Enhancing SOC: Wazuh Security Event Response with RAG-Driven Copilot
Abstract
As cyber threats grow increasingly sophisticated, Security Operations Centers (SOCs) need more efficient and intelligent response tools to manage and mitigate incidents effectively. Organizations have adopted comprehensive frameworks to strengthen their cybersecurity posture, notably the National Institute of Standards and Technology (NIST) Cybersecurity Framework and MITRE's ATT&CK framework. However, mapping real-time security events onto these frameworks, and then responding and mitigating accordingly, remains challenging. To address this, we developed a Security Event Response Copilot (SERC) that guides security analysts in responding to and mitigating security breaches more effectively. SERC consists of two components: Security Event Data Extraction using Retrieval-Augmented Generation (RAG), and LLM-based Incident Response Guidance. Both components are integrated with Wazuh as the Security Information and Event Management (SIEM) platform that captures security events from the monitored endpoints. By combining Wazuh's monitoring capabilities with the structured intelligence of MITRE ATT&CK, the system identifies the adversarial tactics, techniques, and procedures (TTPs) relevant to each security event, while NIST guidance keeps the recommended handling aligned with incident response best practice. Using the RAG approach, the Copilot retrieves context-specific information from historical and real-time data sources, improving the generation of actionable insights and response recommendations. The RAG data sources are organized into three vector database collections: (1) general incident response knowledge, covering a range of cybersecurity platforms; (2) the NIST Cybersecurity Framework (CSF) 2.0, which offers a lifecycle approach to managing cybersecurity issues; and (3) the MITRE ATT&CK framework, used to identify the tactics and techniques associated with the incident.
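To make the retrieval step concrete, the following is an added example (not the SERC authors' code): a minimal, offline RAG retrieval layer that takes a Wazuh alert, queries the three collections named above, and assembles the grounded prompt that the LLM guidance component would receive. Assumptions that are not from the paper: the alert field names follow the Wazuh 4.x alert schema (`rule.id`, `rule.description`, `rule.mitre.id`/`technique`/`tactic`, `full_log`); the alert and the knowledge snippets are constructed for illustration (the CSF 2.0 category IDs and ATT&CK technique IDs are real, their texts are short paraphrases); and similarity is a term-frequency cosine with a small stop-word list instead of an embedding model, so it runs with the standard library only. One design choice worth copying: the ATT&CK collection is looked up by the technique IDs Wazuh already attaches to the rule, with vector similarity only as a fallback, since an exact ID match is more reliable than a semantic one.

```python
"""Added example: Wazuh-alert-driven retrieval over three knowledge collections."""
import json
import math
import re
from collections import Counter

# Constructed Wazuh-style alert (shape follows the Wazuh 4.x alert schema; values are made up).
SAMPLE_ALERT = json.loads("""
{"rule": {"id": "5763", "level": 10,
          "description": "sshd: brute force trying to get access to the system.",
          "mitre": {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]}},
 "agent": {"name": "web-01"},
 "data": {"srcip": "203.0.113.7"},
 "full_log": "Failed password for invalid user admin from 203.0.113.7 port 51102 ssh2"}
""")

# Constructed snippets, one list per collection (IDs are real CSF 2.0 / ATT&CK IDs, texts are paraphrased).
COLLECTIONS = {
    "general_ir": [
        {"id": "ir-ssh-bruteforce", "text": "SSH brute force response: block the source IP at the host firewall, review auth logs for any successful login after the failures, and rotate credentials of targeted accounts."},
        {"id": "ir-web-defacement", "text": "Web defacement response: restore content from known-good backup and review web server access logs."},
        {"id": "ir-ransomware", "text": "Ransomware response: isolate affected hosts, preserve volatile memory and identify the encryption strain before restoring."},
    ],
    "nist_csf": [
        {"id": "PR.AA", "text": "Protect, Identity Management, Authentication and Access Control: access to assets is limited to authorized users, and credential and account lifecycles are managed."},
        {"id": "DE.CM", "text": "Detect, Continuous Monitoring: assets and user activity are monitored to find failed authentication attempts and other potentially adverse events."},
        {"id": "RS.MI", "text": "Respond, Incident Mitigation: incidents are contained and eradicated, for example by blocking the attacking source and disabling compromised accounts."},
        {"id": "GV.OC", "text": "Govern, Organizational Context: the mission, stakeholders and legal requirements shaping cybersecurity risk management are understood."},
    ],
    "mitre_attack": [
        {"id": "T1110", "text": "Brute Force (Credential Access): adversaries may use brute force techniques to gain access to accounts when passwords are unknown or hashed. Mitigations include account lockout, multi-factor authentication and password policies."},
        {"id": "T1078", "text": "Valid Accounts: adversaries may obtain and abuse credentials of existing accounts for initial access, persistence or privilege escalation."},
    ],
}

STOP = {"the", "a", "an", "to", "of", "for", "from", "and", "or", "is", "are", "its",
        "at", "on", "in", "by", "with", "may", "be", "any", "other", "this", "that"}


def tokenize(text):
    """Lower-case word tokens with stop words removed (stand-in for an embedding model)."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP]


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(collection, query, k=2):
    """Top-k documents by term-frequency cosine; zero-overlap documents are dropped."""
    q = Counter(tokenize(query))
    scored = [(cosine(q, Counter(tokenize(d["text"]))), d) for d in collection]
    scored.sort(key=lambda s: s[0], reverse=True)
    return [d for score, d in scored[:k] if score > 0]


def alert_query(alert):
    """Build the retrieval query from the rule description, ATT&CK names and raw log line."""
    rule = alert["rule"]
    mitre = rule.get("mitre", {})
    return " ".join([rule["description"], *mitre.get("technique", []),
                     *mitre.get("tactic", []), alert.get("full_log", "")])


def retrieve_attack(collection, alert, k=2):
    """ATT&CK lookup keyed on the technique IDs Wazuh attached to the rule; semantic fallback otherwise."""
    wanted = set(alert["rule"].get("mitre", {}).get("id", []))
    exact = [d for d in collection if d["id"] in wanted]
    return exact[:k] if exact else retrieve(collection, alert_query(alert), k)


def build_context(alert, collections=COLLECTIONS, k=2):
    query = alert_query(alert)
    return {
        "general_ir": retrieve(collections["general_ir"], query, k),
        "nist_csf": retrieve(collections["nist_csf"], query, k),
        "mitre_attack": retrieve_attack(collections["mitre_attack"], alert, k),
    }


def build_prompt(alert, hits):
    """Grounded prompt: the model is told to use only the retrieved context."""
    lines = ["You are a SOC incident response copilot. Using only the context below, give prioritised response steps.",
             f"ALERT: rule {alert['rule']['id']} on {alert['agent']['name']}: {alert['rule']['description']}",
             f"LOG: {alert.get('full_log', '')}"]
    for name, docs in hits.items():
        lines.append(f"[{name}]")
        lines.extend(f"- ({d['id']}) {d['text']}" for d in docs)
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_prompt(SAMPLE_ALERT, build_context(SAMPLE_ALERT)))
```

Replacing `tokenize`/`cosine` with an embedding model and the in-memory lists with a vector store keeps the rest of the flow unchanged; the ID-keyed ATT&CK lookup and the "use only the context below" instruction are the parts that matter for keeping the guidance tied to what the SIEM actually observed.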
The complementary use of NIST's strategic breadth and MITRE's tactical detail allows organizations to build a multi-layered defense that integrates high-level risk management with actionable intelligence. To evaluate the approach, we conducted an end-to-end simulation and assessed the RAG output using a semantic coherence measure; alongside this, we also measured the end-to-end task completion rate. Overall, this work demonstrates the potential of combining structured threat intelligence frameworks with large language models to meet the dynamic needs of SOCs in a rapidly changing cybersecurity environment.