Security Event Intelligence Platform
End-to-end pipeline for collecting, enriching, and analysing Windows security events at scale. Sysmon events flow from Windows agents through Kafka into DynamoDB, where an LLM-powered analysis worker scores and classifies them in real time.
Model Context Protocol server. Exposes SEIP tools and resources to AI assistants, enabling agentic workflows over security event data.
LLM-powered analysis worker. Three-stage fingerprint pipeline (hash → semantic → Azure OpenAI) writes severity scores back to PostgreSQL.
Control panel for the Deep Mind worker pool. Shows KEDA scaling state and unprocessed event counts, and allows manual capacity overrides.
Unified LLM proxy. Routes chat requests to Azure OpenAI, Anthropic, and other providers. Tracks usage per model.
Reads Windows security events from Confluent Kafka and writes them to PostgreSQL. Entry point for all events into the pipeline.
Manages security event patterns, generates Lua noise filters via LLM, and uploads signed filter bundles to Azure Blob for hot-reload.
Azure cost analysis. Shows cost breakdowns by service category across the SEIP infrastructure.
Windows agent. Collects security events via Sysmon + Fluent Bit and streams them to Confluent Kafka.
Terraform IaC: AKS (NAP + KEDA scale-to-zero), PostgreSQL Flexible Server, ACR, Key Vault, VNet + NAT Gateway.
Architecture diagram (edge labels only survive): ingestion, analysis output, agentic access, noise suppression loop.