st-mn/autodr
GitHub: st-mn/autodr
AUTODR is an automated threat hunting and incident response platform that combines machine learning with SOAR orchestration; it pulls data from Wazuh, Splunk and other sources for intelligent detection and automated remediation.
Stars: 0 | Forks: 0
# AUTODR: Automated Threat Hunting and Incident Response on Vertex AI
**AUTODR** is a machine-learning-driven security orchestration and automated response platform that unifies threat detection, hunting, investigation and remediation in one coherent system. By integrating established security tools (Wazuh and MISP, with Splunk and CrowdStrike optional) with Google Vertex AI machine learning, Shuffle SOAR orchestration and DFIR-IRIS case management, AUTODR turns reactive security operations into proactive, intelligent defence.
## Core Capabilities
### AI-Driven Threat Detection
AUTODR uses **Google Vertex AI** for advanced machine-learning analysis to improve detection accuracy and reduce false positives:
- **Anomaly detection**: unsupervised learning identifies abnormal patterns in network traffic, user behaviour and system activity
- **Threat classification**: supervised multi-class models assign each alert and event a threat score (a probability between 0 and 1)
- **Real-time inference**: models are served from Cloud Run, giving sub-second threat scoring at scale
- **Multi-source feature engineering**: data from Wazuh, Splunk and CrowdStrike is combined into one feature set for full visibility
- **Intelligent response triggering**: automated remediation workflows are driven by ML confidence thresholds
- **Continuous learning**: models are retrained on new threats and incorporate analyst feedback
### Comprehensive Data Collection
- **Multi-source integration**: unified collection from Splunk SIEM, CrowdStrike Falcon EDR and Wazuh XDR
- **Custom agents**: in-house agents that can be adapted to collect data and execute actions on custom operating systems or infrastructure
- **Real-time streaming**: Google Cloud Pub/Sub and Dataflow for high-throughput event processing
- **Data normalization**: one standard schema across all security sources, so that analysis is consistent regardless of where an event came from
- **BigQuery data lake**: centralized storage for historical analysis and model training
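The normalization step above is where most cross-source bugs hide: each product uses its own timestamp format, its own severity scale and its own place for ATT&CK technique IDs, and a record that slips through with an empty host or an unparseable time will be scored and acted on downstream. The following is an added example of such a normalizer, not AUTODR's own `data_normalizer.py`; the input field names are simplified assumptions about each product's JSON, the output schema and severity mappings are this example's own, and the sample alerts are constructed.

```python
"""Normalize Wazuh, CrowdStrike and Splunk alerts into one schema (added example).

Not AUTODR's data_normalizer.py: input field names are simplified assumptions,
the output schema and the severity mappings are this example's own.
"""
from __future__ import annotations

import hashlib
import re
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Iterable, List, Tuple

# Splunk ES urgency labels mapped onto the same 0-1 scale as the other sources (assumed).
_URGENCY = {"informational": 0.1, "low": 0.3, "medium": 0.5, "high": 0.7, "critical": 0.9}


def _utc(ts: Any) -> str:
    """ISO-8601 string, epoch seconds or epoch milliseconds -> UTC ISO string."""
    if isinstance(ts, str):
        ts = ts.strip().replace("Z", "+00:00")
        ts = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", ts)   # "+0000" -> "+00:00"
        dt = datetime.fromisoformat(ts)
        if dt.tzinfo is None:                               # naive: assume UTC
            dt = dt.replace(tzinfo=timezone.utc)
    else:
        secs = float(ts)
        if secs > 1e11:                                     # epoch milliseconds
            secs /= 1000.0
        dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds")


def _from_wazuh(r: dict) -> dict:
    return {"event_id": r["id"], "host": r["agent"]["name"],
            "src_ip": r.get("data", {}).get("srcip"), "timestamp": _utc(r["timestamp"]),
            "severity": min(1.0, int(r["rule"]["level"]) / 15.0),    # rule.level is 0-15
            "mitre_techniques": list(r["rule"].get("mitre", {}).get("id", [])),
            "description": r["rule"]["description"]}


def _from_crowdstrike(r: dict) -> dict:
    return {"event_id": r["detection_id"], "host": r["device"]["hostname"],
            "src_ip": r["device"].get("external_ip"), "timestamp": _utc(r["created_timestamp"]),
            "severity": min(1.0, int(r["severity"]) / 100.0),        # Falcon severity is 0-100
            "mitre_techniques": [r["technique_id"]] if r.get("technique_id") else [],
            "description": r["description"]}


def _from_splunk(r: dict) -> dict:
    return {"event_id": r["event_id"], "host": r["host"], "src_ip": r.get("src"),
            "timestamp": _utc(r["_time"]),
            "severity": _URGENCY[r.get("urgency", "medium").lower()],
            "mitre_techniques": [t for t in r.get("mitre_technique_id", "").split(",") if t],
            "description": r["search_name"]}


_PARSERS: Dict[str, Callable[[dict], dict]] = {
    "wazuh": _from_wazuh, "crowdstrike": _from_crowdstrike, "splunk": _from_splunk}


def normalize(source: str, record: dict) -> dict:
    """Return one unified record; raise ValueError rather than pass junk downstream."""
    if source not in _PARSERS:
        raise ValueError(f"unknown source {source!r}")
    try:
        out = _PARSERS[source](record)
    except KeyError as e:
        raise ValueError(f"{source}: missing field {e}") from e
    if not out["host"]:
        raise ValueError(f"{source}: empty host")
    out["source"] = source
    out["mitre_techniques"] = sorted(set(out["mitre_techniques"]))
    # Same host, same minute, same technique set -> same key, so the alert queue
    # can collapse overlapping alerts from different sensors.
    key = f"{out['host']}|{out['timestamp'][:16]}|{','.join(out['mitre_techniques'])}"
    out["dedup_key"] = hashlib.sha256(key.encode()).hexdigest()[:16]
    return out


def normalize_batch(items: Iterable[Tuple[str, dict]]) -> Tuple[List[dict], List[dict]]:
    """Returns (normalized, rejected); rejected records carry the reason for quarantine."""
    good, bad = [], []
    for source, raw in items:
        try:
            good.append(normalize(source, raw))
        except ValueError as e:
            bad.append({"source": source, "error": str(e), "raw": raw})
    return good, bad


# Constructed sample alerts (shapes loosely modelled on each product's JSON, not real data).
SAMPLE = [
    ("wazuh", {"id": "1714557600.1", "timestamp": "2024-05-01T10:00:00.123+0000",
               "agent": {"name": "web-01"}, "data": {"srcip": "203.0.113.7"},
               "rule": {"level": 12, "description": "Brute force then successful login",
                        "mitre": {"id": ["T1110", "T1078"]}}}),
    ("crowdstrike", {"detection_id": "ldt:1", "created_timestamp": 1714557615000,
                     "device": {"hostname": "web-01", "external_ip": "198.51.100.9"},
                     "severity": 70, "technique_id": "T1078",
                     "description": "Valid account used from new location"}),
    ("splunk", {"event_id": "notable-42", "_time": 1714557630, "host": "db-02",
                "urgency": "High", "src": "203.0.113.7", "mitre_technique_id": "T1110",
                "search_name": "Brute force against database"}),
    ("wazuh", {"id": "bad", "timestamp": "2024-05-01T10:00:00Z", "agent": {"name": ""},
               "rule": {"level": 3, "description": "noop"}}),   # rejected: no host
]
```

`normalize_batch(SAMPLE)` yields three records with UTC timestamps ten to thirty seconds apart and severities on one scale (0.8, 0.7, 0.7), and one rejected record. Rejects are returned rather than dropped so they can be written to a quarantine table and counted; a silent drop here would hide a broken collector until someone noticed the missing alerts.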
### Automated Response and Orchestration
- **Incident response automation**: pre-built runbooks for endpoint isolation, IP blocking, user account management and threat containment
- **Shuffle SOAR integration**: visual workflow designer with 100+ app integrations for complex security orchestration
- **Zero-touch remediation**: automated response actions triggered by ML confidence thresholds
- **MITRE ATT&CK-mapped playbooks**: a library of response procedures aligned with the attack framework
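"Intelligent response triggering" in the detection list and "zero-touch remediation" here both mean the same thing: a model score crosses a threshold and a runbook runs without a human in the loop. The practical question is what sits between the score and the runbook, because a regressed model or a poisoned retraining set can push every alert over the threshold at once. The following is an added example of such a gate, not AUTODR's trigger logic; the thresholds, the ATT&CK-to-runbook mapping and the budget numbers are assumptions for illustration.

```python
"""Confidence-threshold response gate with guardrails (added example).

Not AUTODR's own trigger logic: thresholds, playbook mapping and budget
numbers are assumptions chosen to illustrate the pattern.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Set

AUTO_THRESHOLD = 0.90    # score >= this: zero-touch remediation
REVIEW_THRESHOLD = 0.60  # score >= this: open a case for an analyst; below: log only

# Assumed ATT&CK technique -> runbook mapping (not AUTODR's real catalogue).
PLAYBOOKS = {"T1486": "ransomware_containment",
             "T1110": "block_source_ip",
             "T1078": "disable_user_account"}
DEFAULT_PLAYBOOK = "isolate_endpoint"


@dataclass
class Decision:
    tier: str            # "auto", "review" or "log"
    playbooks: List[str]
    reason: str


@dataclass
class ResponseGate:
    """Decides what a scored alert is allowed to trigger.

    Two guardrails sit between the model and the runbooks: protected hosts
    (domain controllers, production databases) always need a human, and a
    sliding-window budget caps automatic actions so that a regressed model
    cannot isolate the whole fleet before anyone notices.
    """
    protected_hosts: Set[str]
    max_auto_per_window: int = 5
    window_seconds: int = 600
    _auto_times: Deque[float] = field(default_factory=deque, repr=False)

    def _budget_left(self, now: float) -> bool:
        while self._auto_times and now - self._auto_times[0] > self.window_seconds:
            self._auto_times.popleft()
        return len(self._auto_times) < self.max_auto_per_window

    def decide(self, alert: dict, now: float) -> Decision:
        score = float(alert["score"])
        techniques = alert.get("mitre_techniques", [])
        playbooks = sorted({PLAYBOOKS.get(t, DEFAULT_PLAYBOOK) for t in techniques}
                           or {DEFAULT_PLAYBOOK})
        if score < REVIEW_THRESHOLD:
            return Decision("log", [], f"score {score:.2f} below review threshold")
        if score < AUTO_THRESHOLD:
            return Decision("review", playbooks, f"score {score:.2f} in analyst band")
        if alert["host"] in self.protected_hosts:
            return Decision("review", playbooks, "protected host: approval required")
        if not self._budget_left(now):
            return Decision("review", playbooks,
                            "auto-response budget exhausted: possible model regression")
        self._auto_times.append(now)   # consume budget only for actions actually taken
        return Decision("auto", playbooks, f"score {score:.2f} >= auto threshold")


def triage(gate: ResponseGate, alerts: List[dict], now: float) -> List[Decision]:
    """Run a batch of scored alerts through the gate in arrival order."""
    return [gate.decide(a, now) for a in alerts]
```

Every path returns a `Decision` with a reason string; writing that reason to the case record is what lets an analyst later explain why a host was or was not isolated. When the budget trips, the alerts are downgraded to review rather than discarded, so nothing is lost, only the automation is paused.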
### Collaborative Investigation
AUTODR integrates **DFIR-IRIS** for multi-analyst investigation workflows:
- **Collaborative case management**: role-based access control with multi-user investigation workspaces
- **Chain of custody**: forensic-grade artifact tracking and timeline analysis
- **IOC management**: automatic extraction and tracking of IOCs, synchronized with MISP
- **Team coordination**: task assignment, shared notes and real-time collaboration
**Integration pipeline**: `Detection (Wazuh) → Orchestration (Shuffle) → Investigation (IRIS)`
### Threat Intelligence Integration
- **MISP platform**: bidirectional threat intelligence sharing and enrichment
- **Automated IOC enrichment**: real-time lookups for file hashes, IPs, domains and URLs
- **Community intelligence**: access to global threat feeds and indicator sharing
- **Custom feeds**: support for private and third-party threat intelligence feeds
### Enterprise Architecture
- **Modular design**: easy to extend with new hunts, runbooks, data sources and integrations
- **Cloud-native scalability**: horizontal scaling and high availability on Google Cloud Platform
- **Multi-platform support**: unified security operations across Windows, Linux, macOS and cloud workloads
- **API-first design**: RESTful APIs on every component for custom integrations
- **Containerized deployment**: Docker Compose orchestration simplifies deployment and management
## System Architecture
```mermaid
%%{init: { 'theme': 'base', 'themeVariables': { 'fontSize': '23px', 'subgraphFontSize': '30px', 'edgeFontSize': '30px', 'nodeSpacing': 30, 'rankSpacing': 30, 'clusterPadding': 150, 'clusterBorderRadius': 60 } } }%%
graph TB
    subgraph Endpoints["ENDPOINT AGENTS"]
        MacOS["macOS Endpoint<br/>Wazuh Agent"]
        Linux["Linux Endpoint<br/>Wazuh Agent"]
        Debian["Debian Endpoint<br/>Wazuh Agent"]
        Windows["Windows Endpoint<br/>Wazuh Agent"]
        CustomAgent["Custom Endpoint<br/>Custom Agent"]
    end
    subgraph SecurityTools["SECURITY TOOLS"]
        MISP["MISP<br/>Threat Intelligence"]
        WazuhManager["Wazuh Manager<br/>Central Monitoring"]
        Splunk["Splunk SIEM<br/>Log Analysis"]
        CrowdStrike["CrowdStrike Falcon<br/>Endpoint Protection"]
    end
    subgraph DataCollection["DATA COLLECTION LAYER"]
        WazuhCollector["wazuh/<br/>Wazuh Collector"]
        SplunkCollector["splunk/<br/>Splunk Collector"]
        CrowdStrikeCollector["crowdstrike/<br/>CrowdStrike Collector"]
    end
    subgraph GCP["GOOGLE CLOUD PLATFORM"]
        PubSub["Pub/Sub<br/>Event Streaming"]
        Dataflow["Dataflow<br/>Stream Processing"]
        BigQuery["BigQuery<br/>Data Warehouse"]
        VertexAI["Vertex AI<br/>ML Platform<br/>Continuous Training"]
        CloudRun["Cloud Run<br/>Inference Service"]
    end
    subgraph AutomationLayer["AUTOMATION & ORCHESTRATION"]
        AUTODR["AUTODR Engine<br/>autodr.py"]
        AutoHunt["autohunt/<br/>Threat Hunting"]
        AutoBook["autobook/<br/>IR Runbooks"]
        Shuffle["shuffle/<br/>SOAR Workflows"]
    end
    subgraph CaseManagement["CASE MANAGEMENT"]
        IRIS["iris/<br/>DFIR-IRIS Platform"]
        IRISWeb["IRIS Web UI<br/>Collaborative Investigation"]
        IRISTimeline["Timeline Analysis<br/>Evidence Tracking"]
    end
    subgraph ResponseActions["RESPONSE & ACTIONS"]
        AlertQueue["Alert Queue<br/>ML Scoring"]
        ShuffleWorkflows["Shuffle Workflows<br/>Visual Automation"]
        ResponsePlaybooks["AutoBook Runbooks<br/>Automated Remediation"]
        NotificationEngine["Notification Engine<br/>Alerts & Updates"]
        CrowdStrikeResponse["crowdstrike/<br/>Host Isolation"]
        SplunkAlert["splunk/<br/>High Priority Alerts"]
        MISPIntegration["misp/<br/>IOC Management"]
    end

    %% Logic Connections
    MISP --> WazuhCollector
    WazuhManager --> WazuhCollector
    Splunk --> SplunkCollector
    CrowdStrike --> CrowdStrikeCollector
    WazuhCollector & SplunkCollector & CrowdStrikeCollector --> PubSub
    PubSub --> Dataflow --> BigQuery --> VertexAI --> CloudRun
    CloudRun <--> AUTODR
    AUTODR --> AutoHunt & AutoBook & Shuffle & IRIS
    MacOS & Linux & Debian & Windows & CustomAgent --> WazuhManager
    AutoBook & AutoHunt --> AlertQueue
    Shuffle --> ShuffleWorkflows --> AlertQueue
    AlertQueue --> ResponsePlaybooks & IRIS
    ResponsePlaybooks --> NotificationEngine & CrowdStrikeResponse & SplunkAlert & MISPIntegration
    IRIS --> IRISWeb & IRISTimeline

    %% Styling with forced height to prevent overlap
    classDef endpoint fill:#e1f5ff,stroke:#01579b,stroke-width:1px,padding:0px,min-height:0px
    classDef security fill:#fff3e0,stroke:#e65100,stroke-width:1px,padding:0px,min-height:0px
    classDef gcp fill:#e8f5e9,stroke:#1b5e20,stroke-width:1px,padding:0px,min-height:0px
    classDef response fill:#ffe0b2,stroke:#e65100,stroke-width:1px,padding:0px,min-height:0px
    classDef casemanagement fill:#e3f2fd,stroke:#0d47a1,stroke-width:1px,padding:0px,min-height:0px
    class MacOS,Linux,Debian,Windows,CustomAgent endpoint
    class WazuhManager,Splunk,CrowdStrike,MISP security
    class PubSub,Dataflow,BigQuery,VertexAI,CloudRun gcp
    class IRIS,IRISWeb,IRISTimeline casemanagement
    class AlertQueue,ShuffleWorkflows,ResponsePlaybooks,NotificationEngine,CrowdStrikeResponse,SplunkAlert,MISPIntegration response
```
## Modules
### AutoBook: Incident Response Module
Example runbook (also available at [github.com/st-mn/autobook](https://github.com/st-mn/autobook)):
- `00_wannacry_ir_runbook.ipynb` — WannaCry incident response automation
### AutoHunt: Threat Hunting Module
Example hunt (also available at [github.com/st-mn/autohunt](https://github.com/st-mn/autohunt)):
- `00_wannacry_hunt.py` — WannaCry threat hunting automation
## Running Specific Workflows
### ML Pipeline Operations
**Run the full ML pipeline**
```
python ml_pipeline.py
```
**Collect data from the security sources**
```
python splunk_data_collector.py       # Splunk
python crowdstrike_data_collector.py  # CrowdStrike
python wazuh_data_collector.py        # Wazuh
```
**Process data and train the ML model**
```
python data_normalizer.py     # Normalize collected data
python feature_engineering.py # Extract features
python vertex/ml_model.py     # Train ML model
```
### Threat Hunting and Incident Response
**List and run hunts**
```
python autodr.py --list-hunts           # List available hunts
python autodr.py hunt 00_dns_tunneling  # Run specific hunt
```
**List and run runbooks**
```
python autodr.py --list-runbooks                      # List available runbooks
python autodr.py runbook 00_isolate_endpoint --step   # Run stepwise
python autodr.py runbook 00_isolate_endpoint --full   # Run full automation
```
### Automated Response Tests
```
python crowdstrike/crowdstrike_response.py  # Test CrowdStrike integration
python splunk/splunk_alert.py               # Test Splunk alert creation
python misp/misp_integration.py             # Test MISP IOC addition
```
© 2026 Stan Toman
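The hunt commands above name a `00_dns_tunneling` hunt without showing what one looks like. The following is an added example of the detection logic such a hunt would run, written here for illustration and not taken from AutoHunt or the repository; the log line format (`timestamp client qname qtype`) and all log lines are constructed, and the thresholds are assumptions a real deployment would tune against its own baseline.

```python
"""DNS-tunnelling hunt over query logs (added example, not AutoHunt's 00_dns_tunneling).

Input line format is assumed: "<timestamp> <client-ip> <qname> <qtype>".
"""
from __future__ import annotations

import math
import random
from collections import Counter, defaultdict
from statistics import mean
from typing import Dict, Iterable, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.5 for random base32 text, ~2-3 for dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Return (subdomain labels, registered domain). The last two labels approximate
    the registered domain; a production hunt should use the public-suffix list so
    that names under co.uk and similar suffixes group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def hunt_dns_tunneling(lines: Iterable[str], min_queries: int = 20,
                       min_unique_ratio: float = 0.8, min_mean_len: int = 20,
                       min_entropy: float = 3.5) -> List[dict]:
    """Flag (client, domain) pairs whose subdomains look like encoded payload:
    many queries, nearly all unique, long, high-entropy labels."""
    groups: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # malformed line: skip, never crash the hunt
        _ts, client, qname, qtype = parts
        sub, domain = split_qname(qname)
        groups[(client, domain)].append((sub, qtype.upper()))

    findings = []
    for (client, domain), queries in groups.items():
        subs = [s for s, _ in queries if s]
        if len(subs) < min_queries:
            continue
        stats = {
            "queries": len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "mean_len": mean(len(s.replace(".", "")) for s in subs),
            "mean_entropy": mean(shannon_entropy(s.replace(".", "")) for s in subs),
            "txt_ratio": sum(t == "TXT" for _, t in queries) / len(queries),
        }
        if (stats["unique_ratio"] >= min_unique_ratio and stats["mean_len"] >= min_mean_len
                and stats["mean_entropy"] >= min_entropy):
            findings.append({"client": client, "domain": domain, "sample": subs[:3], **stats})
    return findings


def constructed_log() -> List[str]:
    """Constructed sample log, not real traffic: one benign client that is merely
    busy (many short CDN names) and one client tunnelling data out over TXT."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"          # base32-style payload
    lines = ["2024-05-01T10:00:00Z 10.0.0.5 www.example.com A",
             "2024-05-01T10:00:01Z 10.0.0.5 mail.example.com MX",
             "garbage line that should be skipped"]
    lines += [f"2024-05-01T10:01:{i:02d}Z 10.0.0.5 img{i}.cdn.example.org A"
              for i in range(25)]
    for i in range(40):
        label = "".join(rng.choice(alphabet) for _ in range(30))
        lines.append(f"2024-05-01T10:02:{i:02d}Z 10.0.0.9 {label}.exfil.example.net TXT")
    return lines
```

Running `hunt_dns_tunneling(constructed_log())` returns one finding, for client `10.0.0.9` and domain `example.net`, with `txt_ratio` 1.0 and mean label entropy well above the threshold. The busy CDN client is also over `min_queries` and has a unique ratio of 1.0, but its labels are short and low-entropy, which is why the hunt requires all three conditions rather than volume alone; that combination is what keeps a hunt like this from paging on every content delivery network.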
Tags: Apex, BigQuery, Cloud Run, CrowdStrike, Dataflow, DFIR-IRIS, EDR, FTP vulnerability scanning, Google Vertex AI, Gradle integration, JSON Lines, Shuffle, SOAR, Wazuh, threat classification, security orchestration, security operations, real-time inference, anomaly detection, scanning framework, data lake, machine learning, vulnerability assessment, automated incident response, custom agents, custom scripts, behavioural detection, false-positive reduction, request interception, reverse-engineering tools, zero trust