Skip to content
@Automatic-Case-Investigator

Automatic Case Investigator

ACI — Autonomous Case Investigator

Turn a flood of security alerts into evidence-backed incident reports — without a human watching every step.

Screenshot 2026-07-13 at 11 12 30 AM

Overview

ACI is an AI agent that triages security alerts and investigates them like an analyst would: forming hypotheses, querying logs, confirming or ruling out leads, and writing up what it found with the evidence to back it up. Point it at your SIEM/SOAR, and it turns raw alerts into structured, traceable incident reports.

Under the hood: Django 5, LangGraph, MCP, and WebSocket-driven real-time streaming.

Why ACI

The asymmetry between attack and defense

A single attacker can trigger a security incident that demands the simultaneous attention of many skilled defenders. Launching an attack is a concentrated act; investigating one is a distributed, multi-disciplinary effort. A single intrusion can span initial access, credential abuse, lateral movement, and data exfiltration — each phase leaving traces in different log sources, requiring different expertise to interpret. No individual analyst covers all of it with equal depth.

Depth over speed

Most AI SOC tools optimize for speed across the full alert-to-response lifecycle — triage, enrichment, risk scoring, containment. ACI optimizes for depth: investigation before conclusion. It breaks a case into discrete tasks, runs iterative SIEM queries, preserves intermediate evidence, and anchors every finding to retrieved log events rather than case narrative. The output is a traceable investigation record — what happened, which evidence supports it, which claims are still unconfirmed, and what follow-up is needed — that analysts, responders, and auditors can independently verify.

How It Works

Triage agent: First-line lightweight SOC triage agent. Accepts a case / alert id, reads the relevant evidence, diagnoses severity and category, and returns a triage report with a prioritized investigation plan.

Investigtion agent: Deep SOC investigation agent. Performs in-depth SIEM analysis, enriches artifacts, and produces a grounded report.

Example workflow:

alert / case -> triage -> investigation -> report

Features

  • Evidence-anchored findings: Confirmed facts, working hypotheses, and extracted artifacts are tracked across tasks and tied to specific retrieved log events — not just narrative summary.
  • Task-driven investigation: Cases are decomposed into discrete, prioritized tasks worked one at a time, keeping investigation focused and progress auditable.
  • Live reasoning stream: Real-time visibility into agent intent, tool calls, and results as the investigation happens.
  • Local inference support: Sending internal security logs to external AI services isn't acceptable in every regulated environment. ACI supports locally deployed models so sensitive data never leaves your organization.
  • Extensible via MCP: Pluggable integrations with SIEM, SOAR, workspace, and memory providers through the Model Context Protocol — swap or add tool providers without touching the agent logic.

Example Investigation

Click to Expand

The following is an privilege escalation alert in scenario fox in the AIT-ADS dataset:

### @timestamp
| key | val |
| ------ | ------ |
| @timestamp | 2022-01-18T13:14:31.000000Z |
### Agent
| key | val |
| ------ | ------ |
| agent.id | 27 |
| agent.ip | 10.35.35.206 |
| agent.name | wazuh-client |
### Decoder
| key | val |
| ------ | ------ |
| decoder.name | pam |
### Full_log
| key | val |
| ------ | ------ |
| full_log | Jan 18 13:14:31 intranet-server su[28816]: pam_unix(su:session): session opened for user phopkins by (uid=33) |
### Id
| key | val |
| ------ | ------ |
| id | 1700000000.110417 |
### Input
| key | val |
| ------ | ------ |
| input.type | log |
### Location
| key | val |
| ------ | ------ |
| location | /var/log/auth.log |
### Manager
| key | val |
| ------ | ------ |
| manager.name | wazuh.manager |
### Predecoder
| key | val |
| ------ | ------ |
| predecoder.hostname | intranet-server |
| predecoder.program_name | su |
| predecoder.timestamp | Jan 18 13:14:31 |
### Rule
| key | val |
| ------ | ------ |
| rule.description | PAM: Login session opened. |
| rule.firedtimes | 4 |
| rule.gdpr.0 | IV_32.2 |
| rule.gpg13.0 | 7.8 |
| rule.gpg13.1 | 7.9 |
| rule.groups.0 | pam |
| rule.groups.1 | syslog |
| rule.groups.2 | authentication_success |
| rule.hipaa.0 | 164.312.b |
| rule.id | 5501 |
| rule.level | 3 |
| rule.mail | False |
| rule.nist_800_53.0 | AU.14 |
| rule.nist_800_53.1 | AC.7 |
| rule.pci_dss.0 | 10.2.5 |
| rule.tsc.0 | CC6.8 |
| rule.tsc.1 | CC7.2 |
| rule.tsc.2 | CC7.3 |
### Timestamp
| key | val |
| ------ | ------ |
| timestamp | 2022-01-18T13:14:31.000+0000 |

The investigation correctly identified multiple related attack phases prior and after the privilege escalation alert:

Verdict

Compromise confirmed; critical; active.

