Upload folder using huggingface_hub

.gitignore

@@ -0,0 +1,122 @@
+# ------------------------------
+# Python
+# ------------------------------
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+*.pyd
+*.dll
+
+# ------------------------------
+# Environments
+# ------------------------------
+.venv/
+venv/
+env/
+ENV/
+.venv*/
+venv*/
+env*/
+ENV*/
+.python-version
+
+# ------------------------------
+# Distribution / packaging
+# ------------------------------
+.Python
+build/
+dist/
+downloads/
+eggs/
+.eggs/
+sdist/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+pip-wheel-metadata/
+pip-log.txt
+pip-delete-this-directory.txt
+
+# ------------------------------
+# Unit test / coverage reports
+# ------------------------------
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.pytest_cache/
+junit*.xml
+
+# ------------------------------
+# Type checkers / linters
+# ------------------------------
+.mypy_cache/
+.dmypy.json
+dmypy.json
+.pyre/
+.pytype/
+.ruff_cache/
+
+# ------------------------------
+# PyInstaller
+# ------------------------------
+*.manifest
+*.spec
+
+# ------------------------------
+# Jupyter
+# ------------------------------
+.ipynb_checkpoints/
+
+# ------------------------------
+# Logs and runtime files
+# ------------------------------
+logs/
+*.log
+*.pid
+*.pid.lock
+
+# ------------------------------
+# Local environment variables & secrets
+# ------------------------------
+.env
+.env.*
+!.env.example
+
+# ------------------------------
+# Editors / IDEs / Tooling
+# ------------------------------
+.idea/
+*.iml
+.vscode/
+.history/
+.cursor/
+*.code-workspace
+
+# ------------------------------
+# OS-specific
+# ------------------------------
+.DS_Store
+Thumbs.db
+ehthumbs.db
+Desktop.ini
+
+# ------------------------------
+# Optional local data & temp
+# ------------------------------
+tmp/
+temp/
+data/
+

README.md

@@ -1,12 +1,100 @@
----
-title: Actionable
-emoji: 🦀
-colorFrom: red
-colorTo: red
-sdk: gradio
-sdk_version: 5.45.0
-app_file: app.py
-pinned: false
----
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+---
+title: actionable
+app_file: app.py
+sdk: gradio
+sdk_version: 5.44.1
+---
+## SOC Dashboard – Live Random Alert Streaming
+
+A lightweight SOC-style dashboard that streams synthetic security alerts, enriches them with threat intel and GeoIP, classifies them using an LLM, and surfaces recommended actions. Built with Gradio for a simple, responsive UI.
+
+### Features
+- **Live alert stream**: Generates up to 10 synthetic logs per session.
+- **Enrichment**: Adds IP reputation and GeoIP context.
+- **AI classification**: Uses a Gemini-compatible OpenAI client to categorize alerts, set priority, and suggest actions.
+- **Export**: Saves the current session’s alerts to `alerts_export.csv`.
+- **Playbooks**: Simulates actions (e.g., block IP, quarantine host) based on AI suggestions.
+
+### Repository Structure
+- `app.py`: Gradio UI and app orchestration.
+- `config.py`: Environment loading and Gemini-compatible OpenAI client initialization.
+- `enrichment.py`: Threat intel and GeoIP enrichment.
+- `llm_classifier.py`: Prompting and parsing for LLM classification.
+- `log_generator.py`: Synthetic log generation.
+- `playbook.py`: Maps AI-recommended actions to simulated playbooks.
+- `utils.py`: Helper utilities for cleaning/parsing model output.
+- `alerts_export.csv`: Created after exporting from the UI.
+
+### Requirements
+- Python 3.9+
+- Pip
+
+Python dependencies are listed in `requirements.txt`:
+- `pandas`
+- `gradio`
+- `python-dotenv`
+- `openai`
+
+### Environment Variables
+Create a `.env` file in the project root with your Gemini API key. This project uses the OpenAI SDK pointed at Google’s Gemini-compatible endpoint.
+
+Example `.env`:
+```
+GOOGLE_API_KEY=your_gemini_api_key_here
+```
+
+### Installation
+1. Clone or download this repository.
+2. Open a terminal in the project directory.
+3. Create and activate a virtual environment (recommended).
+   - Windows (PowerShell):
+     ```powershell
+     py -m venv .venv
+     .\.venv\Scripts\Activate.ps1
+     ```
+   - macOS/Linux (bash):
+     ```bash
+     python3 -m venv .venv
+     source .venv/bin/activate
+     ```
+4. Install dependencies:
+   ```bash
+   pip install -r requirements.txt
+   ```
+5. Create the `.env` file as shown above.
+
+### Running Locally
+Start the Gradio app:
+```bash
+python app.py
+```
+Gradio will print a local URL (e.g., `http://127.0.0.1:7860`). Open it in your browser.
+
+### Using the App
+1. Click **Start Streaming** to begin generating alerts (up to 10 per session).
+2. Watch the table populate with enriched and classified alerts.
+3. Click **Stop Streaming** to halt early.
+4. Click **Export Alerts** to save the current table to `alerts_export.csv` in the project root, then download it from the UI.
+5. Click **Run Playbooks** to simulate actions suggested by the AI; results appear in the text box.
+
+### How It Works
+- `log_generator.generate_random_log` produces timestamped events with random IPs and messages.
+- `enrichment.enrich_alert` augments each log with IP reputation and GeoIP info from in-memory lookups.
+- `llm_classifier.classify_alert` sends a structured prompt to the Gemini-compatible endpoint via the OpenAI SDK and returns `{ category, priority, action }`.
+- `app.py` builds the session table and wires up the Gradio UI for starting/stopping, exporting, and running playbooks.
+
+### Troubleshooting
+- **No output / classification errors**: Verify `.env` contains a valid `GOOGLE_API_KEY` and you have network connectivity.
+- **Package errors**: Re-create/activate the virtual environment and re-run `pip install -r requirements.txt`.
+- **Port in use**: Set a different port when launching Gradio:
+  ```python
+  # in app.py main block
+  demo.queue().launch(server_port=7861)
+  ```
+
+### Notes
+- Exported CSV only includes alerts from the current session.
+- The playbook executions are simulated; no real systems are modified.
+- IP reputation and GeoIP data are in-memory examples for demonstration.
+
+

