🛡️ Cisco Security - Incident Response AI
Spring Boot + Spring AI + Custom MCP Server
An agentic AI system that autonomously monitors Cisco ISE security logs, analyzes threats with an LLM, and proposes sandboxed firewall rules, all coordinated through a custom MCP (Model Context Protocol) server.
Architecture
```
                ┌───────────────────────────────────────┐
                │         REST API + SSE Stream         │
                │  POST /api/incidents/trigger          │
                │  GET  /api/incidents/stream           │
                │  GET  /api/incidents/{id}             │
                │  POST /api/incidents/{id}/approve     │
                └───────────────────┬───────────────────┘
                                    │
                     ┌──────────────┴──────────────┐
                     │  IncidentResponseWorkflow   │ (Orchestrator)
                     └──────────────┬──────────────┘
                                    │ Sequential Pipeline
               ┌────────────────────┼────────────────────┐
               │                    │                    │
       ┌───────┴───────┐    ┌───────┴───────┐    ┌───────┴───────┐
       │    MONITOR    │    │   ANALYZER    │    │  REMEDIATOR   │
       │    Agent 1    │───▶│    Agent 2    │───▶│    Agent 3    │
       │               │    │               │    │               │
       │ Scan ISE      │    │ FP detect     │    │ Sandbox rule  │
       │ logs via      │    │ + LLM         │    │ + block IP    │
       │ MCP tool      │    │ reasoning     │    │ via MCP       │
       └───────┬───────┘    └───────┬───────┘    └───────┬───────┘
               │                    │                    │
               └────────────────────┴────────────────────┘
                                    │ MCP Tool Calls
                 ┌──────────────────┴──────────────────┐
                 │       CiscoIseMcpServer (MCP)       │
                 │   @Tool getSecurityLogs()           │
                 │   @Tool getEndpointStatus()         │
                 │   @Tool blockEndpoint()             │
                 │   @Tool testRuleInSandbox()         │
                 │   @Tool getActivePolicies()         │
                 └──────────────────┬──────────────────┘
                                    │
                       ┌────────────┴────────────┐
                       │    Anthropic Claude     │
                       │    (claude-sonnet-4)    │
                       │      via Spring AI      │
                       └─────────────────────────┘
```
Project Structure
```
incident-response-ai/
├── pom.xml
└── src/main/java/com/security/incident/
    ├── IncidentResponseApplication.java      ← Spring Boot entry point
    │
    ├── mcp/
    │   ├── service/
    │   │   ├── CiscoIseMcpServer.java        ← MCP Server wrapper
    │   │   ├── CiscoIseClient.java           ← [NEW] Gateway interface
    │   │   └── RestCiscoIseClient.java       ← [NEW] Real REST API impl
    │   └── model/
    │       ├── LogEntry.java                 ← ISE log event model
    │       └── SecurityModels.java           ← Endpoint/Block/Sandbox models
    │
    ├── agents/
    │   ├── MonitorAgent.java                 ← Agent 1: Log scanning
    │   ├── AnalyzerAgent.java                ← Agent 2: Threat analysis
    │   └── RemediatorAgent.java              ← Agent 3: Rule + block
    │
    ├── workflow/
    │   ├── IncidentResponseWorkflow.java     ← Pipeline orchestrator
    │   └── IncidentReport.java               ← Shared state carrier
    │
    ├── events/
    │   └── AgentEvent.java                   ← SSE broadcast events
    │
    ├── config/
    │   └── AgentConfig.java                  ← Spring AI + MCP wiring
    │
    └── controller/
        └── IncidentController.java           ← REST + SSE endpoints
```
Tech Stack
| Component | Technology |
|---|---|
| Framework | Spring Boot 3.3 + Java 21 |
| AI Orchestration | Spring AI 1.0.0 |
| LLM | Anthropic Claude (claude-sonnet-4) |
| HTTP Client | Spring RestClient (modern & fluent) |
| MCP Server | Spring AI MCP Server Starter |
| MCP Protocol | @Tool annotations + stdio/SSE |
| Streaming | Spring MVC SSE (SseEmitter) |
| Build | Maven |
Setup & Run
1. Prerequisites
- Java 21+
- Maven 3.9+
- Anthropic API Key
2. Set your API key
```bash
export ANTHROPIC_API_KEY=sk-ant-...
```
3. Build & run
```bash
cd incident-response-ai
mvn clean package -DskipTests
java -jar target/incident-response-ai-1.0.0.jar
```
API Usage
Trigger the 3-agent pipeline
```bash
curl -X POST http://localhost:8080/api/incidents/trigger
```
Response:
```json
{
  "status": "PIPELINE_STARTED",
  "message": "Incident response pipeline is running...",
  "stream": "/api/incidents/stream"
}
```
Watch real-time SSE events (in another terminal)
```bash
curl -N http://localhost:8080/api/incidents/stream
```
You'll see events like:
```
event: agent-event
data: {"agent":"MonitorAgent","status":"STARTED","message":"Scanning Cisco ISE logs..."}

event: agent-event
data: {"agent":"MonitorAgent","status":"COMPLETED","message":"Found 2 suspicious IPs: [185.220.101.47, 198.199.67.82]"}

event: agent-event
data: {"agent":"AnalyzerAgent","status":"STARTED","message":"Analyzing IP 185.220.101.47..."}

event: agent-event
data: {"agent":"RemediatorAgent","status":"COMPLETED","message":"Sandbox APPROVED, block applied, rollback: RBK-1002"}
```
Get incident report
```bash
curl http://localhost:8080/api/incidents/INC-ABC12345
```
Approve the AI's recommended remediation (human-in-the-loop)
```bash
curl -X POST http://localhost:8080/api/incidents/INC-ABC12345/approve
```
Agent Decision Logic
```
MonitorAgent
  │ Calls: getSecurityLogs(50, "ALL")
  │ Flags IPs with: auth_attempts > 5, EventType IN [BRUTE_FORCE, PORT_SCAN...]
  ▼
Suspicious IPs found?
  ├── NO  → Close incident: CLEAN
  └── YES ▼
AnalyzerAgent
  │ Calls: getEndpointStatus(primaryIp)
  │ LLM evaluates: threat score, posture, compliance tags, ISE profile
  ▼
Verdict?
  ├── FALSE_POSITIVE   → Close: FALSE_POSITIVE (no action)
  ├── confidence < 0.6 → Close: ESCALATED (human SOC review)
  └── GENUINE_THREAT   ▼
RemediatorAgent
  │ Designs FTD block rule
  │ Calls: testRuleInSandbox(...)
  │ Sandbox result?
  │   ├── REJECT / false_positives found → DEFERRED (human review)
  │   └── APPROVE ▼
  │ Calls: blockEndpoint(ip, reason, QUARANTINE)
  ▼
Status: AWAITING_APPROVAL
(human must call /approve to push to production)
```
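The decision flow above, folded into one deterministic Java function so the gates can be unit-tested without an LLM in the loop (an added example, not the project's own code; `IseEvent`, `Verdict`, `SandboxResult`, `Outcome` and the sample values are constructed assumptions). It goes one step beyond the flow by failing closed on any verdict label other than the two the flow names:

```java
import java.util.List;
import java.util.Set;

// Added example, not the project's code: the gates of the decision flow above as one
// deterministic function. The record and enum names are assumptions, not the project's types.
public class IncidentDecisionExample {
    enum Outcome { CLEAN, FALSE_POSITIVE, ESCALATED, DEFERRED, AWAITING_APPROVAL }

    // One ISE log row per source IP (constructed shape; the project's LogEntry may differ)
    record IseEvent(String ip, int authAttempts, String eventType) {}
    // The AnalyzerAgent's LLM output, parsed into a typed value
    record Verdict(String label, double confidence) {}
    // What testRuleInSandbox() reports for a proposed block rule
    record SandboxResult(boolean approved, List<String> falsePositives) {}

    static final Set<String> HOSTILE_TYPES = Set.of("BRUTE_FORCE", "PORT_SCAN");
    static final double MIN_CONFIDENCE = 0.6;

    // MonitorAgent gate: auth_attempts > 5 or an explicitly hostile event type
    static boolean isSuspicious(IseEvent e) {
        return e.authAttempts() > 5 || HOSTILE_TYPES.contains(e.eventType());
    }

    // Pipeline state machine: every path except CLEAN and FALSE_POSITIVE ends with a human decision
    static Outcome decide(List<IseEvent> events, Verdict verdict, SandboxResult sandbox) {
        if (events.stream().noneMatch(IncidentDecisionExample::isSuspicious)) return Outcome.CLEAN;
        if ("FALSE_POSITIVE".equals(verdict.label())) return Outcome.FALSE_POSITIVE;
        // Fail closed: low confidence, or any label other than GENUINE_THREAT, goes to SOC review
        if (!"GENUINE_THREAT".equals(verdict.label()) || verdict.confidence() < MIN_CONFIDENCE)
            return Outcome.ESCALATED;
        // A sandbox REJECT, or collateral matches on benign hosts, defers the rule to a human
        if (!sandbox.approved() || !sandbox.falsePositives().isEmpty()) return Outcome.DEFERRED;
        // Only here is blockEndpoint(ip, reason, QUARANTINE) called, and it still waits for /approve
        return Outcome.AWAITING_APPROVAL;
    }

    public static void main(String[] args) {
        // Constructed sample: the first IP matches the SSE sample above, the second is a benign host
        var events = List.of(new IseEvent("185.220.101.47", 12, "BRUTE_FORCE"),
                             new IseEvent("10.0.0.5", 1, "AUTH_OK"));
        var confident  = new Verdict("GENUINE_THREAT", 0.92);
        var unsure     = new Verdict("GENUINE_THREAT", 0.41);
        var cleanRule  = new SandboxResult(true, List.of());
        var collateral = new SandboxResult(true, List.of("10.0.0.5"));
        System.out.println("confident + clean sandbox : " + decide(events, confident, cleanRule));
        System.out.println("low confidence            : " + decide(events, unsure, cleanRule));
        System.out.println("sandbox hits benign host  : " + decide(events, confident, collateral));
    }
}
```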
MCP Server Tools
The CiscoIseMcpServer exposes 5 tools via @Tool annotations:
| Tool | Description |
|---|---|
| getSecurityLogs | RADIUS/TACACS log stream with auth events |
| getEndpointStatus | ISE endpoint profile + posture + threat score |
| blockEndpoint | Quarantine via ISE CoA + assign quarantine VLAN |
| testRuleInSandbox | Validate FTD ACL rule against simulated traffic |
| getActivePolicies | List ISE AuthZ policies + FTD ACL rules |
These tools are auto-registered by Spring AI's MCP Server Starter and available:
- In-process: via `MethodToolCallbackProvider` (used by agents in this app)
- Via MCP stdio: any external MCP client (Claude Desktop, etc.) can connect
Extending to Production
| Area | Implementation Status |
|---|---|
| Cisco ISE | ✅ Implemented via RestCiscoIseClient (ERS API) |
| Firewall | Integrate with Cisco FMC REST API for real FTD rule pushes |
| Persistence | Replace in-memory store with PostgreSQL or Redis |
| Auth | Add OAuth2/JWT to the REST API |
| Notifications | Add PagerDuty / Slack webhooks on ESCALATED status |
| Audit log | Write to Splunk or Elastic for SIEM integration |
Learning Outcomes (SDE Transition)
This project demonstrates:
- ✅ Spring Boot 3: REST APIs, SSE streaming, async processing
- ✅ Spring AI: ChatClient, tool calling, agentic loops
- ✅ MCP Protocol: Custom server with @Tool annotations
- ✅ Agent Design Patterns: Monitor → Analyze → Remediate pipeline
- ✅ Human-in-the-loop: Safety gate before production changes
- ✅ Domain-Driven Design: Rich domain model (IncidentReport)
- ✅ Event-Driven: ApplicationEventPublisher + @EventListener
