Spaces:
Sleeping
Sleeping
| title: SOC Triage OpenEnv | |
| emoji: "🛡️" | |
| colorFrom: blue | |
| colorTo: red | |
| sdk: docker | |
| app_port: 7860 | |
| pinned: false | |
| tags: | |
| - openenv | |
| - cybersecurity | |
| - triage | |
| base_path: /web | |
| ## SOC Triage Environment | |
| A real-world cybersecurity SOC analyst triage environment for agent training and evaluation. | |
| ## Overview | |
| This environment simulates tier-1 SOC workflow where an agent must: | |
| - investigate evidence with SOC tools | |
| - classify alert severity only after evidence gathering | |
| - prioritize alert queues under uncertainty | |
| - identify multi-stage kill chains in noisy timelines | |
| Architecture now follows OpenEnv reference patterns: | |
| - `SOCTriageEnv` subclasses `Environment` | |
| - server uses `create_app(...)` from `openenv-core` | |
| - standard endpoints (`/reset`, `/step`, `/state`, `/schema`, `/ws`) are auto-generated | |
| - custom endpoints (`/tasks`, `/grader`, `/baseline`) remain available | |
| ## Action Space | |
| - `tool_name`: one of `list_tools`, `query_siem`, `get_threat_intel`, `pivot_alert`, `submit_verdict` | |
| - `tool_args`: JSON object for tool parameters (query strings, IOC, alert id, etc.) | |
| - `classification`: required for `submit_verdict` | |
| - `recommended_action`: required for `submit_verdict` | |
| - `reasoning`: analyst rationale for traceability | |
| ## Observation Space | |
| - `task_id`, `difficulty`, `step_num`, `max_steps` | |
| - `prompt` and `context_history` | |
| - `available_tools` for guided interaction | |
| - `investigation_notes`, `known_iocs`, `last_tool_result` | |
| - task evidence (`alert` or `alerts` or `events`) | |
| - `reward`, `done`, and `feedback` | |
| ## Tasks | |
| - easy: single alert severity classification | |
| - medium: alert queue prioritization | |
| - hard: kill-chain event correlation | |
| ## Graders | |
| - easy: severity-distance score | |
| - medium: Kendall-tau rank correlation normalized to [0,1] | |
| - hard: F1 score on selected kill-chain events | |
| ## Reward Design | |
| Reward is shaped as: | |
| - investigation step rewards for useful evidence gathering | |
| - base grader score on `submit_verdict` | |
| - partial credit for directionally correct outcomes | |
| - investigation bonus when tool usage improves trace quality | |
| - penalties for false positives and premature/no-investigation verdicts | |
| ## Run Locally | |
| ```bash | |
| pip install -r requirements.txt | |
| uvicorn soc_triage_env.server.app:app --host 0.0.0.0 --port 8000 | |
| ``` | |
| ## Docker | |
| ```bash | |
| docker build -t soc-triage-env:latest -f server/Dockerfile . | |
| docker run -p 8000:8000 soc-triage-env:latest | |
| ``` | |
| ## Required Endpoints | |
| - POST /reset | |
| - POST /step | |
| - GET /state | |
| - GET /tasks | |
| - POST /grader | |
| - POST /baseline | |
| - GET /health | |
| ## Latest Verification Snapshot | |
| Validated locally against the current code state: | |
| - diagnostics: no workspace errors | |
| - grader contract/bounds suite: `test_grader_bounds.py` passed (`127/127`) | |
| - OpenEnv validator: ready for multi-mode deployment | |
| - endpoint smoke checks: `/health`, `/schema`, `/reset`, `/step`, `/tasks`, `/grader`, `/logs` all returned HTTP 200 | |
| ## Reference Alignment Summary | |
| Compared against OpenEnv reference repos and templates (calendar, reasoning_gym, tbench2, carla, repl): | |
| - app creation follows `create_app(...)` factory pattern used by reference env servers | |
| - environment implementation follows `Environment` contract (`reset`, `step`, `state`) | |
| - supports multi-turn progression and deterministic grading-friendly behavior | |
| - custom SOC routes (`/tasks`, `/grader`, `/baseline`) are additive and do not break standard OpenEnv API shape | |
| Intentional environment-specific extension: | |
| - request-log capture middleware and `/logs` endpoint for triage/debug observability | |