alerts_export.csv

@@ -0,0 +1,8 @@
+Timestamp,Event,Source IP,Reputation,Location,Category,Priority,Action
+2025-09-15 22:35:39,Suspicious admin privilege escalation,185.234.219.45,malicious,Russia,System Compromise / Post-Exploitation,High,"Immediately isolate the affected system(s) from the network, initiate full incident response procedures, block the malicious source IP (185.234.219.45) at the perimeter, and begin forensic analysis to determine the scope and root cause of the privilege escalation and C2 communication."
+2025-09-15 22:36:39,Normal login from corporate network,10.0.0.15,suspicious,China,Compromised Host,High,"Initiate incident response: Immediately isolate host 10.0.0.15 from the network, investigate the specific 'unusual activity' flagged by the honeypot, review associated login details, and begin forensic analysis to determine the scope and impact of the compromise."
+2025-09-15 22:37:39,Excessive DNS queries from single host,185.234.219.45,malicious,Russia,Malware (Command & Control),High,"Immediately isolate the affected internal host. Block the malicious source IP (185.234.219.45) at all perimeter security devices (firewall, DNS sinkhole, IPS/IDS). Initiate a full incident response investigation on the affected host to determine the compromise vector, malware payload, scope of infection, and potential data exfiltration. Scan the internal network for other indicators of compromise related to this C2 server."
+2025-09-15 22:38:39,Normal login from corporate network,192.168.1.10,clean,Private Network (Internal),Benign,Low,Close alert as a normal/expected event.
+2025-09-15 22:39:39,Multiple failed login attempts,192.168.1.10,clean,Private Network (Internal),Brute Force Attempt,Medium,"Investigate the source host (192.168.1.10) to identify the system/user. Review local logs on 192.168.1.10 for any signs of compromise or unusual activity. Identify the target account(s) of the failed login attempts and check their respective authentication logs (e.g., Active Directory, application logs) for the full scope of the attempts (count, frequency, targeted usernames). Contact the identified user/owner of 192.168.1.10 to rule out user error (e.g., forgotten password, misconfigured application)."
+2025-09-15 22:40:39,Normal login from corporate network,10.0.0.15,suspicious,China,Initial Access / Unauthorized Access Attempt,High,Initiate full incident response. Investigate potential IP spoofing or internal host compromise of 10.0.0.15. Immediately isolate the host 10.0.0.15. Review all authentication logs for success/failure related to this timestamp and identify the targeted user account. Conduct comprehensive network and endpoint forensics on 10.0.0.15. Alert Security Operations Center (SOC) team lead and relevant stakeholders.
+2025-09-15 22:41:39,User downloaded large file from unknown domain,192.168.1.10,clean,Private Network (Internal),Benign,Low,"Initiate an investigation into the unknown domain's legitimacy and current reputation (e.g., check with additional threat intelligence sources, perform a sandbox analysis if feasible). Engage directly with the user (192.168.1.10) to understand the purpose and necessity of the large file download. Review organizational policies concerning downloads from unclassified or untrusted sources."

