macRAG SecCopilot is a local, containerized Retrieval-Augmented Generation (RAG)-based AI Security Investigator designed to streamline the process of security incident triage, alert analysis, and mean time to resolution (MTTR) reduction.
- 🧠 AI-augmented Chat for incident interpretation
- 📊 Risk Scoring and Anomaly Detection
- 🗺️ Markdown to Mindmap generation for incident reports
- ⏱️ MTTD/MTTR analytics for leadership dashboards
- 🐳 Self-healing Dockerized Setup for Apple Silicon
chmod +x setup.sh
./setup.shThis will:
- Clean up existing containers
- Download Ollama + LLMs
- Launch Streamlit app at
http://localhost:8501
| Feature | Description |
|---|---|
| 🔐 AI Assistant | Ask “What happened before the alert?” or “How to prevent this?” |
| 📄 Markdown Summary | LLM-generated incident summary |
| 🧠 Mindmap Export | Visualize incident story as interactive mindmap |
| 📈 Risk Score | Classifies threat severity |
| ⏱️ MTTR Metrics | Auto-derived Mean Time To Detect / Resolve |
| 🛠️ Streamlit Tabs | Home, Chat, Mindmap, Report |
| 🐳 Docker Ready | Self-healing, fast rebuilds, Apple Silicon optimized |
| 🧪 Supports multiple LLMs | Ollama, OpenAI, etc. via .env toggle |
Create a .env file or modify .env.example:
LLM_BACKEND=ollama
VECTOR_DB=faiss
EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
STREAMLIT_SERVER_PORT=8501
OPENAI_API_KEY=your-key-here # (if using OpenAI backend)├── docker-compose.yml
├── setup.sh
├── .env.example
├── streamlit_app/
│ ├── Home.py
│ ├── chat.py
│ ├── report_mindmap.py
│ └── ...
├── src/
│ ├── loaders/
│ ├── chunkers/
│ ├── parsers/
│ └── utils/
├── data/
│ ├── mock_security_incidents.csv
│ └── ...
├── notebooks/
│ └── threat_analysis.ipynb
└── README.md ← you are here
Click 📥 Generate Mindmap in the Streamlit app to download .html and open in Chrome.
- Reducing SOC analyst fatigue with guided interpretation
- Helping CISO teams quantify alert impact
- Quickly reviewing threat narratives across time
- Integrating with CloudTrail / Syslog / Sentinel alerts
Here’s a curated list of smart, realistic questions you can ask in the Chat section of macRAG SecCopilot to simulate stakeholder usage or demonstrate LLM-powered investigation value:
- “What happened before this alert?”
- “Why is this login attempt flagged?”
- “Was this IP seen in past incidents?”
- “Show me events 5 minutes before and after the alert.”
- “When did the suspicious user activity start?”
- “Where was this user logged in from?”
- “Has this user ever accessed from this country before?”
- “Which sensitive files were accessed?”
- “Was data exfiltration attempted?”
- “What is the risk score of this incident?”
- “What factors increased the risk?”
- “Is this a false positive?”
- “How severe is this threat compared to others today?”
- “How can we prevent this type of alert?”
- “What controls should be enabled?”
- “Which playbook applies here?”
- “Recommend a response plan.”
- “Summarize this incident.”
- “Explain this alert like I’m a CISO.”
- “How often does this type of alert occur?”
- “Is this part of a pattern?”
- “Link this alert to any past similar alerts.”
- “What user behaviors preceded this event?”
- “Generate a mindmap for this threat.”
- LangSmith + Weights & Biases observability
- NIST tagging and MITRE ATT&CK classification
- CI/CD integration and test automation
Built by Saurabh Chhatwal, powered by LangChain and OLLAMA
MIT License — use freely with attribution.