RohitKumarReddySakam/arise-soar

GitHub: RohitKumarReddySakam/arise-soar

一款面向 SOC 的 SOAR 平台,通过机器学习与剧本自动化降低告警疲劳并加速响应。

Stars: 0 | Forks: 0

[![Python](https://img.shields.io/badge/Python-3.11+-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://python.org) [![Flask](https://img.shields.io/badge/Flask-3.0-000000?style=for-the-badge&logo=flask&logoColor=white)](https://flask.palletsprojects.com) [![MITRE](https://img.shields.io/badge/MITRE-ATT%26CK-FF0000?style=for-the-badge)](https://attack.mitre.org) [![Docker](https://img.shields.io/badge/Docker-Ready-2496ED?style=for-the-badge&logo=docker&logoColor=white)](https://docker.com) [![License](https://img.shields.io/badge/License-MIT-22C55E?style=for-the-badge)](LICENSE) [![Automation](https://img.shields.io/badge/Triage_Automation-90%25-64ffda?style=flat-square)](.) [![MTTR](https://img.shields.io/badge/MTTR-%3C5_Minutes-64ffda?style=flat-square)](.) [![Playbooks](https://img.shields.io/badge/Playbooks-5_Enterprise-64ffda?style=flat-square)](.) [![Reduction](https://img.shields.io/badge/Response_Time-85%25_Faster-22c55e?style=flat-square)](.) ## 🎯 问题陈述 现代 SOC 面临 **告警疲劳** — 分析师每天接收数千条告警,其中 45% 未被调查。手动分类每起事件需 30 分钟以上。 **ARISE SOAR 通过以下方式解决此问题:** - 自动分类 **90%+ 的常规告警**,无需分析师干预 - 在 **60 秒内** 执行响应剧本 - 通过 ML 驱动的严重性评分突出真正关键威胁 - 提供完整的入侵时间线用于取证分析和合规审计 | 指标 | 值 | |------|----| | **告警分类自动化** | **90%** | | **平均响应时间** | **< 5 分钟** | | **响应时间减少** | **快 85%** | | **内置剧本数量** | **5 个企业级** | | **威胁情报 API** | VirusTotal、AbuseIPDB、Shodan | ## 🏗️ 架构 ``` Alert Sources: SIEM │ EDR │ Email GW │ DLP │ WAF │ Firewall │ ▼ ┌────────────────────────┐ │ Alert Ingestion Engine │ │ Normalize │ Dedup │ └────────────┬───────────┘ │ ┌────────────▼───────────┐ │ ML Prioritization │ │ Random Forest scoring │ │ CRITICAL/HIGH/MED/LOW │ └──────┬─────────────────┘ │ ┌──────────┴──────────┐ ▼ ▼ ┌──────────────────┐ ┌─────────────────────┐ │ Playbook Engine │ │ Threat Intel │ │ YAML steps │ │ VirusTotal │ │ Auto-trigger │ │ AbuseIPDB │ │ Background exec │ │ Shodan │ └────────┬─────────┘ └─────────────────────┘ │ ▼ ┌──────────────────────┐ │ Case Management │ │ Full lifecycle │ │ MITRE mapping │ │ Timeline tracking │ └──────────────────────┘ ``` ## 🎭 剧本 | 剧本 | 触发条件 | 步骤 | 耗时 | |------|----------|------|------| | `phishing_response` | `phishing` | 7 步 | 35 秒 | | `ransomware_response` | `ransomware` | 9 步 | 60 秒 | | `brute_force_response` | `brute_force` | 6 步 | 20 秒 | | `data_breach_response` | `data_exfiltration` | 9 步 | 90 秒 | | `malware_containment` | `malware` | 8 步 | 45 秒 |
🔴 示例:勒索软件响应执行 ``` Step 1/9 ✅ Isolated WORKSTATION-042 from all network segments Step 2/9 ✅ Terminated svchost.exe (PID 4892) via EDR agent Step 3/9 ✅ Memory dump collected (2.1 GB) — SHA256: a4f2... Step 4/9 ✅ Network scan: 2 additional hosts flagged Step 5/9 ✅ Session tokens revoked for 3 compromised accounts Step 6/9 ✅ Slack alert sent to #soc-alerts and #ciso Step 7/9 ✅ Digital evidence preserved and hash-chained Step 8/9 ✅ Jira ticket IR-4821 created (P0) Step 9/9 ✅ Legal team notified — breach disclosure initiated ⏱️ Total execution time: 58.3 seconds ```
