for evaluation, not a direct API endpoint). ### Parameters #### Initialization Parameters (Not explicitly defined in the provided text, but likely involves loading rules) #### `evaluate_events` Parameters - **rules** (list) - Required - A list of detection rule objects to be used for matching. - **events** (list) - Required - A list of OCSF telemetry events to be evaluated. - **callback** (callable) - Optional - A function to receive real-time updates or generated alerts. ### Request Example ```python from agent.engine import DetectionEngine # Assuming rules and telemetry_events are already generated rules = [ { "id": "rule_001", "title": "Suspicious PowerShell Execution", "severity": "High", "logic": {"class_uid": 1007, "conditions": {"process.name": "powershell.exe", "process.cmd_line__contains": "-enc"}} } ] telemetry_events = [ { "class_name": "Process Activity", "activity_name": "Create", "process": {"name": "powershell.exe", "cmd_line": "powershell.exe -enc ..."} } ] def alert_callback(alert): print(f"ALERT: {alert}") detection_engine = DetectionEngine() alerts = detection_engine.evaluate_events( rules=rules, events=telemetry_events, callback=alert_callback ) print(f"Generated {len(alerts)} alerts.") ``` ### Response #### Success Response (200) - **alerts** (list) - A list of generated security alerts. Each alert typically includes information about the matched rule, the event(s) that triggered it, and severity level. #### Response Example ```json [ { "rule_id": "rule_001", "rule_title": "Suspicious PowerShell Execution", "severity": "High", "triggered_event": { "class_name": "Process Activity", "activity_name": "Create", "process": {"name": "powershell.exe", "cmd_line": "powershell.exe -enc ..."} } } // ... more alerts ] ``` ``` -------------------------------- ### Generate Investigation Reports with ReporterAgent Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Creates comprehensive markdown reports summarizing the entire investigation process, including alert details, triage results, forensic findings, and response decisions. Requires an API key for the underlying service. ```python from agent.core import ReporterAgent # Initialize Reporter agent reporter = ReporterAgent( name="Reporter", api_key=os.getenv("DEEPSEEK_API_KEY") ) # Generate final report from case context case_context = [ { "alert": alert_data, "triage": triage_result, "forensic": forensic_report, "decision": response_decision } ] final_report = reporter.report( case_context=case_context, callback=callback ) print(final_report) # Output: Markdown formatted report with sections: # ## 案件摘要 # Lazarus APT 攻击链: 钓鱼邮件 -> C2 通信 -> 横向移动 -> 数据外泄 # # ## 攻击时间线 # - 14:30 - 钓鱼邮件发送到 User-Workstation-01 # - 14:32 - 恶意附件执行 # - 14:45 - C2 连接建立到 185.100.200.5 # # ## 调查发现 # - 恶意 IP: 185.100.200.5 (确认 C2 服务器) # - 受影响资产: User-Workstation-01, DB-Server-01 # # ## 处置结果 # - 已封禁 C2 IP 185.100.200.5 # - 已隔离受感染主机 # # ## 改进建议 # - 加强邮件安全网关过滤 # - 部署 EDR 监控可疑进程 ``` -------------------------------- ### FastAPI Tool Service Source: https://github.com/safelineman/agentic-soc-simulation/blob/main/README.md Provides essential APIs for the simulation, including IP reputation checks, firewall management, and graph operations, built with FastAPI. ```python mcp_server/main.py ``` -------------------------------- ### Develop Security Rules with DetectionEngineerAgent Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Employs the DetectionEngineerAgent to automatically develop security detection rules from telemetry data. It requires an API key and analyzes a sample of telemetry events along with a scenario description. The output is a list of detection rules, each with an ID, title, severity, and logic definition. A callback function provides progress updates. ```python from agent.core import DetectionEngineerAgent # Initialize Detection Engineer detection_eng = DetectionEngineerAgent( name="DetectionEng", api_key=os.getenv("DEEPSEEK_API_KEY") ) # Develop rules from telemetry sample rules = detection_eng.develop_rules( telemetry_sample=telemetry_events, scenario_description=attack_scenario, callback=callback ) print(f"Developed {len(rules)} detection rules") # Example rule structure for rule in rules: print(f"Rule ID: {rule.id}") print(f"Title: {rule.title}") print(f"Severity: {rule.severity}") print(f"Logic: {rule.logic}") print("---") ``` -------------------------------- ### Streamlit Frontend Interface Source: https://github.com/safelineman/agentic-soc-simulation/blob/main/README.md The main program for the frontend interface, responsible