Autonomous SOC Engine

Self-running security operations -- humans only see what AI cannot handle. 90%+ alert auto-resolution target.

Status

Built

Async Loops

Decision Types

Frontend

Live

Overview

The Autonomous SOC Engine is the core AI-driven component that processes alerts without human intervention. It operates via four concurrent async loops: threat feed ingestion (30-min cycle), alert auto-processing (10-second cycle), self-update/optimization (hourly), and health monitoring (5-min cycle). The engine uses a decision matrix based on AI confidence scores and severity to determine whether to auto-resolve, auto-respond via SOAR playbook, or escalate to human analysts.

What Was Proposed

Ingest threat feeds automatically and generate detection rules from new threats
Auto-triage 90%+ of alerts without human intervention
Escalate only what AI cannot handle to human SOC analysts
Auto-execute SOAR playbooks for incident response
Self-update platform capabilities from each new threat
Configurable confidence thresholds for autonomous decision-making
Full decision audit trail

What's Built

Feature	Status	Details
Threat Feed Loop	Complete	30-min cycle, ingests from advisory engine, auto-generates Sigma rules
Alert Processing Loop	Complete	10-sec cycle, full decision pipeline: enrich, score, decide, execute
Self-Update Loop	Complete	Hourly: reviews FP rates, adjusts thresholds, optimizes playbooks
Health Check Loop	Complete	5-min cycle, logs auto-resolution rate and engine health
Auto Rule Generation	Complete	Sigma templates for ransomware, exploitation, phishing, credential theft
Decision Matrix	Complete	4 escalation levels: AUTO_RESOLVED, AUTO_RESPONDED, L2_REVIEW, CRITICAL
Threshold Configuration	Complete	Adjustable auto-resolve (0.85) and escalation (0.50) confidence thresholds
Decision Audit Log	Complete	In-memory circular buffer (last 200 decisions), type/severity/confidence tracked
Playbook Auto-Trigger	Complete	Selects playbook by alert type: phishing_response, brute_force_mitigation, malware_containment
SOC Escalation	Complete	WebSocket notifications via NotificationService on escalation

Architecture

Decision Flow

Incoming Alert
     |
     v
[AI Triage Scoring] -- ai_score, ai_confidence
     |
     v
[Decision Matrix]
     |
     +-- confidence >= 0.85 AND risk < 30 --> AUTO_RESOLVED (close, no human)
     |
     +-- confidence >= 0.75 AND risk >= 70 AND critical/high --> AUTO_RESPONDED (trigger playbook)
     |
     +-- confidence >= 0.70 AND risk < 50 AND not critical --> AUTO_RESOLVED (close with note)
     |
     +-- severity == critical OR confidence < 0.50 --> CRITICAL_ESCALATION (human SOC)
     |
     +-- default --> L2_REVIEW (analyst review)

Concurrent Loops

AutonomousSOCEngine.start()
    |
    +-- asyncio.gather(
    |       _threat_feed_loop()       -- every 30 min: fetch feeds, generate rules
    |       _alert_processing_loop()  -- every 10 sec: process pending alerts
    |       _self_update_loop()       -- every 1 hr:  review FPs, optimize playbooks
    |       _health_check_loop()      -- every 5 min: log engine health metrics
    |   )

API Routing

Router prefix: /api/v1/autonomous — Tag: autonomous-soc

GET/statsEngine stats: processed, auto-resolved, escalated, rates

GET/decisionsRecent autonomous decisions (max 200)

POST/startStart engine (admin)

POST/stopStop engine (admin)

PATCH/thresholdsAdjust AI confidence thresholds

Prerequisites

Threat Advisory Engine (threat_advisory_service.py) for feed ingestion
ML Pipeline for AI triage scoring
Playbook Engine for SOAR auto-response
WebSocket/Notification Service for escalation alerts

Data Model

The Autonomous SOC Engine uses an in-memory singleton (AutonomousSOCEngine) rather than database models. State is stored in:

Field	Type	Description
stats	dict	Counters: total_processed, auto_resolved, auto_responded, escalated_to_human, rules_auto_generated, playbooks_auto_triggered
_decisions_log	list[dict]	Circular buffer of last 200 decisions with type, detail, alert_id, severity, ai_score, ai_confidence, timestamp
AUTO_RESOLVE_CONFIDENCE	float	Threshold for auto-close (default: 0.85)
ESCALATION_THRESHOLD	float	Below this, escalate to human (default: 0.50)
_running	bool	Engine running state

UI Description

File: platform/frontend/src/app/autonomous-soc/page.tsx

The Autonomous SOC dashboard features:

Engine Status Banner -- Green/Red indicator with Start/Stop controls
Circular Gauge -- SVG gauge showing auto-resolution rate (target 90%+)
KPI Cards -- 6 cards: Alerts Processed, Auto-Resolved, Escalated to Human, Rules Auto-Generated, Playbooks Triggered, Engine Uptime
Threshold Configuration Panel -- Expandable panel with range sliders for auto-resolve confidence (50%-100%) and escalation threshold (10%-80%)
Decision Log -- Live-updating log (10-sec refresh) with expandable detail panels showing alert ID, AI confidence bar, risk score, decision reasoning, and actions taken

Each decision entry is color-coded: green for auto-resolved, orange for auto-responded, red for escalated, blue for rule generated. The page auto-refreshes every 10 seconds and falls back to mock data when the API is unreachable.