Spaces:
Sleeping
Sleeping
| name: soc-incident-response | |
| version: "1.0.0" | |
| description: > | |
| A Security Operations Center (SOC) environment where an AI agent acts as a | |
| tier-1 analyst. The agent triages SIEM alerts, reconstructs attack chains | |
| using the MITRE ATT&CK framework, isolates compromised endpoints, and | |
| manages real business constraints during active incidents. | |
| author: "Ankit Kumar & Jayanth" | |
| tags: | |
| - openenv | |
| - cybersecurity | |
| - soc | |
| - incident-response | |
| - mitre-attack | |
| - real-world | |
| tasks: | |
| - id: alert_triage | |
| name: "Alert triage (easy)" | |
| description: > | |
| Given a single SIEM alert with indicators of compromise, classify it as | |
| true positive or false positive and recommend the correct immediate action. | |
| difficulty: easy | |
| max_steps: 10 | |
| score_range: [0.0, 1.0] | |
| - id: attack_chain_reconstruction | |
| name: "Attack chain reconstruction (medium)" | |
| description: > | |
| Correlate 15 alerts across 4 hosts over a 2-hour window. Identify the | |
| full MITRE ATT&CK kill chain, locate patient zero, and contain the threat | |
| before it reaches the crown jewel asset. | |
| difficulty: medium | |
| max_steps: 25 | |
| score_range: [0.0, 1.0] | |
| - id: constrained_incident_response | |
| name: "Constrained incident response (hard)" | |
| description: > | |
| Respond to an active breach with business constraints: CEO laptop involved | |
| cannot isolate, domain controller at risk, legal hold required, and a | |
| customer-facing API is degrading. Balance security, business continuity, | |
| and compliance simultaneously. | |
| difficulty: hard | |
| max_steps: 40 | |
| score_range: [0.0, 1.0] | |
| observation_space: | |
| type: object | |
| description: > | |
| Structured snapshot of the SOC environment at each step. Contains the | |
| current alert queue, network topology state, active sessions, investigation | |
| history, and any business constraint flags. | |
| action_space: | |
| type: object | |
| description: > | |
| Seven analyst actions: enrich_alert, correlate_alerts, isolate_endpoint, | |
| disable_account, collect_forensics, escalate_to_tier2, create_ticket. | |
| reward: | |
| type: float | |
| range: [-1.0, 1.0] | |
| description: > | |
| Dense reward signal. Positive for correct classifications, chain coverage, | |
| and successful containment. Negative for false positive isolations, | |
| missed true positives, and per-minute dwell time penalties. | |
| endpoints: | |
| reset: POST /reset | |
| step: POST /step | |
| state: GET /state | |