app.py

@@ -0,0 +1,88 @@
+import time
+import pandas as pd
+import gradio as gr
+from datetime import datetime
+
+from enrichment import enrich_alert
+from llm_classifier import classify_alert
+from log_generator import generate_random_log
+from playbook import run_playbook
+
+stop_streaming = False
+results_store = []
+
+def stream_logs():
+    global stop_streaming, results_store
+    stop_streaming = False
+    results_store = []
+
+    base_time = datetime.now()
+
+    for i in range(10):
+        if stop_streaming:
+            break
+
+        log = generate_random_log(base_time, i)
+        enriched = enrich_alert(log.copy())
+        ai_result = classify_alert(enriched)
+
+        row = {
+            "Timestamp": enriched.get("timestamp"),
+            "Event": enriched.get("event"),
+            "Source IP": enriched.get("source_ip"),
+            "Reputation": enriched.get("ip_reputation"),
+            "Location": enriched.get("geo_location"),
+            "Category": ai_result.get("category"),
+            "Priority": ai_result.get("priority"),
+            "Action": ai_result.get("action"),
+        }
+        results_store.append(row)
+
+        yield pd.DataFrame(results_store)
+        time.sleep(3)
+
+def stop_logs():
+    global stop_streaming
+    stop_streaming = True
+    return None
+
+def export_alerts():
+    global results_store
+    if not results_store:
+        return None
+    df = pd.DataFrame(results_store)
+    export_path = "alerts_export.csv"
+    df.to_csv(export_path, index=False)
+    return export_path
+
+def execute_playbooks():
+    global results_store
+    if not results_store:
+        return "No alerts to act on."
+    actions = [run_playbook(alert) for alert in results_store]
+    return "\n".join(actions)
+
+with gr.Blocks(theme=gr.themes.Soft()) as demo:
+    gr.Markdown("## 🛡️ Actionable : SOC Dashboard – Live Alert Prioritization & Triage")
+
+    with gr.Row():
+        start_btn = gr.Button("▶ Start Streaming", variant="primary")
+        stop_btn = gr.Button("⏹ Stop Streaming", variant="stop")
+        export_btn = gr.Button("💾 Export Alerts", variant="huggingface")
+        playbook_btn = gr.Button("⚡ Run Playbooks")
+
+    output_table = gr.Dataframe(
+        headers=["Timestamp", "Event", "Source IP", "Reputation", "Location", "Category", "Priority", "Action"],
+        wrap=True
+    )
+
+    download_file = gr.File(label="Download Exported Alerts")
+    playbook_output = gr.Textbox(label="Playbook Execution Log", lines=8)
+
+    start_btn.click(fn=stream_logs, outputs=output_table)
+    stop_btn.click(fn=stop_logs, outputs=None)
+    export_btn.click(fn=export_alerts, outputs=download_file)
+    playbook_btn.click(fn=execute_playbooks, outputs=playbook_output)
+
+if __name__ == "__main__":
+    demo.queue().launch()

config.py

@@ -0,0 +1,12 @@
+import os
+from dotenv import load_dotenv
+from openai import OpenAI
+
+load_dotenv(override=True)
+
+GOOGLE_API_KEY = os.getenv("GOOGLE_API_KEY")
+
+client = OpenAI(
+    api_key=GOOGLE_API_KEY,
+    base_url="https://generativelanguage.googleapis.com/v1beta/openai/"
+)

