AI SOC Analyst Assistant: Chat with your SIEM n8n + MCP + Ollama Local AI | Wazuh SOC Automation

What if you could investigate alerts, get IOCs, and pull SIEM data just by asking questions in plain English? In this demo, I showcase a local SOC AI assistant that helps analysts investigate security data faster by querying alerts, vulnerabilities, agent health, compliance, and suspicious activity through a chat interface. The solution is built with n8n, a local Ollama-hosted LLM, and MCP tools connected to a SIEM, so data can be correlated and retrieved across multiple sources without manually navigating dashboards.

To make the demo realistic, I simulated attacks across Linux and Windows systems, including SSH brute force, persistence via systemd and cron, Mimikatz credential dumping, DCSync and Golden Ticket attacks, domain admin creation, and vulnerability exposure.

Throughout the demo, the assistant is used to:
- Summarize high-severity alerts
- Reconstruct multi-host attack chains
- Extract IOCs
- Review processes, ports, and agent health
- Assess risk and compliance posture
- Surface suspicious low-level activity

The goal is to augment investigations by quickly summarizing, correlating, and surfacing the information that matters, so the analyst can move into deeper investigation with better context.
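The tool layer behind such an assistant is what turns a plain-English question into a compact, correlated answer. As an added illustration (not code from the video or from n8n, Wazuh or Ollama), the block below shows the kind of logic an MCP tool could run on Wazuh alert documents before handing the result back to the LLM: filter by severity, build a per-host timeline, and extract IOCs. The alert field names (timestamp, agent.name, rule.level, rule.description, rule.mitre.id, data.srcip) follow the Wazuh alert document shape; the sample alerts themselves are constructed.

```python
"""Added example: tool-side logic an MCP server could expose to the n8n workflow's
LLM: filter Wazuh alerts by severity, build per-host timelines, extract IOCs."""
from collections import defaultdict

# Constructed sample alerts (not real data) in the wazuh-alerts-* document shape.
SAMPLE_ALERTS = [
    {"timestamp": "2024-05-01T10:02:11Z", "agent": {"name": "dmz-web01"}, "data": {"srcip": "203.0.113.45"},
     "rule": {"level": 10, "description": "sshd: brute force attempt", "mitre": {"id": ["T1110"]}}},
    {"timestamp": "2024-05-01T10:01:03Z", "agent": {"name": "dmz-web01"}, "data": {"srcip": "203.0.113.45"},
     "rule": {"level": 3, "description": "sshd: authentication failed", "mitre": {"id": []}}},
    {"timestamp": "2024-05-01T10:09:40Z", "agent": {"name": "dmz-web01"}, "data": {},
     "rule": {"level": 8, "description": "New systemd unit file created", "mitre": {"id": ["T1543.002"]}}},
    {"timestamp": "2024-05-01T10:31:05Z", "agent": {"name": "win-dc01"}, "data": {"srcip": "10.0.2.15"},
     "rule": {"level": 15, "description": "Mimikatz credential dumping", "mitre": {"id": ["T1003"]}}},
    {"timestamp": "2024-05-01T10:34:52Z", "agent": {"name": "win-dc01"}, "data": {},
     "rule": {"level": 12, "description": "DCSync replication request", "mitre": {"id": ["T1003.006"]}}},
]


def summarize_alerts(alerts, min_level=7):
    """Per-host timelines for alerts at or above min_level, plus the IOCs seen in
    them. Sorting by timestamp gives the LLM the event order on each host."""
    hosts, src_ips, techniques = defaultdict(list), set(), set()
    for a in alerts:
        rule = a["rule"]
        if rule["level"] < min_level:
            continue  # below the severity floor: noise for a first-pass summary
        hosts[a["agent"]["name"]].append(
            (a["timestamp"], rule["level"], rule["description"]))
        if a["data"].get("srcip"):
            src_ips.add(a["data"]["srcip"])
        techniques.update(rule["mitre"]["id"])
    return {"hosts": {h: sorted(t) for h, t in hosts.items()},
            "iocs": {"src_ips": sorted(src_ips), "techniques": sorted(techniques)}}


def render_for_llm(summary):
    """Compact text handed back as the tool result the model reasons over."""
    lines = []
    for host, timeline in summary["hosts"].items():
        lines.append(f"## {host}")
        lines += [f"- {ts} [level {lvl}] {desc}" for ts, lvl, desc in timeline]
    lines.append("## IOCs: ips=" + ",".join(summary["iocs"]["src_ips"])
                 + " techniques=" + ",".join(summary["iocs"]["techniques"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_for_llm(summarize_alerts(SAMPLE_ALERTS)))
```

Raising min_level narrows the summary to the critical chain only, which is the knob an analyst would turn when asking for "only the high-severity alerts".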
Stack: n8n • Ollama • Local LLM • MCP Server • Wazuh • Linux, Windows & Active Directory lab

------------------------------------------------------------------------------------------------

📌 Table of Contents
0:00 Summary – SOC Data Problem (3 Vs Overview)
1:04 Summary – AI SOC Assistant Overview
2:04 Architecture Overview – N8N + Ollama + SIEM Integration
3:03 Summary – Benefits of Running SOC AI Locally
4:01 Environment Overview – Demo Setup & Attack Simulation
5:01 Architecture Details – N8N Workflow & Chat Integration
6:03 Asset Inventory – All Registered Agents Overview
7:43 Health Check – Disconnected Agent Analysis
10:10 Endpoint Analysis – Running Processes on Endpoint
13:10 Network Exposure – Open Ports on AD Server
16:48 Alert Summary – Security Events (Last 6 Hours)
18:23 Critical Incident – Multi-Stage Attack Detection
20:23 Incident Breakdown – DMZ Server (Initial Access & Persistence)
23:06 Incident Breakdown – Windows Host (Mimikatz, DC Sync, Golden Ticket)
26:21 Indicators of Compromise – Full Environment IOC Summary
29:13 Incident Summary – Domain Compromise Overview
30:06 Recommended Actions – Incident Response Plan
32:38 Vulnerability Assessment – Critical CVEs Across Environment
37:12 Risk Assessment – DMZ Server (Score 100/100)
39:48 Compliance Status – NIST / CIS Benchmark Results
44:22 Threat Hunting – Low-Level Discovery Activity Analysis
50:36 Recommended Actions – Final Remediation Plan
51:43 Summary – AI SOC Assistant Value & Conclusion

#SOC #CyberSecurity #SIEM #ThreatHunting #BlueTeam #n8n #Ollama #LLM #DFIR #SecurityOperations #aichatbot #ai