SoCMate is an AI-powered Security Operations Center (SOC) investigation platform. It enables security analysts to investigate incidents using natural language, automatically generating and executing KQL queries against Microsoft Sentinel while building a persistent knowledge graph of security entities and relationships.

Key Features

Natural Language Investigations

Ask questions in plain English. SoCMate translates them into optimized KQL queries, executes them against Sentinel, and returns structured investigation reports with risk scores, IOCs, and MITRE ATT&CK mappings.

Knowledge Graph

Every investigation enriches a persistent Neo4j knowledge graph of security entities — IPs, users, hosts, domains — and their relationships. Query the graph to discover connections across investigations.

Scheduled Investigations

Set up recurring investigations that run on a schedule. Monitor for brute force patterns, suspicious sign-ins, or anomalous network activity automatically, with notifications on findings.

Persona-Aware Reports

Get reports tailored to your role. SOC analysts receive technical IOCs, KQL queries, and MITRE mappings. CISOs receive executive summaries, business impact assessments, and compliance implications.

Real-Time Streaming

Watch investigations unfold in real time via Server-Sent Events. See each stage of the investigation pipeline — entity extraction, KQL generation, query execution, and summarization — as it happens.

Incident Sync

Automatically sync incidents from Microsoft Sentinel every 5 minutes. Enrich them with local notes, tags, and assignments. Launch investigations directly from incidents.

Architecture Overview

SoCMate is composed of four services that work together:

Service  | Technology            | Purpose
---------|-----------------------|--------------------------------------------------------------------------
Frontend | Next.js 15, React 19  | Web UI with chat interface, dashboards, and knowledge graph visualization
Backend  | FastAPI (Python 3.13) | API gateway handling auth, RBAC, search, and knowledge graph queries
Agent    | FastAPI (Python 3.13) | SOC investigation engine with a 9-state KQL state machine
Worker   | arq (Python 3.13)     | Background tasks for incident sync and scheduled investigations

How It Works

User Query                                    Investigation Report
    │                                                  ▲
    │  "Check IP 203.0.113.50                          │  Findings, entities,
    │   for malicious activity"                        │  risk scores, charts,
    │                                                  │  recommendations
    ▼                                                  │
┌──────────────────────────────────────────────────────────┐
│              KQL Agent State Machine (9 States)          │
│                                                          │
│  Intake → Entity Extraction → Intent → Planning →        │
│  KQL Generation → Execute → Assess Sufficiency →        │
│  Summarize → Finalize                                    │
│                                                          │
│  If evidence gaps found → loops back to Planning         │
└──────────────────────────────────────────────────────────┘
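The diagram above describes an agent loop: queries are generated from extracted entities, executed, and the pipeline returns to Planning when the evidence is insufficient. The sketch below is an added illustration of that control flow, not SoCMate's own agent code; the KQL templates, the loop bound, the risk scoring and the stand-in executor are all assumptions, and the executor returns constructed rows instead of calling Sentinel. The practitioner's point it makes explicit is that generated KQL is bound to validated entities and that the evidence-gap loop is capped, so an investigation cannot spin indefinitely.

```python
import ipaddress
import re
from typing import Callable

MAX_PLANNING_LOOPS = 3  # bound on the evidence-gap loop (assumed value)

# Candidate KQL per entity type; each loop back to Planning takes the next one (assumed set)
QUERY_PLANS = {"ip": [
    "SigninLogs | where IPAddress == '{v}' | summarize Failed=countif(ResultType != '0') by UserPrincipalName",
    "SecurityEvent | where IpAddress == '{v}' | summarize count() by EventID, Computer",
    "CommonSecurityLog | where SourceIP == '{v}' | summarize count() by DestinationPort",
]}

def extract_entities(question: str) -> list[tuple[str, str]]:
    """Entity Extraction: keep only tokens that parse as a valid IP address."""
    entities = []
    for token in re.findall(r"\S+", question):
        try:
            entities.append(("ip", str(ipaddress.ip_address(token.strip(",.;!?\"'()")))))
        except ValueError:
            continue
    return entities

def run_investigation(question: str, execute: Callable[[str], list[dict]]) -> dict:
    """Drive the pipeline; `execute` runs one KQL string and returns result rows."""
    trace, entities = ["intake", "entity_extraction", "intent"], extract_entities(question)
    intent = "ip_activity_review" if entities else "unknown"
    findings, loops, cursor = [], 0, 0
    while True:
        trace += ["planning", "kql_generation", "execute"]
        for kind, value in entities:
            if cursor < len(QUERY_PLANS[kind]):
                kql = QUERY_PLANS[kind][cursor].format(v=value)  # entity-bound query, not free text
                findings.append({"entity": value, "kql": kql, "rows": execute(kql)})
        trace.append("assess_sufficiency")
        loops, cursor = loops + 1, cursor + 1
        evidence = sum(len(f["rows"]) for f in findings)
        more_plans = any(cursor < len(QUERY_PLANS[k]) for k, _ in entities)
        if evidence > 0 or not more_plans or loops >= MAX_PLANNING_LOOPS:
            break  # enough evidence, nothing left to try, or loop bound reached
    trace += ["summarize", "finalize"]
    return {"intent": intent, "entities": entities, "findings": findings,
            "risk_score": min(100, 10 * evidence), "planning_loops": loops, "trace": trace}

def sample_executor(kql: str) -> list[dict]:
    """Constructed stand-in for Sentinel: SigninLogs is empty, SecurityEvent has hits."""
    return [{"EventID": 4625, "Computer": "srv01", "count_": 57}] if kql.startswith("SecurityEvent") else []

if __name__ == "__main__":
    print(run_investigation("Check IP 203.0.113.50 for malicious activity", sample_executor))
```

With the constructed executor the first pass finds no sign-in evidence, the agent loops back to Planning once, and the second query supplies the finding that ends the loop.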

Infrastructure

SoCMate integrates with Azure-native services in production:

Component       | Service
----------------|-----------------------------------------------------
Authentication  | Azure Entra ID (OAuth2 + RBAC)
Document Store  | Azure DocumentDB (vCore) via MongoDB API
Cache & Queue   | Azure Managed Redis
Knowledge Graph | Neo4j AuraDB
Search          | Azure AI Search (hybrid keyword + vector)
SIEM            | Microsoft Sentinel (KQL via Azure Monitor)
LLM Gateway     | LiteLLM Proxy to Azure OpenAI and other providers

Who Is SoCMate For?

  • SOC Analysts who need to investigate security incidents faster, with natural language instead of manually writing KQL queries
  • Security Engineers who want to automate recurring investigation patterns and build institutional knowledge
  • CISOs and Security Leaders who need executive-level visibility into security posture and investigation outcomes
  • Security teams looking to integrate AI-powered investigation into their existing SOAR workflows via API

Next Steps

Quickstart

Log in, run your first investigation, and explore the platform.

API Reference

Integrate SoCMate into your workflows with the REST API.