Isolation Forest for anomaly detection in auth logs; LLM-powered SOC triage for alert investigation.
AI-Powered Threat Detection
# ML for anomaly detection in security logs
import json

import pandas as pd
from sklearn.ensemble import IsolationForest
from sklearn.preprocessing import StandardScaler
# Feature engineering from auth logs
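def extract_features(
    log_df: pd.DataFrame,
    *,
    night_start: int = 22,
    night_end: int = 6,
) -> pd.DataFrame:
    """Aggregate per-user behavioural features from an auth-log frame.

    Expects one row per login event with at least the columns
    ``user_id``, ``timestamp``, ``ip``, ``success`` (bool or 0/1),
    ``hour`` (0-23) and ``session_duration``.

    Args:
        log_df: Raw auth-log events, one row per login attempt.
        night_start: Events with ``hour`` strictly greater than this count
            as "unusual"; default 22, so only hour 23 qualifies.
        night_end: Events with ``hour`` strictly less than this count as
            "unusual"; default 6.

    Returns:
        One row per ``user_id`` with the columns ``login_count``,
        ``unique_ips``, ``failed_attempts``, ``unusual_hours`` and
        ``avg_session_minutes``. NaN aggregates (e.g. a user with no
        recorded session duration) are replaced by 0.
    """

    def failed(success: pd.Series) -> int:
        # Coerce to bool before negating: bitwise ``~`` on an int 0/1 column
        # yields -1/-2 instead of a logical NOT, which silently inflates the
        # count in the wrong direction. A missing value maps to True here,
        # i.e. is not counted as a failure.
        return int((~success.astype(bool)).sum())

    def off_hours(hour: pd.Series) -> int:
        return int(((hour < night_end) | (hour > night_start)).sum())

    return log_df.groupby("user_id").agg(
        login_count=("timestamp", "count"),
        unique_ips=("ip", "nunique"),
        failed_attempts=("success", failed),
        unusual_hours=("hour", off_hours),
        avg_session_minutes=("session_duration", "mean"),
    ).fillna(0)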
# Fit the baseline: scale the per-user features, then train the
# IsolationForest on the scaled matrix. ``scaler`` and ``model`` are the
# module-level objects ``score_user`` reuses at inference time.
# NOTE(review): ``train_logs`` is defined outside this listing; it is
# assumed to be an auth-log frame in the shape ``extract_features`` expects.
features = extract_features(train_logs)
scaler = StandardScaler().fit(features)
X_scaled = scaler.transform(features)
# contamination=0.01 is the share of the baseline assumed anomalous; the
# threshold behind ``predict`` is derived from it, so it should reflect how
# clean the training window is believed to be.
model = IsolationForest(contamination=0.01, random_state=42).fit(X_scaled)
# Score new users
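def score_user(user_log: pd.DataFrame) -> dict:
    """Score one user's auth-log events against the trained baseline.

    Args:
        user_log: Auth-log events for a single ``user_id``, in the shape
            ``extract_features`` consumes. If several users are present,
            only the first aggregated row is scored and the rest are
            ignored, so callers should filter to one user first.

    Returns:
        ``{"score": float, "is_anomaly": bool}`` where ``score`` is the
        IsolationForest decision value (lower means more anomalous) and
        ``is_anomaly`` is True when the model labels the row ``-1``.
        Both values are builtin Python types so the dict is JSON-serialisable.

    Raises:
        ValueError: if ``user_log`` holds no events (nothing to score).
    """
    features = extract_features(user_log)
    if features.empty:
        raise ValueError("user_log contains no events to score")
    scaled = scaler.transform(features)
    # decision_function: lower = more anomalous; predict: -1 = outlier.
    score = model.decision_function(scaled)[0]
    label = model.predict(scaled)[0]
    # Cast numpy scalars to builtins: json.dumps() rejects numpy.bool_.
    return {"score": float(score), "is_anomaly": bool(label == -1)}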
# LLM-based log analysis
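def llm_triage_alert(alert_context: str) -> dict:
    """Ask the LLM for a first-pass triage of one alert and return it as a dict.

    Args:
        alert_context: Free-text alert details (log excerpts, indicators).
            Log contents are attacker-influenced and may contain text aimed
            at steering the model, so the returned triage is an input to an
            analyst's decision, not something to act on automatically.

    Returns:
        The parsed JSON object from the model, carrying the keys
        ``severity``, ``likely_cause`` and ``recommended_action``.

    Raises:
        ValueError: if the response is not valid JSON, is not a JSON object,
            or lacks one of the expected keys. ``json.JSONDecodeError`` is a
            ``ValueError`` subclass, so callers catching the original parse
            error still match.
    """
    # NOTE(review): ``client`` is constructed outside this listing.
    prompt = (
        f"Analyse this alert: {alert_context}\n"
        "Return JSON: {severity, likely_cause, recommended_action}"
    )
    resp = client.messages.create(
        model="claude-opus-4-5",
        max_tokens=500,
        system="You are a SOC analyst. Triage security alerts.",
        messages=[{"role": "user", "content": prompt}],
    )
    raw = resp.content[0].text
    try:
        triage = json.loads(raw)
    except json.JSONDecodeError as err:
        # Models sometimes wrap JSON in prose or code fences; include a
        # truncated repr so the analyst can see what actually came back.
        raise ValueError(f"triage response is not valid JSON: {raw[:200]!r}") from err
    if not isinstance(triage, dict):
        raise ValueError(f"triage response is not a JSON object: {raw[:200]!r}")
    expected = ("severity", "likely_cause", "recommended_action")
    missing = [key for key in expected if key not in triage]
    if missing:
        raise ValueError(f"triage response is missing keys: {missing}")
    return triage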