Building an AI-Powered SOC Platform From Scratch
- Maryam Ziaee
- May 18
- 2 min read
Over the last phase of development, I transformed the SECOPS Platform from a basic incident dashboard into an AI-enhanced security investigation pipeline capable of ingesting, enriching, correlating, and investigating security incidents automatically.
The platform architecture now includes:
Elasticsearch → FastAPI Backend → Incident Normalization → MITRE ATT&CK Mapping → Risk Scoring Engine → Incident Correlation → Context Collection → AI Triage Engine → Autonomous Investigation → Timeline Reconstruction → Threat Intelligence Enrichment → Live SOC Dashboard
Key Features Implemented
Real-Time Incident Ingestion
Created authenticated FastAPI ingestion endpoints capable of receiving security incidents from Elastic detections and external systems.
Example ingestion test:
curl -X POST http://localhost:..../incident \
-H "Authorization: Bearer token" \
-H "Content-Type: application/json" \
-d '{
"title":"SSH Bruteforce",
"severity":"high",
"category":"unauthorized_access",
"ip":"192.168..."
}'
MITRE ATT&CK Mapping
The backend now automatically maps incidents to MITRE ATT&CK tactics and techniques.
Examples:
T1110 → Brute Force
Credential Access
Remote Access Abuse
PowerShell-related activity
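As an added illustration (not the SECOPS Platform's own code), here is a minimal Python version of the normalize → MITRE ATT&CK map → risk score steps applied to a payload shaped like the ingestion test above; the keyword table, severity weights, scoring formula and sample IP are assumptions made for this example.

```python
# Added example, not the platform's code: keyword rules, weights and score formula are assumed.
import re
from dataclasses import dataclass, field

# Assumed keyword -> (technique ID, name, tactic) table; IDs are real ATT&CK identifiers.
TECHNIQUE_RULES = [
    (r"brute.?force|password spray", ("T1110", "Brute Force", "Credential Access")),
    (r"powershell", ("T1059.001", "PowerShell", "Execution")),
    (r"\brdp\b|remote desktop", ("T1021.001", "Remote Desktop Protocol", "Lateral Movement")),
    (r"\bssh\b", ("T1021.004", "SSH", "Lateral Movement")),
]
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Incident:
    title: str
    severity: str
    category: str
    ip: str
    techniques: list = field(default_factory=list)
    risk_score: int = 0

def normalize(raw: dict) -> Incident:
    """Coerce a raw /incident payload into a fixed schema with a known severity level."""
    severity = str(raw.get("severity", "low")).strip().lower()
    if severity not in SEVERITY_WEIGHT:
        severity = "low"  # unknown severities are clamped rather than rejected
    return Incident(
        title=str(raw.get("title", "")).strip(),
        severity=severity,
        category=str(raw.get("category", "uncategorized")).strip().lower(),
        ip=str(raw.get("ip", "")).strip(),
    )

def map_attack(inc: Incident) -> Incident:
    """Attach every ATT&CK technique whose keyword rule matches the title or category."""
    text = f"{inc.title} {inc.category}".lower()
    inc.techniques = [t for pat, t in TECHNIQUE_RULES if re.search(pat, text)]
    return inc

def score_risk(inc: Incident) -> Incident:
    """Severity weight times 10, plus 5 per mapped technique, capped at 100."""
    inc.risk_score = min(100, SEVERITY_WEIGHT[inc.severity] * 10 + 5 * len(inc.techniques))
    return inc

def process(raw: dict) -> Incident:
    return score_risk(map_attack(normalize(raw)))

# Constructed sample payload mirroring the curl test (IP is a made-up private address).
SAMPLE = {"title": "SSH Bruteforce", "severity": "high", "category": "unauthorized_access", "ip": "192.168.1.10"}
```

Running `process(SAMPLE)` maps the sample to T1110 and T1021.004 and yields a risk score of 40.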
AI Triage Engine
Implemented an AI triage layer capable of generating:
incident summaries
severity reasoning
investigation recommendations
attack explanations
Example output:
"This incident appears to involve PowerShell RDP Bruteforce activity..."
Timeline Reconstruction
Built timeline generation logic to reconstruct attack progression:
initial detection
suspicious activity
escalation events
AI triage execution
investigation execution
Threat Intelligence Enrichment
Added IOC enrichment and attacker context generation:
malicious IP reputation
suspicious activity patterns
known attack behavior
Recommended response actions
Real Engineering Challenges Solved
This phase involved solving multiple real-world backend engineering and infrastructure problems:
FastAPI routing failures
Uvicorn process conflicts
PM2 reload issues
Elasticsearch version mismatches
API synchronization inconsistencies
frontend/backend state conflicts
ingestion debugging
live dashboard synchronization
route registration issues
Python virtual environment recovery
Core Technologies
Python
FastAPI
Elasticsearch
Uvicorn
PM2
Nginx
JavaScript frontend
MITRE ATT&CK
AI-assisted investigation workflows