Argus — Agentic SOC Platform
Argus is an AI-native Security Operations Center (SOC) platform that unifies alert ingestion, incident investigation, detection engineering, and automated response under a single operational interface. Built for modern security teams, it replaces fragmented toolchains with a coherent, evidence-driven workflow powered by AI agents and a flexible SOAR engine.
Key Capabilities
| Capability | Description |
|---|---|
| Unified Alert Ingestion | Connects to Elasticsearch (ELK), EDR, SIEM, and other sources via a configurable data pipeline |
| AI-Assisted Investigation | Per-ticket AI assistant provides alert explanations, risk assessment, IOC extraction, and recommended actions |
| Detection Engineering | Sigma rule library with field mapping management, multi-backend publishing (Splunk, Elastic), and publish history audit |
| Automated Response (SOAR) | Visual workflow editor for no-code playbooks with scheduling, webhook triggers, and Prefect orchestration |
| SLA Tracking | Automatic MTTA / MTTI / MTTC / MTTR calculation with color-coded compliance indicators |
| Collaborative War Room | Per-ticket workspace for analyst notes, file evidence, handle logs, and AI-generated task lists |
| MCP Tool Framework | Extensible Model Context Protocol layer enabling AI agents to invoke external security tools at runtime |
Platform Architecture
```text
┌─────────────────────────────────────────────────────────┐
│                     Argus Platform                      │
├──────────────┬──────────────────┬───────────────────────┤
│  Frontend    │  Backend         │  Data Pipeline        │
│  (Next.js)   │  (Django REST)   │  ES → Orchestrator →  │
│  Port 3000   │  Port 8000       │  Correlation → Alerts │
└──────────────┴────────┬─────────┴───────────────────────┘
                        │
            ┌───────────┼───────────┐
            │           │           │
       PostgreSQL   AI Layer     Prefect
      (Data Store)    (OpenAI     (Workflow
                    compat.)      Engine)
```
The platform is fully containerized and deployable via Docker Compose. All three tiers — frontend, backend, and database — run as isolated services with well-defined network boundaries.
Module Index
| # | Module | Purpose |
|---|---|---|
| 1 | Overview | Platform introduction and navigation guide (this page) |
| 2 | Installation | Docker-based quick-start deployment |
| 3 | Dashboard | Real-time monitoring overview and alert statistics |
| 4 | Ticket Handling | Incident lifecycle management, SLA tracking, War Room, Workflows |
| 5 | Alerts | Alert ingestion, list view, triage, and correlation |
| 6 | Use Case Management | Sigma rule library, field mappings, publish history |
| 7 | Data Onboarding | ELK integration setup, Orchestrator scheduling, Correlation policy |
| 8 | Docker Deployment | Production-grade Docker Compose orchestration |
| 9 | AI Agent | AI assistant configuration, MCP tool management, Skills |
Quick Reference
| Item | Value |
|---|---|
| Platform URL | https://siem.seclink.info/ |
| Login Method | Internal Login (username / password) |
| Default Landing Page | Monitor → Overview (Dashboard) |
| Target Users | SOC Analysts, Detection Engineers, SIEM Administrators |
After login, the system lands on the Dashboard Overview. If no data source has been configured, all statistics display as zero. Start at Data Onboarding to connect your first source.