soc-triage-env / README.md
vasanthfeb13's picture
Upload folder using huggingface_hub
6297f9f verified
|
Raw
History Blame Contribute Delete
3.52 kB
---
title: SOC Triage OpenEnv
emoji: "🛡️"
colorFrom: blue
colorTo: red
sdk: docker
app_port: 7860
pinned: false
tags:
- openenv
- cybersecurity
- triage
base_path: /web
---
## SOC Triage Environment
A real-world cybersecurity SOC analyst triage environment for agent training and evaluation.
## Overview
This environment simulates tier-1 SOC workflow where an agent must:
- investigate evidence with SOC tools
- classify alert severity only after evidence gathering
- prioritize alert queues under uncertainty
- identify multi-stage kill chains in noisy timelines
Architecture now follows OpenEnv reference patterns:
- `SOCTriageEnv` subclasses `Environment`
- server uses `create_app(...)` from `openenv-core`
- standard endpoints (`/reset`, `/step`, `/state`, `/schema`, `/ws`) are auto-generated
- custom endpoints (`/tasks`, `/grader`, `/baseline`) remain available
## Action Space
- `tool_name`: one of `list_tools`, `query_siem`, `get_threat_intel`, `pivot_alert`, `submit_verdict`
- `tool_args`: JSON object for tool parameters (query strings, IOC, alert id, etc.)
- `classification`: required for `submit_verdict`
- `recommended_action`: required for `submit_verdict`
- `reasoning`: analyst rationale for traceability
## Observation Space
- `task_id`, `difficulty`, `step_num`, `max_steps`
- `prompt` and `context_history`
- `available_tools` for guided interaction
- `investigation_notes`, `known_iocs`, `last_tool_result`
- task evidence (`alert` or `alerts` or `events`)
- `reward`, `done`, and `feedback`
## Tasks
- easy: single alert severity classification
- medium: alert queue prioritization
- hard: kill-chain event correlation
## Graders
- easy: severity-distance score
- medium: Kendall-tau rank correlation normalized to [0,1]
- hard: F1 score on selected kill-chain events
## Reward Design
Reward is shaped as:
- investigation step rewards for useful evidence gathering
- base grader score on `submit_verdict`
- partial credit for directionally correct outcomes
- investigation bonus when tool usage improves trace quality
- penalties for false positives and premature/no-investigation verdicts
## Run Locally
```bash
pip install -r requirements.txt
uvicorn soc_triage_env.server.app:app --host 0.0.0.0 --port 8000
```
## Docker
```bash
docker build -t soc-triage-env:latest -f server/Dockerfile .
docker run -p 8000:8000 soc-triage-env:latest
```
## Required Endpoints
- POST /reset
- POST /step
- GET /state
- GET /tasks
- POST /grader
- POST /baseline
- GET /health
## Latest Verification Snapshot
Validated locally against the current code state:
- diagnostics: no workspace errors
- grader contract/bounds suite: `test_grader_bounds.py` passed (`127/127`)
- OpenEnv validator: ready for multi-mode deployment
- endpoint smoke checks: `/health`, `/schema`, `/reset`, `/step`, `/tasks`, `/grader`, `/logs` all returned HTTP 200
## Reference Alignment Summary
Compared against OpenEnv reference repos and templates (calendar, reasoning_gym, tbench2, carla, repl):
- app creation follows `create_app(...)` factory pattern used by reference env servers
- environment implementation follows `Environment` contract (`reset`, `step`, `state`)
- supports multi-turn progression and deterministic grading-friendly behavior
- custom SOC routes (`/tasks`, `/grader`, `/baseline`) are additive and do not break standard OpenEnv API shape
Intentional environment-specific extension:
- request-log capture middleware and `/logs` endpoint for triage/debug observability