### Executive Summary

The alert is confirmed malicious activity on intranet-server: a web-delivered foothold led to an interactive su from www-data to phopkins, followed immediately by sudo-to-root execution and credential-access behavior. The observed sequence is tightly time-bounded and consistent with post-exploitation activity rather than routine administration. Evidence also shows a reverse-shell payload in the WordPress uploads path, which strongly supports initial access via web content.
Scope & impact: impact=active, scope=isolated
Confirmed Timeline
- 2022-01-18T13:13:28Z — LZde6XUMxOoFOQsiscyu: HTTP GET / on intranet-server from 172.17.130.196.
- 2022-01-18T13:14:18Z — qDqTUjp7_4q5yqmXwtAG: HTTP request from 172.17.130.196 for a PHP file under /wp-content/uploads/2022/01/ with decoded reverse-shell content targeting 192.168.130.77:51898.
- 2022-01-18T13:14:31Z — yhsIAsmqq9UiqY8jl4yX: successful su for phopkins by www-data on pts/1.
- 2022-01-18T13:14:31Z — 5F5M9VOrlxFOdAocUKd5: PAM session opened for phopkins by uid=0.
- 2022-01-18T13:14:41Z — 93U42Z2IP5NGEG-s3apq: successful sudo to root by phopkins from /var/www/intranet.price.fox.org/wp-content/uploads/2022/01.
- 2022-01-18T13:14:43Z — r7CyyqWsZCjejfvpJO4B: successful sudo to root by phopkins running /bin/ls -laR /root/.
- 2022-01-18T13:14:49Z — 3kp8gZqt29xgUPf7VD3i: successful sudo to root by phopkins running /bin/cat /etc/shadow.

### Phase-by-Phase Findings

**Initial Access**
The evidence shows a web request from source IP 172.17.130.196 to a PHP file in the WordPress uploads directory, and the decoded payload contains a bash reverse-shell command to 192.168.130.77:51898. This is the strongest confirmed upstream access mechanism in the dataset and directly precedes the www-data-to-phopkins transition. Confidence: high.
Evidence→conclusion link: qDqTUjp7_4q5yqmXwtAG proves the web-delivered reverse-shell mechanism; LZde6XUMxOoFOQsiscyu provides the immediate preceding web access context. The source IP does not match the reverse-shell callback target, so attribution to a single origin host is not established.

**Execution**
The reverse-shell payload and subsequent interactive session show attacker-controlled code execution in a web context on intranet-server. The session was interactive on pts/1, indicating live operator activity rather than a one-off automated request. Confidence: high.
Evidence→conclusion link: qDqTUjp7_4q5yqmXwtAG and yhsIAsmqq9UiqY8jl4yX together support executed web payload followed by an interactive shell.

**Persistence**
No persistence mechanism is confirmed in the retrieved telemetry. The post-escalation activity is short-lived and the sampled window did not reveal cron, service, SSH key, or other durable changes. Confidence: medium.
Evidence→conclusion link: the absence of follow-on auth or persistence artifacts after the burst supports a short session, but absence of evidence is not proof of absence.

**Privilege Escalation**
www-data successfully transitioned into phopkins, and phopkins then successfully used sudo to root three times in the same terminal session. The working directory remained under /var/www/intranet.price.fox.org/wp-content/uploads/2022/01, tying the escalation to a web-root context. Confidence: high.
Evidence→conclusion link: yhsIAsmqq9UiqY8jl4yX confirms the www-data → phopkins handoff; 93U42Z2IP5NGEG-s3apq confirms sudo-to-root activity from the same session context.

**Defense Evasion**
No specific defense-evasion artifact is confirmed beyond the use of a web-delivered reverse shell and immediate privilege escalation. There is no evidence in the retrieved telemetry of log tampering, agent tampering, or other suppression actions. Confidence: low.
Evidence→conclusion link: the dataset is insufficient to confirm evasion behavior.

