singhananya0043/sentinelai

GitHub: singhananya0043/sentinelai

Stars: 2 | Forks: 0

# 🛡️ SentinelAI — Unified AI Security Operations Platform

## Overview

SentinelAI combines three security intelligence layers with a Claude-powered AI brain to deliver correlated, actionable threat intelligence:

| Engine | Capability |
|--------|-----------|
| 🔎 **OSINT Investigator** | IP/domain/email profiling — GeoIP, Shodan, VirusTotal, WHOIS, HaveIBeenPwned |
| ⚠️ **Zero-Day Monitor** | NVD + GitHub CVE feed with AI exploitability scoring |
| 📋 **SIEM Assistant** | Log ingestion, natural language queries, anomaly detection |
| 🔗 **Correlation Engine** | Cross-engine threat fusion with unified 0–10 scoring |
| 🤖 **Claude AI Brain** | Threat reports, MITRE ATT&CK mapping, NL Q&A |

## Architecture

```
sentinelai/
├── siem/
│   ├── log_simulator.py    # Generates auth/dns/firewall/web/system logs
│   ├── ingestor.py         # Normalises raw logs into structured events
│   └── query_engine.py     # Natural language → log filter engine
├── osint/
│   ├── sources.py          # GeoIP, Shodan, VirusTotal, WHOIS, HIBP wrappers
│   └── investigator.py     # Full OSINT profiler for IP/domain/email
├── zeroday/
│   └── monitor.py          # NVD + GitHub advisory CVE feed
├── llm/
│   └── brain.py            # Claude API hub (reports, scoring, Q&A)
├── correlation/
│   └── engine.py           # Cross-engine threat fusion & scoring
├── data/
│   └── db.py               # SQLite persistence layer
├── utils/
│   └── logger.py           # Rich terminal output
├── main.py                 # CLI entry point
└── app.py                  # Streamlit dashboard (5 tabs)
```

## Attack Types Detected

`brute_force` · `port_scan` · `malware_beacon` · `data_exfil` · `privilege_escalation` · `lateral_movement`

## Quick Start

### 1. Install dependencies

```bash
pip install -r requirements.txt
```

### 2. Configure API keys

```bash
cp .env.example .env
# Edit .env and add your keys
```

### 3. Run the full pipeline

```bash
python -X utf8 main.py
```

### 4. Launch the dashboard

```bash
python -X utf8 main.py --dashboard   # opens at http://localhost:8502
```

## CLI Usage

```bash
# Full threat intelligence pipeline (SIEM + CVE + OSINT + correlation)
python -X utf8 main.py

# Natural language SIEM query
python -X utf8 main.py --query "show failed SSH logins from external IPs"

# OSINT investigation
python -X utf8 main.py --investigate 8.8.8.8

# CVE alerts only
python -X utf8 main.py --cves

# Dashboard on custom port
python -X utf8 main.py --dashboard --port 9000
```

## Dashboard — 5 Tabs

| Tab | Description |
|-----|-------------|
| 🚨 **Threats** | Correlated threat table with AI-generated reports (TLP:RED) |
| ⚠️ **CVE Alerts** | Zero-day feed with CVSS scores and AI exploitability assessment |
| 📋 **SIEM** | Log timeline, severity breakdown, flagged event drill-down |
| 🔎 **OSINT** | IP/domain profiler — live investigation input |
| 💬 **Ask SentinelAI** | Claude-powered chat for natural language SOC queries |

## API Keys (Optional)

All external API keys are optional — SentinelAI falls back to rule-based analysis when keys are absent.

| Key | Source | Used For |
|-----|--------|----------|
| `ANTHROPIC_API_KEY` | [console.anthropic.com](https://console.anthropic.com) | Claude AI reports & Q&A |
| `SHODAN_API_KEY` | [shodan.io](https://shodan.io) | Open port & vulnerability data |
| `VIRUSTOTAL_API_KEY` | [virustotal.com](https://virustotal.com) | Malware reputation |
| `HIBP_API_KEY` | [haveibeenpwned.com](https://haveibeenpwned.com) | Email breach data |

## Threat Scoring

Threats are scored 0–10 using a weighted model:

| Signal | Weight |
|--------|--------|
| OSINT risk score | 35% (up to 3.5) |
| SIEM flagged events | 30% (up to 3.0) |
| CVE count matched | 20% (up to 2.0) |
| Critical SIEM events | +1.5 bonus |

Severity bands: **CRITICAL** ≥ 8 · **HIGH** ≥ 6 · **MEDIUM** ≥ 3 · **LOW** < 3

## Related Projects

- [BGP Anomaly Detector](https://github.com/singhananya0043/bgp_anomaly_detector) — Isolation Forest BGP hijack detection
- [AI IDS + DNS Anomaly Detector](https://github.com/singhananya0043/ai_ids_dns_detector) — Two-layer network defence

## License

MIT License — see [LICENSE](LICENSE)
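The cross-engine fusion and the weighted 0–10 model from the Threat Scoring section above, as an added worked example. This is not code from the SentinelAI repository (it does not reproduce `correlation/engine.py`): only the weights, caps, critical bonus and severity bands come from the README table. The function names `correlate` and `score_threat`, the assumption that the OSINT engine emits a 0–10 risk score, the 0.5 points per flagged event and per matched CVE used to fill each capped band, and the input record shapes are all assumptions made for this illustration. The sample events, OSINT scores and CVE matches are constructed inline so the block runs offline.

```python
"""Added example: weighted 0-10 threat scoring with cross-engine fusion.

Only the weights, caps, critical bonus and severity bands come from the
README's Threat Scoring table. Function names, the 0-10 OSINT input scale,
points per flagged event / matched CVE and the input shapes are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# From the scoring table.
OSINT_WEIGHT = 0.35       # OSINT risk score (assumed 0-10) scales to at most 3.5
SIEM_CAP = 3.0            # flagged SIEM events contribute at most 3.0
CVE_CAP = 2.0             # matched CVEs contribute at most 2.0
CRITICAL_BONUS = 1.5      # flat bonus if any critical SIEM event is present

# Assumptions: how raw counts fill their capped band.
POINTS_PER_FLAGGED_EVENT = 0.5
POINTS_PER_CVE = 0.5


@dataclass
class Signals:
    """Per-indicator evidence gathered from the three engines."""
    indicator: str
    osint_risk: float = 0.0      # assumed 0-10, from the OSINT engine
    flagged_events: int = 0      # SIEM events tagged with an attack type
    critical_events: int = 0     # subset of flagged events with severity 'critical'
    matched_cves: int = 0        # CVEs the zero-day monitor matched to this host


@dataclass
class ThreatScore:
    indicator: str
    osint: float
    siem: float
    cve: float
    bonus: float
    total: float
    severity: str


def severity_band(score: float) -> str:
    """Bands from the README: CRITICAL >= 8, HIGH >= 6, MEDIUM >= 3, else LOW."""
    if score >= 8:
        return "CRITICAL"
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def score_threat(s: Signals) -> ThreatScore:
    """Apply the weighted model; each band is clamped so the total cannot exceed 10."""
    osint = max(0.0, min(10.0, s.osint_risk)) * OSINT_WEIGHT   # out-of-range input is clamped
    siem = min(SIEM_CAP, s.flagged_events * POINTS_PER_FLAGGED_EVENT)
    cve = min(CVE_CAP, s.matched_cves * POINTS_PER_CVE)
    bonus = CRITICAL_BONUS if s.critical_events > 0 else 0.0
    total = round(min(10.0, osint + siem + cve + bonus), 2)
    return ThreatScore(s.indicator, osint, siem, cve, bonus, total, severity_band(total))


def correlate(siem_events: Iterable[dict],
              osint_risk: Dict[str, float],
              cve_matches: Dict[str, List[str]]) -> List[ThreatScore]:
    """Fuse the three engines per source IP and return scores, highest first."""
    signals: Dict[str, Signals] = {}

    def get(ip: str) -> Signals:
        return signals.setdefault(ip, Signals(ip))

    for ev in siem_events:
        s = get(ev["src_ip"])
        if ev.get("attack_type"):            # untagged events are not "flagged"
            s.flagged_events += 1
            if ev.get("severity") == "critical":
                s.critical_events += 1
    for ip, risk in osint_risk.items():
        get(ip).osint_risk = risk
    for ip, cves in cve_matches.items():
        get(ip).matched_cves = len(cves)

    return sorted((score_threat(s) for s in signals.values()),
                  key=lambda t: t.total, reverse=True)


# Constructed sample input (not real telemetry); IPs are from RFC 5737 documentation ranges.
SAMPLE_SIEM_EVENTS = [
    {"src_ip": "203.0.113.10", "severity": "high", "attack_type": "brute_force"},
    {"src_ip": "203.0.113.10", "severity": "high", "attack_type": "brute_force"},
    {"src_ip": "203.0.113.10", "severity": "critical", "attack_type": "privilege_escalation"},
    {"src_ip": "198.51.100.7", "severity": "medium", "attack_type": "port_scan"},
    {"src_ip": "10.0.0.5", "severity": "low", "attack_type": None},
]
SAMPLE_OSINT_RISK = {"203.0.113.10": 8.0, "198.51.100.7": 2.0}
SAMPLE_CVE_MATCHES = {"203.0.113.10": ["CVE-2021-44228", "CVE-2014-0160"]}

if __name__ == "__main__":
    for t in correlate(SAMPLE_SIEM_EVENTS, SAMPLE_OSINT_RISK, SAMPLE_CVE_MATCHES):
        print(f"{t.indicator:<14} osint={t.osint:.2f} siem={t.siem:.2f} "
              f"cve={t.cve:.2f} bonus={t.bonus:.1f} total={t.total:.2f} {t.severity}")
```

With the constructed input, `203.0.113.10` scores 2.8 (OSINT) + 1.5 (three flagged events) + 1.0 (two matched CVEs) + 1.5 (critical bonus) = 6.8, landing in the HIGH band; the port scanner at `198.51.100.7` scores 1.2 (LOW) and the untagged internal host scores 0. Clamping each band independently, rather than the sum alone, is what keeps one noisy engine (for example hundreds of flagged events from a single scanner) from dominating the other two.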