Multi-agent System for Real-Time Threat Identification, Prioritization, and Hunting

Yuval Zacharia’s side project focuses on an AI-driven multi-agent system for cybersecurity threat detection. The system integrates:
– Structured data sources: CISA, NVD, Patch Tuesday, MalwareBazaar
– Semantic search: EXA and Perplexity
– Social media clustering: LLM-based semantic grouping

Key Agents:

1. Threat Identifier: Detects relevant signals

2. Threat Analyst: Cross-validates and prioritizes threats

3. Threat Hunting Agent: Extracts IOCs and converts natural language into OCSF queries

The output includes actionable threat reports with hunting queries.

You Should Know:

1. Structured Threat Data Ingestion

Use these commands to fetch threat intelligence:

# Fetch the CISA Known Exploited Vulnerabilities (KEV) catalog
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | jq .

# Query NVD for a single CVE (replace the ID with the one you are tracking)
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-1234" | jq .

2. Semantic Search with EXA & Perplexity

Automate threat context retrieval:

import os
import requests

# Read the key from the environment rather than hard-coding it in the script.
# Exa expects the key in an x-api-key header and camelCase request fields.
exa_api_key = os.environ["EXA_API_KEY"]
query = "latest Log4j exploits"
response = requests.post(
    "https://api.exa.ai/search",
    headers={"x-api-key": exa_api_key},
    json={"query": query, "numResults": 5},
    timeout=30,
)
response.raise_for_status()  # surface auth or quota errors instead of printing them as data
for result in response.json()["results"]:
    print(result["title"], result["url"])

3. LLM-Based IOC Extraction

Convert natural language to OCSF queries:

# Use the OpenAI CLI to draft a hunting query (chat messages are passed as -g ROLE CONTENT)
openai api chat_completions.create -m gpt-4 -g user "Convert 'detect suspicious PowerShell execution' into an OCSF query"

4. Automated Threat Hunting with OCSF

Example Sigma rule for detecting suspicious process creation:

title: Suspicious PowerShell Execution
description: Detects unusual PowerShell commands
author: Yuval Zacharia
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine|contains:
            - ' -EncodedCommand '
            - ' -e '
    condition: selection
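The IOC extraction in section 3 and the OCSF hunt in section 4 can be tied together in a few dozen lines. The following is an added example written for this article, not code from Yuval Zacharia's project: it refangs a constructed report, pulls IPs, hashes and domains out of it, turns them into predicates over OCSF field paths (process.cmd_line, dst_endpoint.ip), and runs those predicates over constructed OCSF-style events. The encoded-command predicate mirrors the Sigma rule above; the event shapes and sample values are assumptions for the example.

```python
import re

# Constructed sample report text; every IOC in it is made up for this example.
SAMPLE_REPORT = """
Phishing campaign drops a loader that beacons to hxxp://evil-example[.]com
and 185.123.45.67. Dropper sha256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
The loader runs powershell.exe -EncodedCommand to fetch the next stage.
"""
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}
NOT_DOMAINS = {"exe", "dll", "ps1"}  # file names that the domain regex also matches

def extract_iocs(text):
    """Refang ([.] and hxxp) then return {ioc_type: sorted unique values}."""
    text = text.replace("[.]", ".").replace("hxxp", "http")
    iocs = {k: set(p.findall(text)) for k, p in IOC_PATTERNS.items()}
    iocs["domain"] = {d for d in iocs["domain"] if d.rsplit(".", 1)[-1].lower() not in NOT_DOMAINS}
    return {k: sorted(v) for k, v in iocs.items()}

def build_hunt_predicates(iocs):
    """(OCSF field path, operator, value) triples; cmd_line check mirrors the Sigma rule."""
    preds = [("process.cmd_line", "contains", " -encodedcommand ")]
    if iocs["ipv4"]:
        preds.append(("dst_endpoint.ip", "in", set(iocs["ipv4"])))
    return preds

def get_path(event, path):
    """Resolve a dotted OCSF path such as 'process.cmd_line' in an event dict."""
    for part in path.split("."):
        if not isinstance(event, dict) or part not in event:
            return None
        event = event[part]
    return event

def hunt(events, preds):
    """Return the events that satisfy at least one predicate."""
    hits = []
    for ev in events:
        for path, op, val in preds:
            field = get_path(ev, path)
            if field is not None and ((op == "contains" and val in str(field).lower())
                                      or (op == "in" and field in val)):
                hits.append(ev)
                break
    return hits

# Constructed OCSF-style events: Process Activity (class_uid 1007) and Network Activity (4001).
SAMPLE_EVENTS = [
    {"class_uid": 1007, "process": {"name": "powershell.exe", "cmd_line": "powershell.exe -EncodedCommand SQBFAFgAIAAo"}},
    {"class_uid": 4001, "dst_endpoint": {"ip": "185.123.45.67", "port": 443}},
    {"class_uid": 1007, "process": {"name": "notepad.exe", "cmd_line": "notepad.exe notes.txt"}},
]
```

Calling `hunt(SAMPLE_EVENTS, build_hunt_predicates(extract_iocs(SAMPLE_REPORT)))` returns the encoded PowerShell launch and the connection to the extracted IP, and drops the notepad event.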

What Undercode Say:

This AI-driven approach revolutionizes threat detection by reducing response time from days to hours. Key takeaways:
– Automate CVE ingestion with NVD/CISA APIs.
– Enhance threat validation using semantic search (EXA/Perplexity).
– Convert unstructured data (social media, blogs) into actionable IOCs.
– Deploy OCSF/Sigma rules for real-time hunting.

Expected Output:

{
  "threat_report": {
    "title": "APT29 Phishing Campaign",
    "priority": "High",
    "iocs": ["malware.exe", "185.123.45.67"],
    "hunting_queries": ["process_name='powershell' AND cmdline LIKE '% -EncodedCommand %'"]
  }
}

Prediction:

AI-powered threat hunting will dominate SOC workflows by 2026, with LLMs automating 70% of analyst tasks.

Reported By: Yuval Zacharia – Hackers Feeds