Skip to content

ReubenGeorg/SOC-Copilot

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.gitignore
.gitignore
 
 
App.jsx
App.jsx
 
 
README.md
README.md
 
 
index.html
index.html
 
 
main.jsx
main.jsx
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
vite.config.js
vite.config.js
 
 

Repository files navigation

⬡ SOC Copilot — Ollama Edition

A fully local, zero-cost, no-API-key SOC threat hunting copilot. All AI runs on your machine via Ollama. Nothing leaves your network.

Quick Start

1. Install Ollama

# Linux / macOS
curl -fsSL https://ollama.com/install.sh | sh

# Windows: download installer from https://ollama.com/download

2. Pull a model

ollama pull llama3          # recommended — good quality, ~4.7 GB
# or lighter alternatives:
ollama pull mistral         # ~4.1 GB, fast
ollama pull phi3            # ~2.3 GB, very fast on low-end hardware
ollama pull llama3.1:8b     # best quality for threat analysis

3. Start Ollama

ollama serve
# Ollama now listens on http://localhost:11434

4. Clone and run the app

git clone https://github.com/YOUR_USERNAME/soc-copilot
cd soc-copilot
npm install
npm run dev

Open http://localhost:5173 — done. No API keys, no costs, no data leaving your machine.

Changing the model

Edit the top of src/App.jsx:

const MODEL = "llama3";   // ← change to any model you've pulled

Run ollama list to see what you have installed.

Features

  • Alert Queue — Triage alerts from CrowdStrike, SentinelOne, VirusTotal, and custom sources
  • One-click investigation — Click any alert to auto-generate AI threat analysis
  • Streaming responses — See the model think in real time
  • MITRE ATT&CK mapping — Automatic TTP identification
  • KQL/SPL hunting queries — Generated on demand
  • Quick Actions — Pre-built prompts for common SOC workflows
  • Ollama status indicator — Know instantly if your local model is reachable

Connecting real alert sources

Replace MOCK_ALERTS in src/App.jsx with a polling function:

CrowdStrike

const res = await fetch('https://api.crowdstrike.com/detects/entities/detect/GET/v1', {
  headers: { Authorization: `Bearer ${CS_TOKEN}` }
});

SentinelOne

const res = await fetch(`${S1_URL}/web/api/v2.1/threats`, {
  headers: { Authorization: `ApiToken ${S1_TOKEN}` }
});

Custom webhook

Add an Express server (server.js) to receive webhook POSTs and forward them to the React app via a WebSocket or polling endpoint.

CORS fix (if needed)

If Ollama blocks requests from the browser, set this environment variable before running ollama serve:

# Linux/macOS
OLLAMA_ORIGINS="http://localhost:5173" ollama serve

# Windows (PowerShell)
$env:OLLAMA_ORIGINS="http://localhost:5173"; ollama serve

The Vite dev server also includes a built-in proxy (/ollama → localhost:11434) as a fallback.

Recommended models for SOC work

Model Size Best for
llama3.1:8b 4.9 GB Best overall threat analysis quality
llama3 4.7 GB Good balance of speed and quality
mistral 4.1 GB Fast, good at structured output
phi3 2.3 GB Low-end hardware, still useful
codellama 3.8 GB Writing detection rules / code

Stack

  • React 18 + Vite
  • Ollama (local LLM inference)
  • Space Mono + IBM Plex Sans fonts
  • Zero external dependencies for AI

License

MIT

About

AI-powered SOC threat hunting copilot — runs locally with Ollama

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages