AI-Powered SOC Command Center
Natural Language → SIEM Queries · Real-Time Detection · AI Copilot · Automated Response

Features • Architecture • Quickstart • API • Security • Contributing
OpenSentinel is a full-stack Security Operations Center (SOC) platform that combines AI-driven analysis with traditional SIEM capabilities. It translates natural language queries into Splunk SPL, runs automated detection rules mapped to MITRE ATT&CK, and provides an AI copilot for incident investigation, all behind an API hardened against the OWASP API Security Top 10.
## Features

- Natural language → Splunk SPL translation via spaCy NER
- Support for custom fine-tuned NLP models
- Entity extraction: IPs, domains, users, security actions
- Context-aware query building with time range support
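As an added illustration of the NLP → SPL step (not the project's `soc_agent.py`, which uses spaCy NER), the block below uses regexes as a stand-in for entity extraction and assembles a Splunk search with a time range; the `auth` index name and the default 24-hour window are assumptions. It also quotes every extracted value so that text from the chat box cannot append its own pipeline stages to the generated SPL.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not OpenSentinel's soc_agent.py: regexes stand in for the
# project's spaCy NER; the index name and default window are assumptions.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\buser\s+([A-Za-z0-9_.\-]+)", re.I)
TIME_RE = re.compile(r"last\s+(\d+)\s*(minute|hour|day)s?", re.I)
ACTIONS = {"failed login": "action=failure", "successful login": "action=success"}
UNIT = {"minute": "m", "hour": "h", "day": "d"}


@dataclass
class Entities:
    ips: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)
    action: Optional[str] = None
    earliest: str = "-24h"          # assumed default time range


def extract_entities(text: str) -> Entities:
    ent = Entities(ips=IP_RE.findall(text), users=USER_RE.findall(text))
    for phrase, clause in ACTIONS.items():
        if phrase in text.lower():
            ent.action = clause
    m = TIME_RE.search(text)
    if m:
        ent.earliest = f"-{m.group(1)}{UNIT[m.group(2).lower()]}"
    return ent


def spl_quote(value: str) -> str:
    # Quote and escape extracted values so user text cannot break out of the
    # search term and add its own pipeline stages to the generated query.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_spl(text: str, index: str = "auth") -> str:
    ent = extract_entities(text)
    terms = [f"index={index}", f"earliest={ent.earliest}"]
    if ent.action:
        terms.append(ent.action)
    terms += [f"src_ip={spl_quote(ip)}" for ip in ent.ips]
    terms += [f"user={spl_quote(u)}" for u in ent.users]
    return "search " + " ".join(terms) + " | stats count by src_ip, user"
```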
- 6 built-in detection rules mapped to MITRE ATT&CK
- Real-time alert lifecycle (new → acknowledged → closed)
- Configurable thresholds and time windows
- Anomaly detection module
| Rule | MITRE | Severity |
|---|---|---|
| Brute Force Detection | T1110 | High |
| Suspicious PowerShell | T1059.001 | Critical |
| DNS Exfiltration | T1048.003 | Critical |
| Lateral Movement (SMB) | T1021.002 | High |
| Privilege Escalation | T1068 | Critical |
| C2 Beaconing | T1071 | High |
- Full incident lifecycle with timeline tracking
- Alert-to-incident linking
- Notes, status updates, and severity tracking
- BOLA-protected object-level access control
- Script Analyzer: deobfuscate and assess suspicious scripts
- Threat Intel Enrichment: IOC lookups via VirusTotal & AbuseIPDB
- Investigator: AI-guided investigation workflows
- Summarizer: natural language summaries of SIEM query results
- Pre-built hunt library with categorized queries
- Hunt notebook for tracking investigations
- One-click hunt execution against live SIEM data
- 5 built-in response playbooks
- Action-based execution engine
- Execution statistics and audit trail
- Glassmorphism dark-theme UI
- Responsive design with hamburger menu
- Real-time status indicators
- Interactive chat interface for NLP queries
## Architecture

```
┌─────────────────────────────────────────────────────┐
│                  Dashboard (HTML)                   │
├─────────────────────────────────────────────────────┤
│              FastAPI Server (main.py)               │
│  ┌──────────┐ ┌──────────┐ ┌───────────────────┐    │
│  │ Security │ │   Auth   │ │  Input Validator  │    │
│  │Middleware│ │ Manager  │ │ (SSRF/Injection)  │    │
│  └──────────┘ └──────────┘ └───────────────────┘    │
├─────────────────────────────────────────────────────┤
│  ┌──────────┐ ┌──────────┐ ┌──────────┐             │
│  │   SOC    │ │ Sentinel │ │    AI    │             │
│  │  Agent   │ │  Engine  │ │ Copilot  │             │
│  │(NLP→SPL) │ │ (Detect) │ │ (Gemini) │             │
│  └────┬─────┘ └──────────┘ └────┬─────┘             │
│       │                         │                   │
│  ┌────┴─────┐ ┌──────────┐ ┌────┴─────┐             │
│  │  Splunk  │ │Playbooks │ │VirusTotal│             │
│  │   SIEM   │ │  Engine  │ │AbuseIPDB │             │
│  └──────────┘ └──────────┘ └──────────┘             │
└─────────────────────────────────────────────────────┘
```
## Quickstart

- Python 3.10+
- Splunk instance (optional: Gemini AI works without a SIEM)
- API keys for Gemini, VirusTotal, AbuseIPDB (optional)
```bash
# Clone the repository
git clone https://github.com/Techris93/OpenSentinel.git
cd OpenSentinel

# Create virtual environment
python -m venv venv
source venv/bin/activate    # macOS/Linux
# venv\Scripts\activate     # Windows

# Install dependencies
pip install -r requirements.txt

# Download spaCy model
python -m spacy download en_core_web_sm
```

Create a `.env` file in the project root:
```env
# Google Gemini API (https://aistudio.google.com/app/apikey)
GEMINI_API_KEY=your_gemini_key_here

# VirusTotal API (https://www.virustotal.com)
VIRUSTOTAL_API_KEY=your_vt_key_here

# AbuseIPDB API (https://www.abuseipdb.com)
ABUSEIPDB_API_KEY=your_abuseipdb_key_here

# Splunk Connection (optional)
SPLUNK_HOST=localhost
SPLUNK_PORT=8089
SPLUNK_USERNAME=admin
SPLUNK_PASSWORD=changeme

# Security
OPENSENTINEL_API_KEY=your-secure-api-key
RATE_LIMIT=60
CORS_ORIGINS=http://localhost:5001
```

Start the server:

```bash
python main.py
```

```
🛡️ OpenSentinel Command Center v1.0.0 starting on port 5001...
   API Docs: http://localhost:5001/api/docs
   Dashboard: http://localhost:5001/dashboard
   OWASP: API1-10 protections active
```
## API

All endpoints are available at `/api/v1/` (versioned) and `/api/` (legacy).

| Method | Path | Description |
|---|---|---|
| GET | `/api/v1/health` | Health check with system status |
| GET | `/dashboard` | Web dashboard UI |
| GET | `/api/docs` | Interactive OpenAPI docs |

Include the `X-API-Key: <your-key>` header in all requests.
| Method | Path | Role | Description |
|---|---|---|---|
| POST | `/api/v1/connect` | admin | Connect to Splunk SIEM |
| POST | `/api/v1/chat` | analyst | NLP query interface |
| POST | `/api/v1/sentinel/start` | admin | Start detection engine |
| POST | `/api/v1/sentinel/stop` | admin | Stop detection engine |
| GET | `/api/v1/sentinel/alerts` | analyst | Get security alerts |
| GET | `/api/v1/anomalies` | analyst | Get detected anomalies |
| GET | `/api/v1/incidents` | analyst | List incidents (BOLA-filtered) |
| GET | `/api/v1/incidents/{id}` | analyst | Get incident detail |
| GET | `/api/v1/hunts` | analyst | List threat hunts |
| POST | `/api/v1/hunts/{id}/execute` | analyst | Execute a threat hunt |
| POST | `/api/v1/copilot/analyze-script` | analyst | AI script analysis |
| POST | `/api/v1/copilot/enrich` | analyst | IOC enrichment |
| GET | `/api/v1/playbooks` | analyst | List playbooks |
| GET | `/api/v1/playbooks/stats` | analyst | Playbook execution stats |
```bash
curl -X POST http://localhost:5001/api/v1/chat \
  -H "X-API-Key: your-key" \
  -H "Content-Type: application/json" \
  -d '{"message": "Show me failed login attempts from 192.168.1.100"}'
```

## Security

OpenSentinel implements all OWASP API Security Top 10 protections:
| # | Vulnerability | Mitigation |
|---|---|---|
| API1 | BOLA | Ownership verification on incident endpoints |
| API2 | Broken Auth | Key expiry, timing-safe comparison, brute-force lockout |
| API3 | Property Auth | Field-level response filtering by role |
| API4 | Rate Limiting | Global + per-endpoint rate limits |
| API5 | Function Auth | Role-based access (admin/analyst/readonly) |
| API6 | Anti-Automation | Per-endpoint throttling on sensitive flows |
| API7 | SSRF | Private IP blocking in recon targets |
| API8 | Misconfiguration | Security headers (HSTS, CSP, X-Frame-Options) |
| API9 | Inventory | API versioning + OpenAPI documentation |
| API10 | Unsafe Consumption | External API response truncation and sanitization |
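Two of the mitigations in the table, written out as an added example (not the project's `security/auth.py` or `security/input_validator.py`; the lockout thresholds, the key-store shape and the pluggable resolver are assumptions): timing-safe API key comparison with expiry and brute-force lockout (API2), and rejection of recon targets that resolve to private or reserved addresses (API7).

```python
import hmac
import ipaddress
import socket
import time
from collections import defaultdict

# Added example, not OpenSentinel's auth.py / input_validator.py.
LOCKOUT_THRESHOLD = 5      # assumed: failed key presentations before lockout
LOCKOUT_SECONDS = 300      # assumed: lockout window


class ApiKeyStore:
    def __init__(self, keys):
        # keys: {api_key: {"role": "admin"|"analyst"|"readonly", "expires": unix_ts}}
        self.keys = keys
        self.failures = defaultdict(list)   # client id -> failure timestamps

    def verify(self, presented, client, now=None):
        """Return the key's role, or None on unknown/expired key or lockout."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures[client] if now - t < LOCKOUT_SECONDS]
        self.failures[client] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            return None                      # locked out: do not even compare
        for key, meta in self.keys.items():
            # compare_digest takes the same time whether the strings differ at
            # the first byte or the last, so no prefix oracle is exposed
            if hmac.compare_digest(presented.encode(), key.encode()):
                if meta["expires"] < now:
                    break                    # expired keys fail like unknown ones
                return meta["role"]
        self.failures[client].append(now)
        return None


def is_safe_target(host, resolver=socket.gethostbyname):
    """SSRF guard: reject hosts that resolve to private, loopback, link-local,
    multicast, reserved or unspecified addresses. The resolver is injectable
    so the check can be tested offline."""
    try:
        ip = ipaddress.ip_address(resolver(host))
    except (socket.gaierror, ValueError):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
```

When the check passes, connect to the resolved address rather than re-resolving the hostname, otherwise a DNS answer that changes between check and use (rebinding) bypasses the guard.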
Role hierarchy: `admin > analyst > readonly`

- admin: full access (SIEM connection, sentinel control, all data)
- analyst: query, investigate, hunt, view own incidents
- readonly: view limited incident fields only
```
OpenSentinel/
├── main.py                 # FastAPI server (19 endpoints)
├── soc_agent.py            # NLP → Splunk SPL engine
├── gemini_client.py        # Google Gemini AI client
├── dashboard.html          # Web UI (glassmorphism)
├── requirements.txt        # Python dependencies
├── .gitignore
│
├── security/
│   ├── __init__.py
│   ├── auth.py             # API key management & RBAC
│   ├── middleware.py       # Rate limiting, headers, audit
│   └── input_validator.py  # Injection & SSRF prevention
│
├── sentinel/
│   ├── __init__.py
│   ├── detection_engine.py # Rule-based threat detection
│   ├── rules.py            # MITRE ATT&CK detection rules
│   ├── anomaly_detector.py # Statistical anomaly detection
│   └── incidents.py        # Incident lifecycle manager
│
├── copilot/
│   ├── __init__.py
│   ├── summarizer.py       # AI event summarization
│   ├── script_analyzer.py  # Malicious script analysis
│   ├── investigator.py     # AI investigation assistant
│   └── threat_intel.py     # VirusTotal & AbuseIPDB
│
├── hunting/
│   ├── __init__.py
│   ├── hunt_library.py     # Pre-built hunt queries
│   └── notebook.py         # Hunt investigation notebook
│
├── playbooks/
│   ├── __init__.py
│   ├── engine.py           # Playbook execution engine
│   └── actions.py          # Response action definitions
│
└── connectors/
    └── __init__.py         # SIEM connector interface
```
## Contributing

Contributions are welcome! Areas where help is especially valued:

- Detection Rules: add new MITRE ATT&CK-mapped rules
- SIEM Connectors: extend beyond Splunk (Elastic, QRadar, Sentinel)
- Playbook Actions: add automated response capabilities
- Tests: improve test coverage
- Documentation: improve guides and tutorials

MIT License, see LICENSE for details.

Built with ❤️ for the Blue Team