for UI layout, state management, and data visualization using Streamlit. ```python app/main.py ``` -------------------------------- ### Make Response Decisions with CommanderAgent Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Makes incident response decisions, such as blocking IP addresses or requesting human approval. Requires an API key for the underlying service. ```python from agent.core import CommanderAgent import os # Initialize Commander agent commander = CommanderAgent( name="Commander", api_key=os.getenv("DEEPSEEK_API_KEY") ) # Make response decision based on forensic report response_decision = commander.decide( alert_data=alert_data, forensic_report=forensic_report, callback=callback ) print(response_decision) # Output if auto-response: # "已自动封禁恶意 IP 185.100.200.5。防火墙规则已部署。" # Output if human approval required: # "PENDING_APPROVAL: Block IP 185.100.200.5 | Reason: C2 server confirmed, # but target involves critical infrastructure. Requesting human approval for network-wide ban." ``` -------------------------------- ### Create OCSF File Activity Event Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Generates an OCSF event for a file read activity, useful for detecting data exfiltration. It captures file details like name, path, hash, size, and the actor process and user involved. ```python file_event = OCSFEvent( class_uid=1001, # File Activity class_name="File Activity", activity_id=2, # Read activity_name="Read", timestamp="2026-01-03T15:30:00Z", severity="Critical", src_endpoint=Endpoint( ip="10.0.0.20", hostname="DB-Server-01" ), file=File( name="customer_data.zip", path="C:\\Data\\customer_data.zip", hash="a1b2c3d4e5f6...", size=2147483648 # 2GB ), actor={ "process": { "name": "7za.exe", "cmd_line": "7za.exe a -tzip customer_data.zip C:\\Database\\*" }, "user": { "name": "admin" } } ) ``` -------------------------------- ### Generate Attack Telemetry with PurpleTeamAgent Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Uses the PurpleTeamAgent to generate OCSF-standard telemetry data. This agent simulates realistic attack scenarios mixed with background noise. It requires an API key for initialization and takes a scenario description as input to produce telemetry events. A callback function handles progress messages. ```python from agent.core import PurpleTeamAgent # Initialize Purple Team agent purple_agent = PurpleTeamAgent( name="PurpleTeam", api_key=os.getenv("DEEPSEEK_API_KEY") ) # Define attack scenario attack_scenario = """ Simulate a Lazarus APT attack: 1. Attacker (IP: 45.33.22.11) sends phishing email to User-Workstation-01 2. User executes malicious attachment invoice.exe 3. Malware connects to C2 server at 185.100.200.5 4. Lateral movement via SMB brute force to DB-Server-01 5. Data exfiltration to C2 server """ def callback(msg): print(msg) # Generate 15-20 OCSF events (3-5 malicious, rest benign) telemetry_events = purple_agent.generate_telemetry( scenario_description=attack_scenario, callback=callback ) print(f"Generated {len(telemetry_events)} telemetry events") # Example event structure for event in telemetry_events[:2]: print(f"Class: {event.class_name}, Activity: {event.activity_name}") print(f"Source: {event.src_endpoint.ip if event.src_endpoint else 'N/A'}") print(f"Process: {event.process.name if event.process else 'N/A'}") ``` -------------------------------- ### Triage Security Alerts with TriageAgent Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Analyzes security alerts to determine if they are false positives or legitimate threats using the TriageAgent. Requires an API key for the underlying service. ```python from agent.core import TriageAgent import os # Initialize Triage agent triage = TriageAgent( name="Triage", api_key=os.getenv("DEEPSEEK_API_KEY") ) # Analyze alert alert_data = { "type": "C2 Connection Attempt", "source_ip": "10.0.0.15", "target": "185.100.200.5", "timestamp": "2026-01-03T14:45:00Z", "details": "Suspicious DNS query to update.microsoft-support.com" } triage_result = triage.analyze( alert_data=alert_data, callback=callback ) print(triage_result) # Output: "这是一个高风险告警。域名 update.microsoft-support.com 伪装成微软官方域名, # 但实际指向外部 IP 185.100.200.5。