Multi-Provider LLM Support with Manual Analysis API #1971

@Kbayero

Description

Describe the feature

Enable SOC-AI plugin to work with multiple LLM providers (OpenAI, Anthropic, Ollama, Azure, custom) instead of being hardcoded to OpenAI. Additionally, expose an HTTP API endpoint for manual alert analysis submissions, independent of the automatic gRPC pipeline.

Use Case

  • Organizations using Anthropic Claude or self-hosted Ollama instead of OpenAI
  • Security analysts who need to manually submit specific alerts for AI analysis
  • Environments where automatic analysis is disabled but on-demand analysis is needed
  • Teams requiring custom LLM endpoints with specific authentication headers

Proposed Solution

  1. Generic LLM configuration: URL, model, authType (custom-headers/none), maxTokens, customHeaders
  2. Auto-detect provider from URL (e.g., "anthropic.com" → Anthropic format)
  3. Support different request/response formats per provider
  4. Add HTTP API server on port 8090:
    • POST /api/v1/analyze - Submit alert for analysis (async)
    • GET /health - Health check
    • GET /api/v1/metrics - API metrics
  5. AutoAnalyze config flag to enable/disable automatic processing (manual API always works)

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
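The five points of the proposal, sketched as Go code so the moving parts (generic config, provider detection from the URL, per-provider request shapes, the header gate, and the asynchronous manual-analysis endpoint) can be seen together. This is an added example, not code from the issue or from the SOC-AI plugin: every type, function and field name (Provider, LLMConfig, DetectProvider, BuildBody, AuthHeaders, AnalyzeServer) is assumed, the host-suffix rules, the 1 MiB body cap and the 256-entry queue are choices made for the example, and the alert bodies used to exercise it are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// Provider names the request/response wire format an endpoint speaks.
type Provider string

const (
	ProviderOpenAI    Provider = "openai"
	ProviderAnthropic Provider = "anthropic"
	ProviderOllama    Provider = "ollama"
	ProviderAzure     Provider = "azure"
	ProviderCustom    Provider = "custom"
)

// LLMConfig carries the generic fields from the proposal; these Go names are assumptions.
type LLMConfig struct {
	URL, Model, AuthType string // AuthType is "custom-headers" or "none"
	MaxTokens            int
	CustomHeaders        map[string]string
	AutoAnalyze          bool // gates only the automatic gRPC path; the manual API ignores it
}

// DetectProvider infers the provider from the URL host ("anthropic.com" -> Anthropic);
// unrecognised hosts fall back to the OpenAI-compatible "custom" format.
func DetectProvider(raw string) (Provider, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", errors.New("LLM URL must be an absolute http(s) URL")
	}
	host := strings.ToLower(u.Hostname())
	switch {
	case host == "anthropic.com" || strings.HasSuffix(host, ".anthropic.com"):
		return ProviderAnthropic, nil
	case strings.HasSuffix(host, ".openai.azure.com"):
		return ProviderAzure, nil
	case host == "openai.com" || strings.HasSuffix(host, ".openai.com"):
		return ProviderOpenAI, nil
	case u.Port() == "11434": // Ollama's default listener
		return ProviderOllama, nil
	}
	return ProviderCustom, nil
}

// BuildBody returns the provider-specific JSON body for one prompt.
func BuildBody(p Provider, cfg LLMConfig, prompt string) map[string]any {
	if p == ProviderOllama { // /api/generate shape: flat prompt, non-streaming
		return map[string]any{"model": cfg.Model, "prompt": prompt, "stream": false}
	}
	// Chat-completions shape; Anthropic's Messages API takes the same fields and differs only in headers.
	return map[string]any{"model": cfg.Model, "max_tokens": cfg.MaxTokens,
		"messages": []map[string]string{{"role": "user", "content": prompt}}}
}

// AuthHeaders returns the headers to attach; customHeaders are honoured only when
// authType is "custom-headers", so a config set to "none" can never leak credentials.
func AuthHeaders(cfg LLMConfig) http.Header {
	h := http.Header{"Content-Type": {"application/json"}}
	if cfg.AuthType == "custom-headers" {
		for k, v := range cfg.CustomHeaders {
			h.Set(k, v)
		}
	}
	return h
}

// AnalyzeServer is the manual-submission API: alerts are queued for a worker, not analysed inline.
type AnalyzeServer struct{ Queue chan json.RawMessage }

// HandleAnalyze serves POST /api/v1/analyze: validate the JSON, enqueue, answer 202 at once.
func (s *AnalyzeServer) HandleAnalyze(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var alert json.RawMessage // kept opaque: the worker, not the API, interprets the alert
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&alert); err != nil {
		http.Error(w, "invalid JSON alert", http.StatusBadRequest)
		return
	}
	select {
	case s.Queue <- alert:
		w.WriteHeader(http.StatusAccepted)
	default: // bounded queue is full: signal back-pressure instead of dropping silently
		http.Error(w, "analysis queue full", http.StatusServiceUnavailable)
	}
}

func main() {
	s := &AnalyzeServer{Queue: make(chan json.RawMessage, 256)}
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/analyze", s.HandleAnalyze)
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	mux.HandleFunc("/api/v1/metrics", func(w http.ResponseWriter, _ *http.Request) { json.NewEncoder(w).Encode(map[string]int{"queued": len(s.Queue)}) })
	http.ListenAndServe("127.0.0.1:8090", mux) // loopback only: the proposal defines no auth for this API
}
```

Two design points worth noting. The proposal does not say how the port 8090 API is authenticated, so the example binds to loopback; if the endpoint must be reachable from analyst workstations it needs an authentication layer in front of it, since anyone who can reach it can feed arbitrary alerts into the LLM pipeline. The bounded queue plus 503 on overflow keeps a burst of manual submissions from consuming unbounded memory, and the 1 MiB cap does the same for a single oversized alert. The customHeaders map holds the provider credentials, so it should be excluded from any debug logging of the effective configuration.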

Metadata

Labels

  • go - Pull requests that update go code
  • java - Pull requests that update java code
  • javascript - Pull requests that update javascript code

Projects

Status

🏗 In progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests