Meliodas-001/soc-navigator
# 🛡️ SOC Navigator
## 🚀 The Problem
It's 2 AM. An alert fires. A junior analyst has to jump between runbook PDFs, Google searches, and query builders just to figure out what to run in Microsoft Sentinel. Critical steps get missed. Time is lost.
**SOC Navigator replaces that chaos with a guided, streamlined action plan — in seconds.**
## 🎯 How It Works
### Phase 1 — Interactive Incident Playbook
When an alert triggers (e.g., *"Compromised User Account"*), the analyst opens the dedicated playbook.
- **Replaces static PDFs** — Instead of reading a document, the analyst is guided through a dynamic, interactive checklist
- **Guided containment** — Moves through specific stages: reviewing alert details, confirming suspicious activity, running KQL for impossible travel indicators, and verifying identity
- **Procedural tracking** — A progress bar tracks completed vs. remaining steps, ensuring that under the pressure of a 2 AM breach, no critical step is ever missed
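As an added example (not code from the SOC Navigator repository), this is the impossible-travel logic the playbook's KQL step looks for, written in Python and run over a few constructed sign-in records instead of a live Sentinel `SigninLogs` table. The user names, IPs, coordinates and the 900 km/h threshold are assumptions chosen for illustration.

```python
# Added example, not part of SOC Navigator: flag "impossible travel" between
# consecutive sign-ins by the same user, i.e. two locations too far apart to
# reach in the elapsed time. Input records are constructed, not real telemetry.
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass
class SignIn:
    user: str
    ip: str
    ts: datetime
    lat: float
    lon: float


# Constructed sample sign-ins (documentation-range IPs, illustrative coordinates).
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", "203.0.113.10", datetime(2024, 5, 1, 2, 5), 51.50, -0.12),   # London
    SignIn("alice@example.com", "198.51.100.7", datetime(2024, 5, 1, 2, 40), 40.71, -74.00), # New York
    SignIn("bob@example.com", "192.0.2.33", datetime(2024, 5, 1, 1, 0), 48.85, 2.35),        # Paris
    SignIn("bob@example.com", "192.0.2.34", datetime(2024, 5, 1, 9, 0), 52.52, 13.40),       # Berlin
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0):
    """Return (user, ip_from, ip_to, speed_kmh) for each pair of consecutive
    sign-ins by one user that would require moving faster than max_speed_kmh.
    The 900 km/h default (roughly airliner speed) is an assumed threshold."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.ts):
        by_user.setdefault(s.user, []).append(s)
    hits = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Same timestamp from two distant places is the strongest signal.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                hits.append((user, prev.ip, cur.ip, round(speed)))
    return hits


if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", hit)
```

Feeding real sign-in exports through the same function is a quick offline cross-check of what the Sentinel query returns for the user under investigation.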
### Phase 2 — KQL Query Library
To investigate the alert, the analyst needs telemetry. Instead of writing queries from scratch under pressure:
- **7 specialized categories** — Incidents, Threats, Endpoint Behavior, Cloud, and more
- **Deploy to Sentinel** — Copy raw KQL directly from the library and paste it into Microsoft Sentinel
- **Instant telemetry** — Reveals the attacker's location, attempt frequency, and suspicious IPs
### Phase 3 — Live Threat Intelligence Lookup
Once a suspicious IP is identified in Sentinel, the analyst needs to assess severity fast.
- **Instant verification** — Paste the extracted IP directly into SOC Navigator's Threat Intel lookup
- **Actionable scoring** — Returns a repeatable threat score, identifying whether the IP is malicious
- **Rapid escalation decisions** — Analyst can confidently decide in under **5 seconds** whether to escalate to P1 or close as a false positive
## 💡 The Impact
By combining interactive playbooks, rapid KQL deployment, and instant threat intelligence, SOC Navigator transforms a chaotic incident response process into a streamlined, guided action plan — purpose-built for the realities of junior SOC analyst work.
## ✨ Feature Summary
| Feature | Description |
|---------|-------------|
| 📋 Interactive Playbooks | Dynamic, step-by-step incident response workflows with progress tracking |
| 🔎 KQL Query Library | 7 categories of pre-built Microsoft Sentinel queries — copy and paste ready |
| 🌐 Threat Intel Lookup | Instant IP threat scoring for fast P1 escalation decisions |
| ⚡ Single-Page Tool | No login, no friction — built for speed during live incidents |
## 🧰 Tech Stack
| Layer | Technology |
|-------|-----------|
| Frontend | JavaScript |
| Backend | Python |
| AI Engine | Claude API — Anthropic |
| Build Platform | MeDo |
| SIEM Integration | Microsoft Sentinel (KQL) |
## ⚙️ Getting Started
### Prerequisites
- Python 3.9+
- An [Anthropic API key](https://console.anthropic.com/)
### Installation
```bash
# Clone the repository
git clone https://github.com/Meliodas-001/soc-navigator.git
cd soc-navigator

# Install dependencies
pip install -r requirements.txt

# Set up environment variables
cp .env.example .env
# Add your ANTHROPIC_API_KEY to .env

# Run the app
python main.py
```
Then open the app in your browser at the local URL shown in your terminal.
## 🔑 Environment Variables
```env
ANTHROPIC_API_KEY=your_api_key_here
```
## 🏆 Hackathon Context
Built solo for the **MEDO Hackathon** using MeDo's rapid-development platform. This project demonstrates that rapid-development tools can produce highly functional, production-grade solutions for real-world security teams.
## 🗺️ Roadmap
- [ ] Auto-run KQL queries via Microsoft Sentinel API
- [ ] Expand KQL library beyond 7 categories
- [ ] Playbook export to PDF / Markdown for offline use
- [ ] Incident history and audit log
- [ ] Support for additional SIEM platforms (Splunk, Elastic)
## 🎥 Demo
Watch the walkthrough: [Loom Demo](https://www.loom.com/share/12dc0b652e2143a4899767f1ebaa7c4c)
## 📄 License
MIT License — see [LICENSE](LICENSE) for details.
## 👤 Author
**Meliodas-001**
[GitHub](https://github.com/Meliodas-001) · [LinkedIn](https://linkedin.com/in/john-shekoni-2987a087/)