This is a submission for the GitHub Copilot CLI Challenge
In modern SOC environments, every second matters.
What if Windows Security Events could be explained, mapped, classified, and correlated instantly, directly from your terminal?
What I Built
I built a Python-based SOC (Security Operations Center) Assistant CLI that helps analysts quickly understand Windows Security Events, map them to MITRE ATT&CK, assess severity, and follow recommended investigation steps, all from the command line.
In real-world SOC environments, analysts often waste time searching documentation to understand event IDs like 4625, 1102, or 4769. My goal was to reduce triage time and provide structured investigation guidance instantly.
This CLI tool:
- Explains Windows Security Event IDs
- Maps events to MITRE ATT&CK techniques and tactics
- Assigns severity levels (LOW / MEDIUM / HIGH / CRITICAL)
- Provides step-by-step investigation guidance
- Detects attack patterns using event correlation
- Works fully offline
- Covers the 10 most common SOC Windows events
It is ideal for:
- SOC Tier 1 / Tier 2 Analysts
- Blue Team beginners
- Cybersecurity students
- Incident response labs & competitions
The most powerful feature is the built-in attack chain correlation engine.
Instead of analyzing single events in isolation, the CLI detects real-world attack patterns across multiple event IDs, such as brute force attempts followed by successful logons.
This transforms raw security logs into actionable intelligence within seconds.
Demo
GitHub Repository:
https://github.com/krishnadangi-alt/soc-assistant-cli
Example Commands
Explain an event:
python soc.py explain 4625
MITRE mapping:
python soc.py mitre 1102
Severity check:
python soc.py severity 4732
Correlation detection:
python soc.py correlate 4625 4625 4625 4624
Example Output
Detected Pattern: Brute Force → Successful Login
Risk Level: HIGH
Reason: Multiple failed logons followed by success.
Recommended SOC Actions:
- Investigate source IP
- Force password reset
- Check for lateral movement
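To make the correlation engine described above concrete, here is an added example (not code from the soc-assistant-cli repository) of how the `correlate` and `explain` commands can be built on an ordered list of event IDs. The event table, the three-failure threshold and the second rule (a successful logon followed by an audit-log clear) are assumptions of this example, not the project's own data.

```python
import argparse

# Constructed event table: the real soc.py keeps a larger one (assumption).
EVENTS = {
    4624: ("Successful logon", "T1078 Valid Accounts", "LOW"),
    4625: ("Failed logon", "T1110 Brute Force", "MEDIUM"),
    1102: ("Audit log cleared", "T1070.001 Clear Windows Event Logs", "HIGH"),
}
BRUTE_FORCE_THRESHOLD = 3  # assumed: failed logons needed before a 4624 counts


def explain(event_id):
    """Return (description, MITRE technique, severity) or None if unknown."""
    return EVENTS.get(event_id)


def correlate(event_ids):
    """Scan an ordered list of event IDs; return the first chain found or None.
    Unknown IDs are ignored so a noisy log does not break the scan."""
    failed, logged_on = 0, False
    for eid in event_ids:
        if eid == 4625:
            failed += 1
        elif eid == 4624:
            if failed >= BRUTE_FORCE_THRESHOLD:
                return {"pattern": "Brute Force -> Successful Login", "risk": "HIGH",
                        "reason": f"{failed} failed logons followed by success.",
                        "actions": ["Investigate source IP", "Force password reset",
                                    "Check for lateral movement"]}
            failed, logged_on = 0, True
        elif eid == 1102 and logged_on:  # assumed second rule: anti-forensics
            return {"pattern": "Successful Login -> Audit Log Cleared", "risk": "CRITICAL",
                    "reason": "Event log cleared after an interactive session.",
                    "actions": ["Preserve forwarded logs", "Isolate host",
                                "Identify the account that cleared the log"]}
        elif eid in EVENTS:
            failed = 0  # any other known event breaks a failed-logon streak
    return None


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    sub = parser.add_subparsers(dest="cmd", required=True)
    sub.add_parser("explain").add_argument("event_id", type=int)
    sub.add_parser("correlate").add_argument("event_ids", type=int, nargs="+")
    args = parser.parse_args()
    if args.cmd == "explain":
        print(explain(args.event_id) or "Unknown event ID")
    else:
        print(correlate(args.event_ids) or "No known pattern detected")
```

Running `python soc_example.py correlate 4625 4625 4625 4624` reports the HIGH brute-force chain, while two failures followed by a success returns no pattern, which is the threshold a real deployment should tune to its own baseline.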
Screenshots
Explain Command Output
MITRE Mapping Output
Severity Assessment
Correlation Detection
My Experience with GitHub Copilot CLI
GitHub Copilot CLI dramatically accelerated development.
I used it to:
- Generate structured event intelligence templates
- Refine MITRE ATT&CK mappings
- Improve severity reasoning logic
- Design the correlation detection mechanism
- Debug CLI argument handling
- Optimize investigation steps
Instead of repeatedly searching documentation, I used Copilot CLI prompts like:
"SOC investigation steps for Windows Event ID 4625"
"MITRE ATT&CK mapping for Kerberos ticket request event"
Copilot helped me iterate faster, while I focused on structuring real SOC logic.
This project showcases how GitHub Copilot CLI can move beyond coding assistance and help build intelligent security tooling.
Architecture
- Python argparse for command structure
- Structured event intelligence dictionary
- MITRE ATT&CK mapping integration
- Severity classification logic
- Attack chain correlation engine
All lightweight. No external dependencies. Fully offline.
Why This Project Matters
Security teams are overloaded with dashboards, alerts, and noise.
But during triage, what they really need is clarity.
This tool reduces cognitive load by transforming raw Windows Event IDs into structured intelligence, immediately.
It empowers analysts to move from detection to action in seconds.
Future Improvements
- Accept raw Windows log exports
- JSON output for SIEM ingestion
- Timeline-based attack visualization
- Expanded MITRE coverage
- Integration with Splunk / ELK
Final Thoughts
This project reflects how GitHub Copilot CLI can empower developers to build intelligent, real-world tools faster.
From concept to functional SOC intelligence CLI: built faster, smarter, and more confidently with GitHub Copilot CLI.
Thank you for reviewing my submission!