reninjk/soc-automation

GitHub: reninjk/soc-automation

A set of SOC-oriented automation scripts that orchestrate the full workflow from alert triage and IOC enrichment through incident response and metrics reporting.

Stars: 0 | Forks: 0

# ⚙️ SOC Automation

## 📁 Repository Structure

```
soc-automation/
├── alert-triage/
│   ├── auto_triage.py          # Auto-classify incoming alerts by severity
│   └── alert_dedup.py          # Deduplicate repeated alerts within time window
├── ioc-enrichment/
│   ├── enrich_ioc.py           # Enrich IPs/domains/hashes via threat intel APIs
│   └── virustotal_lookup.py    # VirusTotal API wrapper
├── case-management/
│   ├── create_ticket.py        # Auto-create IR tickets from SIEM alerts
│   └── escalate_case.py        # Escalation workflow automation
├── response-actions/
│   ├── isolate_host.py         # Trigger host isolation via EDR API
│   ├── block_ioc.py            # Push IOC blocks to firewall/proxy
│   └── reset_password.py       # Force account password reset via AD
├── reporting/
│   ├── weekly_metrics.py       # Generate weekly SOC metrics report
│   └── mttr_calculator.py      # Calculate MTTD/MTTR from ticket data
├── utils/
│   ├── config.py               # Centralized config management
│   ├── logger.py               # Structured logging helper
│   └── api_client.py           # Generic REST API client with retry logic
├── requirements.txt
└── .github/
    └── workflows/
        └── test-scripts.yml
```

## 🚀 Quick Start

```
# Clone the repository
git clone https://github.com/reninjk/soc-automation.git
cd soc-automation

# Set up a virtual environment
python3 -m venv venv
source venv/bin/activate   # Linux/Mac
# venv\Scripts\activate    # Windows

# Install dependencies
pip install -r requirements.txt

# Configure environment variables
cp .env.example .env
# Edit .env with your API keys and endpoints
```

## 🔧 Environment Variables

```
# SIEM
SIEM_URL=https://your-siem.example.com
SIEM_API_KEY=your_api_key

# Threat Intelligence
VT_API_KEY=your_virustotal_key
MISP_URL=https://your-misp.example.com
MISP_API_KEY=your_misp_key

# EDR
EDR_URL=https://your-edr.example.com
EDR_API_KEY=your_edr_key

# Case Management
TICKETING_URL=https://your-ticketing.example.com
TICKETING_API_KEY=your_ticket_key

# Notifications
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxx
```

## 📋 Script Reference

| Script | Purpose | Trigger |
|--------|---------|---------|
| `auto_triage.py` | Classify alert severity and assign to an analyst | SIEM webhook |
| `enrich_ioc.py` | Multi-source IOC enrichment | New IOC observed |
| `create_ticket.py` | Open an IR ticket with context | P1/P2 alert |
| `isolate_host.py` | Isolate a host via EDR | P1 malware alert |
| `block_ioc.py` | Block IP/domain on the firewall | Confirmed malicious |
| `weekly_metrics.py` | SOC KPI report | Every Monday 08:00 |

## 🧪 Testing

```
# Run all tests
python -m pytest tests/ -v

# Run with coverage
python -m pytest tests/ --cov=. --cov-report=html

# Lint
flake8 . --max-line-length=120
```

## 🔗 Related Repositories

- [soc-detection-rules](../soc-detection-rules) — Detection rules that trigger these automations
- [soc-incident-response](../soc-incident-response) — IR playbooks that these scripts execute
- [soc-compliance-reporting](../soc-compliance-reporting) — Metrics reports generated here

*Maintained by the SOC Manager | All scripts require peer review before production deployment*
Tags: Active Directory, EDR, IOC enrichment, IOC blocking, MTTD, MTTR, Plaso, Python, REST API, SOC metrics, Terraform security, host isolation, escalation workflow, alert triage, alert deduplication, threat intelligence, subdomain enumeration, security operations, security operations center, password reset, ticket creation, developer tools, scanning framework, metrics calculation, no backdoor, network mapping, vulnerability assessment, scripting tools, automated response, reverse engineering tools, firewall, integrated development