RohitKumarReddySakam/sentinel-soar
GitHub: RohitKumarReddySakam/sentinel-soar
SENTINEL SOAR 是一款开源的企业级安全编排自动化与响应平台,通过机器学习告警优先级评分和可定制 Playbook 实现自动化事件响应,帮助 SOC 团队将平均响应时间从30分钟压缩至5分钟以内。
Stars: 0 | Forks: 0
# ⚔️ SENTINEL SOAR — 安全编排、自动化与响应平台
DATABASE_URL=
DEMO_MODE=false
VIRUSTOTAL_API_KEY=
ABUSEIPDB_API_KEY=
SLACK_WEBHOOK_URL=
```
## 📁 项目结构
```
sentinel-soar/
├── app.py # Flask application & REST API
├── config.py # Configuration management
├── wsgi.py # WSGI entry point
├── requirements.txt # Python dependencies
├── Dockerfile # Container definition
├── docker-compose.yml # Docker orchestration
├── Procfile # Render/Heroku deployment
│
├── core/
│ ├── alert_ingestion.py # Multi-source alert normalization
│ ├── playbook_engine.py # YAML playbook execution engine
│ ├── case_management.py # Incident lifecycle management
│ ├── ml_prioritizer.py # ML-powered alert scoring
│ └── integrations.py # VirusTotal / AbuseIPDB / Slack
│
├── playbooks/
│ ├── phishing_response.yaml
│ ├── ransomware_response.yaml
│ ├── brute_force_response.yaml
│ ├── data_breach_response.yaml
│ └── malware_containment.yaml
│
├── templates/ # Jinja2 HTML templates
├── static/ # CSS, JavaScript, assets
├── tests/ # Pytest test suite
└── .github/workflows/ # CI/CD pipeline
```
## 🛡️ MITRE ATT&CK 覆盖范围
| 战术 | 技术 | Playbook |
|--------|-----------|---------|
| Initial Access (初始访问) | T1566 - Phishing (钓鱼) | `phishing_response` |
| Execution (执行) | T1204 - User Execution (用户执行) | `malware_containment` |
| Credential Access (凭据访问) | T1110 - Brute Force (暴力破解) | `brute_force_response` |
| Lateral Movement (横向移动) | T1550 - Alt Auth Material (备用认证材料) | `malware_containment` |
| Exfiltration (渗出) | T1041 - Exfil Over C2 (通过 C2 渗出) | `data_breach_response` |
| Impact (影响) | T1486 - Data Encrypted (数据加密) | `ransomware_response` |
## 👨💻 作者
**Rohit Kumar Reddy Sakam** — DevSecOps 工程师 & 渗透测试员
[](https://linkedin.com/in/rohitkumarreddysakam)
[](https://github.com/srkrcyber)
[](https://srkrcyber.com)
## 📄 许可证
MIT 许可证 — 详情见 [LICENSE](LICENSE)。
[](https://www.python.org/downloads/)
[](https://flask.palletsprojects.com/)
[](https://opensource.org/licenses/MIT)
[](https://www.docker.com/)
[](https://github.com/features/actions)
**企业级事件响应自动化,将 MTTR 从数小时缩短至数分钟**
[在线演示](https://sentinel-soar.onrender.com) · [API 文档](#api-reference) · [架构](#architecture)
## 🎯 问题陈述
现代安全运营中心 面临着**警报疲劳** —— 分析师每天收到数千条警报,其中 45% 因数量过大而未被调查。人工分类每个事件耗时 30 分钟以上,且高压事件中的人为错误会导致遏制失败。
**SENTINEL SOAR 通过以下方式解决此问题:**
- 自动分类 90% 以上的常规警报,无需分析师干预
- 在 60 秒内执行响应 Playbook(手动需 30 分钟以上)
- 提供 ML 驱动的严重性评分,以揭示真正关键的威胁
- 维护完整的事件时间线,用于取证分析和合规性审计
## 📊 关键指标
| 指标 | 数值 |
|--------|-------|
| 警报分类自动化 | **90%** |
| 平均响应时间 (MTTR) | **< 5 分钟** |
| 响应时间缩短 | 比手动**快 85%** |
| 支持的 Playbook | **5 个企业级** |
| 威胁情报集成 | **VirusTotal, AbuseIPDB, Shodan** |
| 实时 WebSocket 更新 | **实时仪表盘** |
## 🏗️ 架构
```
┌────────────────────────────────────────────────────────────────┐
│ Alert Sources │
│ SIEM │ EDR Agent │ Email Gateway │ DLP │ WAF │ Firewall │
└──────────────────────────┬─────────────────────────────────────┘
│ Webhooks / REST API
▼
┌────────────────────────────────────────────────────────────────┐
│ Alert Ingestion Engine │
│ • Normalization • Deduplication • Source mapping │
└──────────────────────────┬─────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────────┐
│ ML Alert Prioritization Engine │
│ • Random Forest scoring (type + severity + source + NLP) │
│ • CRITICAL / HIGH / MEDIUM / LOW labels │
│ • Confidence scores (0.0 – 1.0) │
└────────────┬─────────────────────────────────┬─────────────────┘
│ │
▼ ▼
┌────────────────────────┐ ┌──────────────────────────────┐
│ Playbook Engine │ │ Threat Intel Enrichment │
│ • YAML-defined steps │ │ • VirusTotal API │