enrichment.py

@@ -0,0 +1,19 @@
+threat_intel_db = {
+    "185.234.219.45": {"reputation": "malicious", "reason": "Known command & control server"},
+    "10.0.0.15": {"reputation": "suspicious", "reason": "Unusual activity flagged in honeypot"},
+}
+
+geoip_db = {
+    "192.168.1.10": "Private Network (Internal)",
+    "185.234.219.45": "Russia",
+    "10.0.0.15": "China",
+    "172.16.0.5": "Private Network (Internal)"
+}
+
+def enrich_alert(log_entry):
+    ip = log_entry.get("source_ip", "")
+    threat_info = threat_intel_db.get(ip, {"reputation": "clean", "reason": "No malicious activity reported"})
+    log_entry["ip_reputation"] = threat_info["reputation"]
+    log_entry["intel_note"] = threat_info["reason"]
+    log_entry["geo_location"] = geoip_db.get(ip, "Unknown Location")
+    return log_entry

llm_classifier.py

@@ -0,0 +1,31 @@
+from config import client
+from utils import clean_ai_response, parse_json_safe
+
+def classify_alert(log_entry):
+    prompt = f"""
+    You are a SOC (Security Operations Center) AI assistant.
+    Analyze the following security alert and classify it.
+
+    Alert details:
+    Timestamp: {log_entry.get('timestamp')}
+    Source IP: {log_entry.get('source_ip')}
+    Event: {log_entry.get('event')}
+    Threat Intelligence: Reputation = {log_entry.get('ip_reputation')}, Note = {log_entry.get('intel_note')}
+    GeoIP: {log_entry.get('geo_location')}
+
+    Tasks:
+    1. Categorize the attack type (e.g., brute force, malware, data exfiltration, benign).
+    2. Assign a priority (High, Medium, Low).
+    3. Suggest next action.
+
+    Return response in JSON with keys: category, priority, action.
+    """
+
+    response = client.chat.completions.create(
+        model="gemini-2.5-flash",
+        messages=[{"role": "user", "content": prompt}],
+    )
+
+    raw_output = response.choices[0].message.content
+    cleaned = clean_ai_response(raw_output)
+    return parse_json_safe(cleaned)

log_generator.py

@@ -0,0 +1,18 @@
+import random
+from datetime import datetime, timedelta
+ips = ["192.168.1.10", "185.234.219.45", "10.0.0.15", "172.16.0.5"]
+events = [
+    "Multiple failed login attempts",
+    "Unusual outbound traffic to known bad IP",
+    "User downloaded large file from unknown domain",
+    "Normal login from corporate network",
+    "Suspicious admin privilege escalation",
+    "Excessive DNS queries from single host"
+]
+
+def generate_random_log(base_time, i):
+    return {
+        "timestamp": (base_time + timedelta(minutes=i)).strftime("%Y-%m-%d %H:%M:%S"),
+        "source_ip": random.choice(ips),
+        "event": random.choice(events)
+    }

playbook.py

@@ -0,0 +1,14 @@
+def run_playbook(alert):
+    action = alert.get("Action", "").lower()
+    ip = alert.get("Source IP", "Unknown")
+
+    if "block ip" in action:
+        return f"🔒 Simulated: Blocking IP {ip} in firewall"
+    elif "quarantine" in action:
+        return f"🛡️ Simulated: Quarantining host {ip} via EDR"
+    elif "escalate" in action or "alert" in action:
+        return f"📢 Simulated: Escalating alert for {ip} to Tier-2 SOC"
+    elif "no action" in action or "benign" in action:
+        return f"✅ Simulated: No action needed for {ip}"
+    else:
+        return f"⚙️ Simulated: Generic action executed for {ip}"

requirements.txt

@@ -0,0 +1,4 @@
+pandas
+gradio
+python-dotenv
+openai

utils.py

@@ -0,0 +1,15 @@
+import re
+import json
+
+def clean_ai_response(text: str) -> str:
+    if not text:
+        return text
+    text = re.sub(r"^```[a-zA-Z]*\n?", "", text.strip())
+    text = re.sub(r"\n?```$", "", text.strip())
+    return text.strip()
+
+def parse_json_safe(text: str) -> dict:
+    try:
+        return json.loads(text)
+    except Exception:
+        return {"category": "Unknown", "priority": "Unknown", "action": "Parsing failed"}