**Credential Access**
The command /bin/cat /etc/shadow is confirmed, which is direct credential-file access. This is a clear post-escalation impact action and is consistent with credential theft intent. Confidence: high.
Evidence→conclusion link: 3kp8gZqt29xgUPf7VD3i directly proves the shadow-file read.

**Discovery**
Root directory enumeration is confirmed through /bin/ls -laR /root/ and the initial list command under root. This indicates immediate discovery activity after escalation. Confidence: high.
Evidence→conclusion link: r7CyyqWsZCjejfvpJO4B and 93U42Z2IP5NGEG-s3apq show root-level enumeration in the same short burst.

**Lateral Movement**
No lateral movement is confirmed. The retrieved evidence is confined to intranet-server, with no corroborated pivot to another host. Confidence: medium.
Evidence→conclusion link: all confirmed events remain host-local; no separate destination host is evidenced.

**Command and Control**
A reverse-shell command to 192.168.130.77:51898 is confirmed, which establishes a callback channel. However, the retrieved evidence does not confirm whether that address also served as the initial attacker source or whether any additional C2 activity followed. Confidence: high for callback existence, medium for broader C2 scope.
Evidence→conclusion link: qDqTUjp7_4q5yqmXwtAG proves the reverse-shell target. Attribution remains unconfirmed because the callback address is not linked to the source IP in the evidence.

**Actions on Objectives**
The confirmed sequence includes root enumeration and a read of /etc/shadow, indicating post-exploitation access to sensitive credential material. This is malicious impact, not benign administration. Confidence: high.
Evidence→conclusion link: 3kp8gZqt29xgUPf7VD3i is the clearest objective-bearing action in the burst.

### Open Gaps
- The exact upstream mechanism that allowed www-data to su into phopkins is not proven by the retrieved events alone.
- The reverse-shell callback target 192.168.130.77:51898 is confirmed, but whether that address is also the attacker source is unconfirmed.
- No direct evidence identifies a unique external attacker host beyond the web source IP 172.17.130.196.
- Persistence is not confirmed or disproven; the sampled telemetry does not show durable changes, but that does not rule them out elsewhere.
- Lateral movement is not confirmed because no second host is evidenced in the retrieved dataset.
- The full impact of the /etc/shadow read is unconfirmed; credential extraction or reuse was not directly observed.
- The source IP for the first suspicious login/session is available for the web request flow, but not for a separate direct authentication to phopkins; a direct remote login was not shown.

### Recommended Actions
- Isolate intranet-server immediately to stop any remaining attacker access.
- Disable or rotate credentials for phopkins and review sudoers exposure on the host.
- Remove or quarantine the malicious PHP file under /wp-content/uploads/2022/01/ and inspect adjacent uploads for additional web shells.
- Investigate and contain the web-access source 172.17.130.196 and the reverse-shell callback endpoint 192.168.130.77:51898.
- Review /etc/shadow, sudo, su, web server, and authentication logs for additional compromise indicators and possible credential theft.
- Search for persistence mechanisms on intranet-server, including cron, systemd units, authorized keys, and web root modifications.
- Reset any credentials that may have been exposed on the host, prioritizing accounts with sudo access.
- Perform a full host-based forensic review and compare with other telemetry sources to determine whether lateral movement occurred.

Getting Started

Documentation

License

See each repository's license for details.

Citations

  • Landauer, M., Skopik, F., Wurzenberger, M. (2024): Introducing a New Alert Data Set for Multi-Step Attack Analysis. Proceedings of the 17th Cyber Security Experimentation and Test Workshop. [PDF]
  • Landauer M., Skopik F., Frank M., Hotwagner W., Wurzenberger M., Rauber A. (2023): Maintainable Log Datasets for Evaluation of Intrusion Detection Systems. IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 4, pp. 3466-3482. [PDF]

Popular repositories Loading

  1. SOC-Stack SOC-Stack Public

    The SOC technology stack used for testing

    Dockerfile

  2. .github .github Public

  3. Jupyterhub_Stack Jupyterhub_Stack Public

    Jupyterhub stack for AI development with tensorflow and cuda preconfigured

    Python

  4. ACI_Home_Page ACI_Home_Page Public

    Public facing home page of ACI

    TypeScript

  5. ACI_Training_Experiment ACI_Training_Experiment Public

    An experiment examining ACI_Cyber_Base_GPT_OSS_20B's capability in SOC investigation planning applications.

    Python

  6. ACI ACI Public

    An on-premise AI SOC analyst platform

    Python

Repositories

Showing 6 of 6 repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Loading…

Most used topics

Loading…