## ⚡ 快速开始 ### 🐳 Docker ``` git clone https://github.com/RohitKumarReddySakam/arise-soar.git cd arise-soar docker-compose up --build # → http://localhost:5000 ``` ## 🔌 API 参考 ``` # 创建告警 POST /api/alerts { "type": "ransomware", "severity": "CRITICAL", "source": "edr_agent", "description": "Ransomware on WORKSTATION-042", "indicators": {"host": "WORKSTATION-042", "c2_ip": "185.220.101.47"} } # → {"id": "...", "ml_priority": 0.9847, "playbook_triggered": "ransomware_response"} # 模拟攻击场景 POST /api/simulate {"scenario": "ransomware"} # 场景:钓鱼 | 勒索软件 | 暴力破解 | 数据外泄 | 横向移动 # 丰富 IOC POST /api/enrich {"ioc": "185.220.101.47", "type": "ip"} # 平台指标 GET /api/metrics ``` ## 🛡️ MITRE ATT&CK 覆盖 | 战术 | 技术 | 剧本 | |------|--------|------| | 初始访问 | T1566 钓鱼 | `phishing_response` | | 执行 | T1204 用户执行 | `malware_containment` | | 凭证访问 | T1110 暴力破解 | `brute_force_response` | | 横向移动 | T1550 替代认证 | `malware_containment` | | 渗出 | T1041 C2 渗出 | `data_breach_response` | | 影响 | T1486 数据加密 | `ransomware_response` | ## 📁 项目结构 ``` arise-soar/ ├── app.py # Flask + SocketIO application ├── wsgi.py # Gunicorn entry point ├── config.py ├── requirements.txt ├── Dockerfile ├── docker-compose.yml │ ├── core/ │ ├── alert_ingestion.py # Multi-source normalization │ ├── playbook_engine.py # YAML playbook executor │ ├── case_management.py # Incident lifecycle │ ├── ml_prioritizer.py # ML severity scoring │ └── integrations.py # VirusTotal / AbuseIPDB / Slack │ ├── playbooks/ │ ├── phishing_response.yaml │ ├── ransomware_response.yaml │ ├── brute_force_response.yaml │ ├── data_breach_response.yaml │ └── malware_containment.yaml │ ├── templates/ # Jinja2 web UI ├── static/ # CSS, JavaScript └── tests/ # pytest test suite ``` ## 👨‍💻 作者
**Rohit Kumar Reddy Sakam** *DevSecOps 工程师与安全研究员* [![LinkedIn](https://img.shields.io/badge/LinkedIn-Rohit_Kumar_Reddy_Sakam-0077B5?style=for-the-badge&logo=linkedin&logoColor=white)](https://linkedin.com/in/rohitkumarreddysakam) [![GitHub](https://img.shields.io/badge/GitHub-RohitKumarReddySakam-181717?style=for-the-badge&logo=github&logoColor=white)](https://github.com/RohitKumarReddySakam) [![Portfolio](https://img.shields.io/badge/Portfolio-srkrcyber.com-64FFDA?style=for-the-badge&logo=safari&logoColor=black)](https://srkrcyber.com)
MIT License © 2025 Rohit Kumar Reddy Sakam
S-Rank Hunter — Blue Team
S-Rank Hunter — 蓝队
标签:AbuseIPDB, Apex, Ask搜索, Cloudflare, DLP, Docker, EDR集成, Flask, FTP漏洞扫描, Incident Timeline, MITRE ATT&CK, MTTR优化, Playbooks, Playbook编排, Python, Response Time Reduction, SIEM集成, SOAR平台, SOC自动化, Threat Intel APIs, Triage Automation, VirusTotal, WAF, 企业级响应, 告警 triage, 威胁情报, 安全编排, 安全运营, 安全防御评估, 开发者工具, 快速响应, 扫描框架, 无后门, 机器学习, 自动化分析, 自动化响应, 请求拦截, 跨站脚本, 逆向工具, 防火墙