建议进行深度取证调查。" ``` -------------------------------- ### BaseAgent Class Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt The BaseAgent class serves as the foundation for all specialized security agents. It provides capabilities for LLM interaction, tool calling, and agent reasoning loops. ```APIDOC ## BaseAgent Class ### Description The `BaseAgent` class is the foundational class for all specialized security agents within the ASPS system. It facilitates interaction with Large Language Models (LLMs) and enables tool execution. It manages the agent's reasoning loop, allowing it to process user inputs, utilize tools, and provide outputs based on predefined system prompts. ### Method Initialization: `BaseAgent(name: str, mcp_url: str, api_key: str, vt_api_key: str)` Execution: `run_loop(system_prompt: str, user_input: str, tools: list, callback: callable, max_turns: int)` ### Endpoint This class interacts with an MCP (Model Context Protocol) server, typically at `http://localhost:8000`. ### Parameters #### Initialization Parameters - **name** (str) - Required - The name of the agent. - **mcp_url** (str) - Required - The URL of the MCP server. - **api_key** (str) - Required - The API key for the LLM service (e.g., DeepSeek). - **vt_api_key** (str) - Required - The API key for VirusTotal. #### `run_loop` Parameters - **system_prompt** (str) - Required - The system prompt that guides the agent's behavior. - **user_input** (str) - Required - The input provided by the user or another agent. - **tools** (list) - Required - A list of available tools the agent can use. - **callback** (callable) - Optional - A function to receive real-time logs or updates. - **max_turns** (int) - Optional - The maximum number of reasoning turns the agent will perform. ### Request Example ```python from agent.core import BaseAgent import os agent = BaseAgent( name="SecurityAgent", mcp_url="http://localhost:8000", api_key=os.getenv("DEEPSEEK_API_KEY"), vt_api_key=os.getenv("VIRUSTOTAL_API_KEY") ) system_prompt = """You are a security analyst. Analyze the alert and determine if it's malicious.""" user_input = "Alert: Suspicious login from IP 45.33.22.11" tools = agent.get_tools(["check_ip_reputation"]) def log_callback(message): print(f"[Log] {message}") result = agent.run_loop( system_prompt=system_prompt, user_input=user_input, tools=tools, callback=log_callback, max_turns=5 ) print(f"Agent Result: {result}") ``` ### Response #### Success Response (200) - **result** (str) - The final output or conclusion generated by the agent after its reasoning process. #### Response Example ```json { "result": "[SecurityAgent] IP 45.33.22.11 is malicious: VirusTotal found 10 engines marked it as malicious..." } ``` ``` -------------------------------- ### Conduct Forensic Investigation with ForensicAgent Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt Performs in-depth forensic investigation using threat intelligence tools and builds knowledge graphs. Requires API keys for DeepSeek and VirusTotal. ```python from agent.core import ForensicAgent import os # Initialize Forensic agent forensic = ForensicAgent( name="Forensics", api_key=os.getenv("DEEPSEEK_API_KEY"), vt_api_key=os.getenv("VIRUSTOTAL_API_KEY") ) # Investigate alert with triage context forensic_report = forensic.investigate( alert_data=alert_data, triage_notes=triage_result, callback=callback ) print(forensic_report) # Output includes: # - IP reputation check results from VirusTotal # - Payload analysis identifying malware type # - Knowledge graph construction with entities and relationships # - Summary of findings with evidence chain # Example: "调查发现 IP 185.100.200.5 被 12 个威胁情报引擎标记为 C2 服务器。 # 已构建攻击图谱: IP:45.33.22.11 --[Phishing Email]--> Host:User-Workstation-01 # --[C2 Connection]--> IP:185.100.200.5" ``` -------------------------------- ### Agent Core Logic Source: https://github.com/safelineman/agentic-soc-simulation/blob/main/README.md Contains the core logic for the AI agents, defining base agent classes and specialized roles. It also includes the analysis engine for rule matching and alert triggering, and the OCSF data model definition. ```python agent/core.py ``` ```python agent/engine.py ``` ```python agent/ocsf.py ``` -------------------------------- ### PurpleTeamAgent - Generate Attack Telemetry Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt The PurpleTeamAgent is responsible for generating realistic attack telemetry data. It produces OCSF-standard events that include both malicious activities and normal background noise, simulating real-world scenarios. ```APIDOC ## PurpleTeamAgent - Generate Attack Telemetry ### Description This agent simulates attack scenarios by generating telemetry data that conforms to the OCSF (Open Cybersecurity Schema Framework) standard. It can create a mix of malicious and benign events to provide a realistic dataset for security analysis and