soc-triage-env / README.md
vasanthfeb13's picture
Upload folder using huggingface_hub
6297f9f verified
|
Raw
History Blame Contribute Delete
3.52 kB
metadata
title: SOC Triage OpenEnv
emoji: 🛡️
colorFrom: blue
colorTo: red
sdk: docker
app_port: 7860
pinned: false
tags:
  - openenv
  - cybersecurity
  - triage
base_path: /web

SOC Triage Environment

A real-world cybersecurity SOC analyst triage environment for agent training and evaluation.

Overview

This environment simulates tier-1 SOC workflow where an agent must:

  • investigate evidence with SOC tools
  • classify alert severity only after evidence gathering
  • prioritize alert queues under uncertainty
  • identify multi-stage kill chains in noisy timelines

Architecture now follows OpenEnv reference patterns:

  • SOCTriageEnv subclasses Environment
  • server uses create_app(...) from openenv-core
  • standard endpoints (/reset, /step, /state, /schema, /ws) are auto-generated
  • custom endpoints (/tasks, /grader, /baseline) remain available

Action Space

  • tool_name: one of list_tools, query_siem, get_threat_intel, pivot_alert, submit_verdict
  • tool_args: JSON object for tool parameters (query strings, IOC, alert id, etc.)
  • classification: required for submit_verdict
  • recommended_action: required for submit_verdict
  • reasoning: analyst rationale for traceability

Observation Space

  • task_id, difficulty, step_num, max_steps
  • prompt and context_history
  • available_tools for guided interaction
  • investigation_notes, known_iocs, last_tool_result
  • task evidence (alert or alerts or events)
  • reward, done, and feedback

Tasks

  • easy: single alert severity classification
  • medium: alert queue prioritization
  • hard: kill-chain event correlation

Graders

  • easy: severity-distance score
  • medium: Kendall-tau rank correlation normalized to [0,1]
  • hard: F1 score on selected kill-chain events

Reward Design

Reward is shaped as:

  • investigation step rewards for useful evidence gathering
  • base grader score on submit_verdict
  • partial credit for directionally correct outcomes
  • investigation bonus when tool usage improves trace quality
  • penalties for false positives and premature/no-investigation verdicts

Run Locally

pip install -r requirements.txt
uvicorn soc_triage_env.server.app:app --host 0.0.0.0 --port 8000

Docker

docker build -t soc-triage-env:latest -f server/Dockerfile .
docker run -p 8000:8000 soc-triage-env:latest

Required Endpoints

  • POST /reset
  • POST /step
  • GET /state
  • GET /tasks
  • POST /grader
  • POST /baseline
  • GET /health

Latest Verification Snapshot

Validated locally against the current code state:

  • diagnostics: no workspace errors
  • grader contract/bounds suite: test_grader_bounds.py passed (127/127)
  • OpenEnv validator: ready for multi-mode deployment
  • endpoint smoke checks: /health, /schema, /reset, /step, /tasks, /grader, /logs all returned HTTP 200

Reference Alignment Summary

Compared against OpenEnv reference repos and templates (calendar, reasoning_gym, tbench2, carla, repl):

  • app creation follows create_app(...) factory pattern used by reference env servers
  • environment implementation follows Environment contract (reset, step, state)
  • supports multi-turn progression and deterministic grading-friendly behavior
  • custom SOC routes (/tasks, /grader, /baseline) are additive and do not break standard OpenEnv API shape

Intentional environment-specific extension:

  • request-log capture middleware and /logs endpoint for triage/debug observability