SentinelIQ is an autonomous Security Operations Center (SOC) intelligence platform that performs real-time threat detection, attack correlation, UEBA risk scoring, dynamic attack graph generation, and automated incident response.
The platform simulates core capabilities commonly found in enterprise security solutions such as Splunk, Microsoft Sentinel, CrowdStrike, and SentinelOne while remaining lightweight, transparent, and fully self-hosted.
SentinelIQ ingests security telemetry, enriches events through behavioral analytics, maps activity to MITRE ATT&CK techniques, builds evolving attack graphs, and triggers autonomous defensive actions.
Public Deployment (Nosana Cloud)
https://4u8pgm9fagp9ah4al48agqdvwoxypvsvn9rutoeccsvn.node.k8s.prd.nos.ci/docs
The live deployment exposes an interactive Swagger UI where events can be submitted and attack graphs generated in real time.
- User & Entity Behavior Analytics (UEBA)
- Risk-based scoring engine
- Login anomaly detection
- Failed authentication detection
- Behavioral deviation analysis
- Threat classification
- Real-time node creation
- User-to-IP relationship mapping
- Weighted attack paths
- Attack chain reconstruction
- Graph summary analytics
- Relationship tracking
- Multi-event attack correlation
- MITRE ATT&CK mapping
- Brute force attack detection
- Threat confidence scoring
- Attack escalation analysis
- Behavioral pattern recognition
- Automatic IP blocking simulation
- User quarantine simulation
- Escalation workflows
- Incident memory tracking
- Risk-based response actions
- Real-time monitoring
- Threat visualization
- Live graph updates
- Security event tracking
- SOC-style operational interface
Security Events
```
Security Events
      │
      ▼
FastAPI API Layer
      │
      ▼
UEBA Risk Engine
      │
      ▼
Correlation Engine
      │
      ▼
MITRE ATT&CK Mapping
      │
      ▼
Attack Graph Builder
      │
      ▼
Autonomous Response Engine
      │
      ▼
SOC Dashboard
```
Example request:

```json
{
  "user_id": "admin",
  "event_type": "LOGIN_FAILURE",
  "ip_address": "8.8.8.8"
}
```

Example response:

```json
{
  "risk": 65,
  "correlation": "CONFIRMED_ATTACK (T1110 - Brute Force)"
}
```

Build the image:

```bash
docker build -t sentineliq .
```

Run the container:

```bash
docker run -p 8000:8000 sentineliq
```

Open:

http://localhost:8000/docs
Clone repository:

```bash
git clone https://github.com/Drechi3/SentinelIQ.git
cd SentinelIQ
```

Install dependencies:

```bash
pip install -r requirements.txt
```

Run application:

```bash
python -m uvicorn main:app --reload
```

Open Swagger UI:

http://localhost:8000/docs
- User repeatedly fails authentication.
- Risk score increases.
- Correlation engine maps activity to MITRE ATT&CK T1110.
- Attack graph expands dynamically.
- Autonomous response engine reacts.
- Incident is stored for future analysis.
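The scenario above traced through code: an added Python sketch (not SentinelIQ's own modules) of a minimal UEBA-plus-correlation loop over events in the documented JSON shape. The scoring thresholds and the `203.0.113.7` source address are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative thresholds; these are assumptions, not SentinelIQ's tuned values.
FAIL_SCORE = 15          # risk added to a user per failed login
CONFIRM_THRESHOLD = 45   # risk at which correlation confirms T1110 brute force
BLOCK_THRESHOLD = 60     # risk at which the response engine blocks the source IP
MIN_FAILURES = 3         # failures required before correlation confirms an attack


@dataclass
class Detector:
    """Tracks per-user risk, failure counts, a user->IP graph and responses."""
    risk: dict = field(default_factory=lambda: defaultdict(int))
    failures: dict = field(default_factory=lambda: defaultdict(int))
    graph: dict = field(default_factory=lambda: defaultdict(set))
    blocked_ips: set = field(default_factory=set)
    incidents: list = field(default_factory=list)

    def ingest(self, event: dict) -> dict:
        user, ip, kind = event["user_id"], event["ip_address"], event["event_type"]
        self.graph[user].add(ip)  # attack graph: user node linked to source IP
        if kind == "LOGIN_FAILURE":
            self.failures[user] += 1
            self.risk[user] = min(100, self.risk[user] + FAIL_SCORE)
        # Correlation: repeated failures with elevated risk map to MITRE ATT&CK T1110.
        correlation = "NORMAL"
        if self.failures[user] >= MIN_FAILURES and self.risk[user] >= CONFIRM_THRESHOLD:
            correlation = "CONFIRMED_ATTACK (T1110 - Brute Force)"
        elif self.failures[user] >= 2:
            correlation = "SUSPICIOUS"
        # Autonomous response: block the source once and store the incident for later review.
        action = None
        if (correlation.startswith("CONFIRMED_ATTACK")
                and self.risk[user] >= BLOCK_THRESHOLD and ip not in self.blocked_ips):
            self.blocked_ips.add(ip)
            self.incidents.append({"user": user, "ip": ip, "risk": self.risk[user],
                                   "technique": "T1110"})
            action = f"BLOCK_IP {ip}"
        return {"risk": self.risk[user], "correlation": correlation, "action": action}


def run_demo():
    """Replays constructed telemetry: five failed admin logins from one source IP."""
    detector = Detector()
    event = {"user_id": "admin", "event_type": "LOGIN_FAILURE", "ip_address": "203.0.113.7"}
    return detector, [detector.ingest(dict(event)) for _ in range(5)]
```

Each returned dict mirrors the response shape shown earlier, with the added `action` field showing when the simulated IP block fires and that it fires only once per source.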
```
SentinelIQ/
│
├── agents/
├── backend/
├── frontend/
├── threat_intel/
├── alerts/
├── storage/
├── tests/
│
├── main.py
├── attack_graph.py
├── correlation_engine.py
├── response_engine.py
├── ai_risk_engine.py
├── dashboard.html
├── Dockerfile
├── requirements.txt
│
└── screenshots/
```
- LLM-Powered SOC Analyst
- AI Incident Summaries
- Threat Intelligence Enrichment
- Multi-Tenant Dashboard
- Graph Database Integration
- Vector Memory Search
- Kubernetes Deployment
- Cloud SIEM Integrations
- Real-Time Threat Feeds
- Python 3.12
- FastAPI
- Docker
- HTML/CSS/JavaScript
- MITRE ATT&CK Framework
- UEBA Analytics
- Attack Graph Modeling
- Nosana Cloud Deployment
Igboanugo David Ugochukwu
Cybersecurity Researcher | Technical Writer | Security Engineer
GitHub: https://github.com/Drechi3
LinkedIn: https://www.linkedin.com/in/igboanugo-david-ugochukwu-73136220b
MIT License