
Building a SOC Assistant CLI with GitHub Copilot to Detect Real Attack Patterns
This is a submission for the GitHub Copilot CLI Challenge.

In modern SOC environments, every second matters. What if Windows Security Events could be explained, mapped, classified, and correlated instantly — directly from your terminal?

What I Built

I built a Python-based SOC (Security Operations Center) Assistant CLI that helps analysts quickly understand Windows Security Events, map them to MITRE ATT&CK, assess severity, and follow recommended investigation steps — all from the command line.

In real-world SOC environments, analysts often waste time searching documentation to understand event IDs like 4625, 1102, or 4769. My goal was to reduce triage time and provide structured investigation guidance instantly.

This CLI tool:
Explains Windows Security Event IDs
Maps events to MITRE ATT&CK techniques and tactics
Assigns severity levels (LOW / MEDIUM / HIGH / CRITICAL)
Provides step-by-step investigation guidance
Detects attack patterns using event correlation
Works fully offline
Covers
Continue reading on Dev.to
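To make the feature list concrete, here is a small added example of the kind of event catalogue, ATT&CK mapping and correlation rule such a CLI can implement. It is illustrative code written for this page, not the author's project. The ATT&CK mappings for 4625, 1102 and 4769 are the standard ones; the severity levels, investigation steps, field names (event_id, time, user, src), the failure threshold and the time window are assumptions, and the event stream is constructed sample data.

```python
"""Minimal SOC assistant (added example, not the article's own code): explain a
Windows Security Event ID, map it to MITRE ATT&CK, and correlate a short event
stream for a "brute force followed by successful logon" pattern."""
import argparse
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event catalogue for the three IDs the article names. The ATT&CK technique
# and tactic are the standard mappings; severity and steps are assumptions.
EVENT_CATALOG = {
    4625: {
        "name": "An account failed to log on",
        "technique": "T1110 Brute Force",
        "tactic": "Credential Access",
        "severity": "MEDIUM",
        "steps": [
            "Check the failure reason / sub-status and the logon type",
            "Count failures per source address and target account",
            "Look for a following 4624 from the same source for that account",
        ],
    },
    1102: {
        "name": "The audit log was cleared",
        "technique": "T1070.001 Indicator Removal: Clear Windows Event Logs",
        "tactic": "Defense Evasion",
        "severity": "CRITICAL",
        "steps": [
            "Identify the account that cleared the log (Subject fields)",
            "Pull forwarded copies of the logs for the gap period from the SIEM",
            "Treat the host as potentially compromised and escalate",
        ],
    },
    4769: {
        "name": "A Kerberos service ticket was requested",
        "technique": "T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting",
        "tactic": "Credential Access",
        "severity": "LOW",
        "steps": [
            "Flag RC4 ticket encryption (0x17) requests for accounts with SPNs",
            "Count distinct services requested per user in a short window",
        ],
    },
}


def explain(event_id):
    """Return the catalogue entry for an event ID, or None if it is unknown."""
    return EVENT_CATALOG.get(event_id)


# Correlation rule (assumed thresholds): FAILURE_THRESHOLD or more 4625 events
# for one (user, source) pair inside WINDOW, followed by a 4624 for the same
# pair, is reported as a brute-force attempt that succeeded.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def detect_brute_force_success(events):
    """events: dicts with 'event_id', 'time' (ISO 8601), 'user', 'src'.
    Returns a list of findings, each tagged CRITICAL."""
    failures = defaultdict(list)  # (user, src) -> timestamps of 4625 events
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["src"])
        if ev["event_id"] == 4625:
            failures[key].append(t)
        elif ev["event_id"] == 4624:
            recent = [f for f in failures[key] if t - f <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append({
                    "pattern": "brute_force_then_success",
                    "technique": "T1110 Brute Force",
                    "severity": "CRITICAL",
                    "user": ev["user"], "src": ev["src"],
                    "failures": len(recent), "success_at": ev["time"],
                })
                failures[key] = []  # do not re-alert on the same burst
    return findings


# Constructed sample stream: six failures then a success for one service
# account, plus one unrelated failure/success pair that should not alert.
SAMPLE_EVENTS = [
    {"event_id": 4625, "time": f"2024-05-01T09:00:{s:02d}", "user": "svc_backup", "src": "10.0.0.5"}
    for s in (0, 10, 20, 30, 40, 50)
] + [
    {"event_id": 4624, "time": "2024-05-01T09:01:00", "user": "svc_backup", "src": "10.0.0.5"},
    {"event_id": 4625, "time": "2024-05-01T09:02:00", "user": "alice", "src": "10.0.0.9"},
    {"event_id": 4624, "time": "2024-05-01T09:02:30", "user": "alice", "src": "10.0.0.9"},
]


def main(argv=None):
    p = argparse.ArgumentParser(description="SOC assistant (example)")
    p.add_argument("event_id", nargs="?", type=int, help="Windows event ID to explain")
    args = p.parse_args(argv)
    if args.event_id is not None:
        print(json.dumps(explain(args.event_id) or {"error": "unknown event id"}, indent=2))
    else:  # no argument: correlate the built-in sample stream
        print(json.dumps(detect_brute_force_success(SAMPLE_EVENTS), indent=2))


if __name__ == "__main__":
    main()
```

Run it with an event ID (for example 1102) to print the catalogue entry as JSON, or with no argument to correlate the sample stream, which yields one CRITICAL finding for svc_backup; the single failure for alice stays below the threshold. Everything is in-process dictionaries, so the tool works offline as the article describes.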



