Aakash02A/SentinelX

GitHub: Aakash02A/SentinelX

一个云原生 AI-SOC 平台，提供实时威胁检测、端点保护和自动化事件响应能力。

Stars: 5 | Forks: 0

# SentinelX AI-SOC [![CI](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/636828a391120503.svg)](https://github.com/Aakash02A/Personal-Firewall/actions) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) [![Python](https://img.shields.io/badge/Python-3.12-blue)](https://python.org) [![Next.js](https://img.shields.io/badge/Next.js-15-black)](https://nextjs.org) ## 概述 SentinelX AI-SOC 是一个企业级、云原生的安全平台，它结合了： | 功能 | 技术 | |-----------|-----------| | **SIEM** | OpenSearch + OpenSearch Dashboards | | **EDR** | Python/Rust 端点 agent | | **基于规则的检测** | Sigma + YARA + IOC 匹配 | | **ML 检测** | Isolation Forest + XGBoost | | **威胁情报** | VirusTotal, AbuseIPDB, AlienVault OTX, MISP, NVD | | **AI SOC 分析师** | LangGraph + GPT-4o | | **自动化响应** | 终止进程，隔离，封锁 IP，隔离主机 | | **可观测性** | Prometheus + Grafana + OpenTelemetry | ## 架构 ``` ┌──────────────────────────────────────────────────────────────────────┐ │ Endpoint Agents (Python / Rust) │ │ Process Monitor │ File Monitor │ Network Monitor │ Registry Monitor │ └───────────────────────────────┬──────────────────────────────────────┘ │ HTTPS + JWT ▼ ┌─────────────────────┐ │ API Gateway │ (NGINX / Kong) │ Port 8080 │ └──────┬──────────────┘ │ ┌────────────┼────────────────────────┐ ▼ ▼ ▼ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ Auth │ │Telemetry │ │ Other APIs │ │ :8000 │ │ :8001 │ │ :8002-8007 │ └──────────┘ └────┬─────┘ └──────────────┘ │ Kafka ┌───────────┼──────────────────────┐ ▼ ▼ ▼ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ Rule │ │ ML │ │ Threat Intel│ │ Engine │ │ Engine │ │ Service │ └─────┬────┘ └────┬─────┘ └──────┬───────┘ └───────────┴──────────────────────┘ │ Kafka (alerts topic) ▼ ┌───────────────┐ │ Alert Engine │ ← Correlation + Scoring └───────┬───────┘ │ ┌───────────┼─────────────────┐ ▼ ▼ ▼ ┌──────────┐ ┌──────────┐ ┌─────────────┐ │Response │ │ AI SOC │ │ Dashboard │ │ Engine │ │ Analyst │ │ (Next.js) │ └──────────┘ └──────────┘ └─────────────┘ ``` ## 项目结构 ``` sentinelx/ ├── .github/workflows/ # GitHub Actions CI/CD ├── backend/ │ ├── shared/ # Shared Python library (DB, Kafka, JWT, models) │ └── services/ │ ├── auth/ # JWT + OAuth2 + MFA + RBAC │ ├── telemetry/ # Agent event ingestion → Kafka │ ├── rule-engine/ # Sigma + YARA + IOC detection │ ├── ml-engine/ # Isolation Forest + XGBoost │ ├── threat-intel/ # VirusTotal, AbuseIPDB, OTX, MISP, NVD │ ├── alert-engine/ # Correlation + scoring + incidents │ ├── response-engine/ # Automated response actions │ └── ai-analyst/ # LangGraph SOC analyst ├── frontend/ # Next.js 15 + TypeScript + Tailwind + ShadCN ├── agent/ │ ├── python/ # Python MVP agent (psutil + watchdog) │ └── rust/ # Rust agent (Phase 2) ├── infra/ │ ├── terraform/ # AWS infrastructure (VPC, EKS, RDS, etc.) │ └── k8s/ # Kubernetes manifests ├── ml/ # Notebooks, datasets, model artifacts ├── docs/ # Architecture + API docs ├── docker-compose.yml # Full local dev stack ├── Makefile # Developer commands └── .env.example # All environment variables documented ``` ## 快速开始 ### 前置条件 - Docker + Docker Compose - Node.js 20+ - Python 3.12+ ### 1. 克隆并配置 ``` git clone https://github.com/Aakash02A/sentinelX.git cd SentinelX make setup # copies .env.example → .env # 使用你的 API keys 编辑 .env ``` ### 2. 启动整个技术栈 ``` make dev # Dashboard: http://localhost:3000 # API Gateway: http://localhost:8080 # Kafka UI: http://localhost:8090 # Grafana: http://localhost:3001 (admin/admin) ``` ### 3. 安装并运行 Agent ``` cd agent/python pip install -e . sentinelx-agent ``` ## 微服务 | 服务 | 端口 | 描述 | |---------|------|-------------| | Auth | 8000 | JWT, OAuth2, MFA, RBAC | | Telemetry | 8001 | Agent 事件摄取 | | Rule Engine | 8002 | Sigma/YARA/IOC 检测 | | ML Engine | 8003 | 异常 + 恶意软件检测 | | Threat Intel | 8004 | IOC 富化源 | | Alert Engine | 8005 | 关联 + 评分 | | Response Engine | 8006 | 自动化响应 | | AI Analyst | 8007 | LangGraph SOC agent | | Frontend | 3000 | Next.js dashboard | | Gateway | 8080 | NGINX API gateway | ## 检测能力 ### 基于规则的 (Sigma + YARA + IOC) - PowerShell 滥用 (T1059.001) - LOLBin 执行 - 勒索软件扩展名模式 (T1486) - 注册表持久化 (T1547) - 凭据转储 (T1003) - C2 信标检测 ### 机器学习 - 异常检测 (Isolation Forest) - 恶意软件分类 (XGBoost) - 综合威胁评分 (0–100) ### 威胁情报 - IP、domain、hash、URL IOC 匹配 - CVE 漏洞关联 - 实时源更新 ## 技术栈 | 层级 | 技术 | |-------|-----------| | 后端 | FastAPI, Python 3.12, SQLAlchemy 2.0 | | 数据库 | MySQL 8.3 (主要), OpenSearch (SIEM) | | 缓存 | Redis 7.2 | | 流处理 | Apache Kafka | | 前端 | Next.js 15, TypeScript, Tailwind CSS, ShadCN UI | | AI | LangGraph, LangChain, GPT-4o | | ML | scikit-learn, XGBoost, LightGBM | | Agent | Python (psutil, watchdog) / Rust (计划中) | | 基础设施 | Kubernetes, Terraform, AWS EKS | | 可观测性 | Prometheus, Grafana, OpenTelemetry, Jaeger | | 安全 | JWT, MFA (TOTP), RBAC, TLS 1.3, Vault | | DevSecOps | GitHub Actions, Trivy, Semgrep, Gitleaks | ## 开发 ``` make test # Run all service tests make lint # Lint all Python services make format # Auto-format all Python make test-service s=auth # Test a single service make logs # Tail all container logs make migrate # Run DB migrations ``` ## 路线图 - **阶段 1 (MVP)** — Auth, Agent, Telemetry, Rule Engine, Dashboard, Alerting - **阶段 2** — 威胁情报，ML 检测，自动化响应 - **阶段 3** — AI SOC 分析师，威胁狩猎，事件响应 - **阶段 4** — 多租户 SaaS, SOAR, 企业合规 ## 许可证 MIT License — 详情请见 [LICENSE](LICENSE)

标签：AI-SOC, AMSI绕过, DNS 反向解析, EDR, IP 地址批量处理, 可视化界面, 威胁检测, 子域名突变, 安全运营, 扫描框架, 搜索引擎查询, 无线安全, 网络信息收集, 脆弱性评估, 自动响应, 自定义请求头, 软件成分分析, 逆向工具