Category: Builder's Corner
Keyword: custom AI agents SOC workflows
Word Count: ~2200 words
Security Operations Centers (SOCs) are under constant pressure to detect, investigate, and respond to threats at machine speed. Manual triage and repetitive tasks slow down response times and increase burnout. Custom AI agents—built with modern frameworks—can automate these workflows, freeing your analysts for higher-value work and improving your security posture.
This deep-dive tutorial will guide you through building a custom AI agent that automates a typical SOC workflow: ingesting alerts, triaging them, and escalating only those that require human attention. We’ll use Python, LangChain, and OpenAI’s GPT-4, but the concepts are extensible to other LLMs and frameworks.
For broader context on how custom AI agents are transforming vertical-specific workflows, see our parent pillar article.
Prerequisites
- Python 3.10+ installed (
python --version) - pip for package management
- Basic knowledge of Python scripting
- Familiarity with Security Operations Center (SOC) concepts (alerts, triage, escalation)
- API key for OpenAI (for GPT-4 access)
- Terminal/CLI access
We’ll use the following libraries and tools:
langchain(v0.1.0+)openai(v1.0.0+)pydantic(for data validation)dotenv(for managing environment variables)- Sample alert data (provided in this tutorial)
Step 1: Set Up Your Development Environment
-
Create and activate a virtual environment:
python -m venv soc-ai-env source soc-ai-env/bin/activate # On Windows use: soc-ai-env\Scripts\activate
-
Install required packages:
pip install langchain openai pydantic python-dotenv
-
Set up your OpenAI API key:
- Create a file named
.envin your project directory:
touch .env
- Add your API key to
.env:
OPENAI_API_KEY=sk-...
- Create a file named
Step 2: Define the SOC Workflow and Alert Schema
A typical SOC alert triage workflow includes:
- Ingesting raw alerts from security tools (SIEM, EDR, etc.)
- Enriching alerts with context (IP reputation, asset info)
- Classifying alert severity and urgency
- Escalating critical alerts to analysts
Let’s define a Pydantic schema for alerts:
from pydantic import BaseModel, Field
from typing import List, Optional
class Alert(BaseModel):
id: str
timestamp: str
source: str
event_type: str
description: str
severity: Optional[str] = Field(default=None)
enrichment: Optional[dict] = Field(default_factory=dict)
escalated: bool = False
Save this as alert_schema.py.
Step 3: Ingest and Enrich Alerts
For this tutorial, we’ll simulate alert ingestion using static data. In real-world deployments, you’d connect to your SIEM or EDR API.
from alert_schema import Alert
def fetch_sample_alerts():
return [
Alert(
id="ALERT-001",
timestamp="2024-06-10T10:05:00Z",
source="EDR",
event_type="Suspicious Login",
description="Multiple failed login attempts from 203.0.113.42"
),
Alert(
id="ALERT-002",
timestamp="2024-06-10T10:15:00Z",
source="Firewall",
event_type="Port Scan",
description="Inbound port scan detected from 198.51.100.23"
),
]
For enrichment, you might pull in threat intelligence or asset data. For now, let’s mock this:
def enrich_alert(alert):
# Simple enrichment: mark known bad IPs
bad_ips = {"203.0.113.42": "Known brute-force attacker"}
for ip, info in bad_ips.items():
if ip in alert.description:
alert.enrichment["threat_intel"] = info
return alert
Step 4: Build the AI Agent with LangChain and OpenAI
LangChain provides a flexible framework for orchestrating LLM-powered workflows. We’ll create a chain that:
- Summarizes the alert in plain English
- Classifies severity (Low, Medium, High, Critical)
- Decides if escalation is needed
First, configure LangChain and OpenAI:
import os
from dotenv import load_dotenv
from langchain.llms import OpenAI
from langchain.prompts import PromptTemplate
from langchain.chains import LLMChain
load_dotenv()
llm = OpenAI(model="gpt-4", temperature=0.2, openai_api_key=os.getenv("OPENAI_API_KEY"))
Now, create prompt templates for each workflow step:
summary_prompt = PromptTemplate(
input_variables=["description"],
template="Summarize this security alert for a SOC analyst: {description}"
)
severity_prompt = PromptTemplate(
input_variables=["description", "enrichment"],
template=(
"Given this alert: {description}\n"
"With enrichment: {enrichment}\n"
"Classify severity as one of: Low, Medium, High, Critical."
)
)
escalation_prompt = PromptTemplate(
input_variables=["severity"],
template="Should this alert with severity '{severity}' be escalated to a human analyst? Answer Yes or No."
)
Define the chains:
summary_chain = LLMChain(llm=llm, prompt=summary_prompt)
severity_chain = LLMChain(llm=llm, prompt=severity_prompt)
escalation_chain = LLMChain(llm=llm, prompt=escalation_prompt)
Step 5: Orchestrate the End-to-End Workflow
Let’s wire everything together in a main script that:
- Fetches and enriches alerts
- Runs them through the AI agent
- Prints triage results
from ingest_alerts import fetch_sample_alerts
from enrich_alerts import enrich_alert
from ai_agent import summary_chain, severity_chain, escalation_chain
def process_alert(alert):
alert = enrich_alert(alert)
summary = summary_chain.run(description=alert.description)
severity = severity_chain.run(description=alert.description, enrichment=alert.enrichment)
should_escalate = escalation_chain.run(severity=severity)
alert.severity = severity
alert.escalated = "Yes" in should_escalate
print(f"---\nAlert ID: {alert.id}")
print(f"Summary: {summary}")
print(f"Severity: {severity}")
print(f"Escalate: {alert.escalated}")
if __name__ == "__main__":
alerts = fetch_sample_alerts()
for alert in alerts:
process_alert(alert)
Run your workflow:
python main.py
Expected Output:
--- Alert ID: ALERT-001 Summary: Multiple failed login attempts from 203.0.113.42 indicate possible brute-force activity. Severity: High Escalate: True --- Alert ID: ALERT-002 Summary: Inbound port scan detected from 198.51.100.23. Severity: Medium Escalate: False
Screenshot: Terminal output showing AI-driven alert triage and escalation decisions.
Step 6: Customize and Extend Your Agent
You can extend your agent to:
- Integrate with real SIEM APIs (Splunk, Elastic, etc.)
- Enrich with live threat intelligence feeds
- Log escalated alerts to a ticketing system (JIRA, ServiceNow)
- Chain additional LLM tasks (e.g., recommend response actions)
To connect to legacy systems, see our tutorial on integrating AI workflow automation with mainframes.
Common Issues & Troubleshooting
-
OpenAI API errors (401/429):
- Check your
OPENAI_API_KEYin the.envfile. - Ensure your account has GPT-4 access and sufficient quota.
- Check your
-
LangChain version mismatches:
- Verify with
pip show langchain
. Use version 0.1.0 or later.
- Verify with
-
Prompt quality issues (poor classification):
- Tweak prompt templates for clarity and context.
- Experiment with
temperaturein the OpenAI LLM config.
-
Module import errors:
- Check that all scripts are in the same directory or update
PYTHONPATHaccordingly.
- Check that all scripts are in the same directory or update
-
Rate limits:
- Implement basic retry logic or
time.sleep()between requests if needed.
- Implement basic retry logic or
Next Steps
You’ve now built a functional AI agent that automates core SOC triage workflows. From here, you can:
- Integrate with production alert sources and ticketing systems
- Expand the agent’s logic (e.g., auto-remediation, playbook execution)
- Apply similar architectures to other verticals—see how AI agents automate healthcare claims adjudication for inspiration
- Secure your LLM prompts and data flows—see our guide on prompt security
For a broader look at building custom AI agents for vertical-specific workflow automation, revisit our pillar article.
Ready to supercharge your SOC? Start building, iterating, and automating—one workflow at a time.