README_EN.md

SOC-Copilot

🤖 AI-Powered Security Operations Center Assistant

English | 简体中文

An AI-powered SOC assistant built on Agent-Skills technology for intelligent alert triage, investigation, and automated incident response.

#AgenticSOC #NextGenSIEM #AICyberSecurity #IncidentResponse #SecurityAutomation

---

📖 Table of Contents

• ✨ Key Features
• 🏗️ Architecture
• 🚀 Quick Start
• 📋 Workflow
• 🎯 Capabilities & Limitations
• 📸 Screenshots
• 📁 Project Structure
• 🤝 Contributing
• 📄 License
• 🙏 Acknowledgments

---

✨ Key Features

Feature	Description
🔍 Intelligent Triage	Automated alert triage based on experience library, supporting both rule matching and AI analysis
🕵️ Deep Investigation	Automated threat hunting, correlation analysis, and investigation script generation
🛡️ Automated Response	Intelligent response script generation (Bash/PowerShell) for one-click remediation
📊 Report Generation	Automatic professional analysis report output in multiple formats
🧠 Self-Learning	Analysis results automatically固化 as rules, continuously improving triage capabilities
⚡ Efficiency Boost	Computational cost gradually decreases as rules accumulate

---

🏗️ Architecture

SOC-Copilot employs an innovative dual-track processing mechanism:

• Predictable Alerts → Rule Matching → Script-based Automated Response
• Unpredictable Alerts → LLM Analysis → Generate New Rules & Scripts → User Review &固化

---

🚀 Quick Start

Installation

Method 1: For Claude Code Users

# Clone the repository
git clone https://github.com/G4rb3n/SOC-Copilot.git

# Install to Claude Skills directory
mv SOC-Copilot ~/.claude/skills/
cd ~/.claude/skills/SOC-Copilot

Method 2: For OpenClaw Users

If you're using the OpenClaw platform:

# Clone to OpenClaw Skills directory
git clone https://github.com/G4rb3n/SOC-Copilot.git ~/.openclaw/skills/SOC-Copilot

💡 Tip: After installation, start a new session (run /new) to load the skill.

Usage

# Start Claude
claude

# Run SOC-Copilot
/soc-copilot ./samples/

---

📋 Workflow

┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│ Alert Input │ -> │   Triage    │ -> │ Investigation│ -> │  Response   │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
                          │                  │                  │
                          v                  v                  v
                   ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
                   │Generate Rules│    │Generate Script│   │Generate Script│
                   └─────────────┘    └─────────────┘    └─────────────┘
                          │                  │                  │
                          └──────────────────┴──────────────────┘
                                            │
                                            v
                                    ┌─────────────┐
                                    │ User Review │
                                    └─────────────┘

Detailed Process

1. Triage Phase

   • Read alert logs from specified directory
   • Analyze using experience library at reference/triage/triage.md
   • Generate triage rules and save to scripts/triage_rules/

2. Investigation Phase

   • Deep analysis using reference/investigation/investigation.md
   • Generate Python investigation scripts to scripts/investigation/

3. Response Phase

   • Remediation using reference/incident_response/incident_response.md
   • Generate Bash/PowerShell response scripts to scripts/incident_response/

4. Reporting Phase

   • Output analysis report based on assets/analysis_report.md template
   • Save to reports/ directory

---

🎯 Capabilities & Limitations

⚠️ Understanding boundaries helps maximize value

✅ Supported Capabilities	❌ Unsupported Capabilities
Alert triage analysis	Raw log detection
Threat hunting & investigation	Real-time massive alert processing
Automated incident response	Replacing security analysts
Self-learning rule generation	-

---

📸 Screenshots

Triage Phase

Investigation Phase

Response Phase

Report Phase

---

📁 Project Structure

SOC-Copilot/
├── assets/                 # Template resources
│   ├── triage_rule.yml     # Triage rule template
│   └── analysis_report.md  # Analysis report template
├── reference/              # Experience knowledge base
│   ├── triage/             # Triage experience
│   │   ├── endpoint/       # Endpoint security
│   │   └── network/        # Network security
│   ├── investigation/      # Investigation experience
│   └── response/           # Response experience
├── scripts/                # Generated scripts
│   ├── triage_rules/       # Triage rules
│   ├── investigation/      # Investigation scripts
│   └── incident_response/  # Response scripts
├── samples/                # Sample alerts
└── reports/                # Analysis reports

---

🤝 Contributing

Contributions are welcome! See CONTRIBUTING.md to learn how to:

• 🐛 Report bugs
• 💡 Suggest new features
• 📝 Improve documentation
• 🔧 Submit code

Adding New Experience Knowledge

You can actively input SKILL files to train the SOC sub-engine:

1. Create experience documents in the corresponding reference/ directory
2. Write analysis experience following existing formats
3. Submit a PR to merge into the main branch

---

📄 License

This project is licensed under the MIT License.

---

🙏 Acknowledgments

Thanks to all contributors!

---

If this project helps you, please give it a ⭐ Star!