rule development. ### Method Generation: `generate_telemetry(scenario_description: str, callback: callable)` ### Endpoint N/A (This is a class used for data generation, not a direct API endpoint). ### Parameters #### Initialization Parameters - **name** (str) - Required - The name of the agent (e.g., "PurpleTeam"). - **api_key** (str) - Required - The API key for the LLM service. #### `generate_telemetry` Parameters - **scenario_description** (str) - Required - A detailed description of the attack scenario to be simulated. - **callback** (callable) - Optional - A function to receive real-time updates during telemetry generation. ### Request Example ```python from agent.core import PurpleTeamAgent import os purple_agent = PurpleTeamAgent( name="PurpleTeam", api_key=os.getenv("DEEPSEEK_API_KEY") ) attack_scenario = """ Simulate a Lazarus APT attack: 1. Attacker (IP: 45.33.22.11) sends phishing email to User-Workstation-01 2. User executes malicious attachment invoice.exe 3. Malware connects to C2 server at 185.100.200.5 4. Lateral movement via SMB brute force to DB-Server-01 5. Data exfiltration to C2 server """ def callback(msg): print(msg) telemetry_events = purple_agent.generate_telemetry( scenario_description=attack_scenario, callback=callback ) print(f"Generated {len(telemetry_events)} telemetry events") ``` ### Response #### Success Response (200) - **telemetry_events** (list) - A list of OCSF-compliant telemetry events representing the simulated scenario. Each event is an object with fields like `class_name`, `activity_name`, `src_endpoint`, `process`, etc. #### Response Example ```json [ { "class_name": "Process Activity", "activity_name": "Create", "src_endpoint": {"ip": "45.33.22.11"}, "process": {"name": "invoice.exe"} }, { "class_name": "Network Activity", "activity_name": "Connect", "dst_endpoint": {"ip": "185.100.200.5"} } // ... more events ] ``` ``` -------------------------------- ### DetectionEngineerAgent - Develop Security Rules Source: https://context7.com/safelineman/agentic-soc-simulation/llms.txt The DetectionEngineerAgent analyzes telemetry data to automatically generate detection rules. These rules are designed to identify malicious behavior patterns within the security data. ```APIDOC ## DetectionEngineerAgent - Develop Security Rules ### Description This agent takes a sample of telemetry data and a scenario description as input to automatically create detection rules. These rules can then be used by a detection engine to identify threats in real-time or during forensic analysis. ### Method Rule Development: `develop_rules(telemetry_sample: list, scenario_description: str, callback: callable)` ### Endpoint N/A (This is a class used for rule generation, not a direct API endpoint). ### Parameters #### Initialization Parameters - **name** (str) - Required - The name of the agent (e.g., "DetectionEng"). - **api_key** (str) - Required - The API key for the LLM service. #### `develop_rules` Parameters - **telemetry_sample** (list) - Required - A list of OCSF telemetry events to analyze. - **scenario_description** (str) - Required - A description of the scenario the telemetry data represents. - **callback** (callable) - Optional - A function to receive real-time updates during rule development. ### Request Example ```python from agent.core import DetectionEngineerAgent import os # Assuming telemetry_events is already generated by PurpleTeamAgent télémetry_events = [ { "class_name": "Process Activity", "activity_name": "Create", "src_endpoint": {"ip": "45.33.22.11"}, "process": {"name": "invoice.exe"} }, { "class_name": "Network Activity", "activity_name": "Connect", "dst_endpoint": {"ip": "185.100.200.5"} } ] attack_scenario = "Simulate a Lazarus APT attack..." def callback(msg): print(msg) detection_eng = DetectionEngineerAgent( name="DetectionEng", api_key=os.getenv("DEEPSEEK_API_KEY") ) rules = detection_eng.develop_rules( telemetry_sample=telemetry_events, scenario_description=attack_scenario, callback=callback ) print(f"Developed {len(rules)} detection rules") ``` ### Response #### Success Response (200) - **rules** (list) - A list of detection rule objects. Each rule object contains fields such as `id`, `title`, `severity`, and `logic`. #### Response Example ```json [ { "id": "rule_001", "title": "Suspicious PowerShell Execution", "severity": "High", "logic": {"class_uid": 1007, "conditions": {"process.name": "powershell.exe", "process.cmd_line__contains": "-enc"}} } // ... more rules ] ``` ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.