│ • Auto-trigger rules │ │ • AbuseIPDB API │
│ • Background threads │ │ • Shodan API │
│ • Step-by-step logs │ │ • Risk score calculation │
└────────────┬───────────┘ └──────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────────┐
│ Case Management │
│ • Full incident lifecycle • MITRE ATT&CK mapping │
│ • Timeline tracking • Evidence chain │
│ • Auto-case from critical • Analyst assignment │
└──────────────────────────┬─────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────────┐
│ Notification Hub │
│ Slack Webhooks │ Jira Tickets │ PagerDuty (configurable) │
└────────────────────────────────────────────────────────────────┘
```
## ⚡ 快速开始
### 选项 1:本地运行(< 2 分钟)
```
# 克隆 repository
git clone https://github.com/srkrcyber/sentinel-soar.git
cd sentinel-soar
# 创建 virtual environment
python3 -m venv venv
source venv/bin/activate # Linux/macOS
# venv\Scripts\activate # Windows
# 安装 dependencies
pip install -r requirements.txt
# 配置 environment(可选 - 无需 API keys 即可运行)
cp .env.example .env
# 运行 application
python wsgi.py
# 打开 http://localhost:5000 🚀
```
### 选项 2:Docker(单条命令)
```
git clone https://github.com/srkrcyber/sentinel-soar.git
cd sentinel-soar
docker-compose up --build
# 打开 http://localhost:5000 🚀
```
## 🎭 包含的 Playbook
| Playbook | 触发器 | 步骤 | 平均耗时 |
|---------|---------|-------|----------|
| `phishing_response` | `phishing` 警报 | 7 个自动化步骤 | 35s |
| `ransomware_response` | `ransomware` 警报 | 9 个自动化步骤 | 60s |
| `brute_force_response` | `brute_force` 警报 | 6 个自动化步骤 | 20s |
| `data_breach_response` | `data_exfiltration` | 9 个自动化步骤 | 90s |
| `malware_containment` | `malware` / `lateral_movement` | 8 个自动化步骤 | 45s |
**示例:勒索软件响应执行**
```
Step 1/9 ✅ Isolated WORKSTATION-042 from all network segments
Step 2/9 ✅ Terminated svchost.exe (PID 4892) via EDR agent
Step 3/9 ✅ Memory dump collected (2.1 GB) — SHA256: a4f2...
Step 4/9 ✅ Network scan: 2 additional hosts flagged
Step 5/9 ✅ Session tokens revoked for 3 compromised accounts
Step 6/9 ✅ Slack alert sent to #soc-alerts and #ciso
Step 7/9 ✅ Digital evidence preserved and hash-chained
Step 8/9 ✅ Jira ticket IR-4821 created (P0)
Step 9/9 ✅ Legal team notified — breach disclosure assessment initiated
⏱️ Total execution time: 58.3 seconds
```
## 🔌 API 参考
### 创建警报
```
POST /api/alerts
Content-Type: application/json
{
"type": "ransomware",
"severity": "CRITICAL",
"source": "edr_agent",
"description": "Ransomware activity on WORKSTATION-042",
"indicators": {
"host": "WORKSTATION-042",
"process": "svchost.exe",
"c2_ip": "185.220.101.47"
}
}
# Response: 201 Created
{
"id": "uuid",
"ml_priority": 0.9847,
"ml_label": "CRITICAL",
"playbook_triggered": "ransomware_response"
}
```
### 模拟攻击
```
POST /api/simulate
{"scenario": "ransomware"}
# Scenarios: phishing | ransomware | brute_force | data_exfil | lateral_movement
```
### 富化 IOC
```
POST /api/enrich
{"ioc": "185.220.101.47", "type": "ip"}
```
### 获取指标
```
GET /api/metrics
# Returns: severity distribution, type distribution, MTTR, automation rate
```
## 🔒 安全特性
- 所有 API 端点均进行**输入验证**
- 通过 SQLAlchemy ORM 实现 **SQL 注入防护**
- **非 root Docker 执行** (UID 1000)
- **基于环境变量的密钥管理**(无硬编码凭据)
- **速率限制**就绪(兼容 flask-limiter)
- CI/CD 中通过 Safety + Bandit 进行**依赖扫描**
## 🚀 部署
### Render.com(推荐 — 免费层)
1. Fork 本仓库
2. 连接到 [render.com](https://render.com)
3. New → Web Service → 连接仓库
4. 构建命令:`pip install -r requirements.txt`
5. 启动命令:`gunicorn --worker-class eventlet -w 1 --bind 0.0.0.0:$PORT wsgi:app`
6. 部署 ✅
### 生产环境变量
```
SECRET_KEY=标签:AbuseIPDB, Apex, Ask搜索, Cloudflare, DevSecOps, Docker, Flask, incident response, MITRE ATT&CK, MTTR, Python, SOAR平台, VirusTotal, WebSocket, 上游代理, 企业安全, 依赖分析, 告警分类, 威胁情报, 安全编排与自动化响应, 安全运营中心, 安全防御评估, 平均响应时间, 开发者工具, 无后门, 机器学习, 网络安全, 网络映射, 网络资产管理, 自动化剧本, 请求拦截, 逆向工具, 隐私保护