lienerte/SentinelLite
GitHub: lienerte/SentinelLite
SentinelLite is a lightweight local SIEM framework built on Python and Flask. It uses Sigma rules and a local AI model to automatically classify heterogeneous security logs, detect threats, and orchestrate responses.
Stars: 0 | Forks: 0
# SentinelLite // Modular Security Information and Event Management Framework
SentinelLite is a lightweight, high-performance, format-agnostic SIEM and log-analysis utility built for heterogeneous security telemetry. As a pluggable triage pipeline, the framework ingests different structured log formats, cross-checks them against more than 3,100 native Sigma signature heuristics, compiles remediation sequences through an on-demand SOAR decision engine, and hands complex cases to an asynchronous local AI coprocessor for contextual threat analysis.

The interface carries an adaptive **UI simplicity toggle** that bridges the gap between non-technical users and SOC analysts by filtering the fine-grained framework metrics on demand.
### System Data Architecture & Pipeline Flow
```mermaid
graph TD
    %% Define Styles & Palette
    classDef source fill:#1a1c23,stroke:#7f8c8d,stroke-width:2px,color:#fff
    classDef core fill:#2c3e50,stroke:#00adb5,stroke-width:2px,color:#fff
    classDef logic fill:#1f4068,stroke:#16c79a,stroke-width:2px,color:#fff
    classDef layman fill:#34495e,stroke:#bdc3c7,stroke-width:1px,stroke-dasharray:5 5,color:#ecf0f1
    classDef analyst fill:#2d132c,stroke:#ff5722,stroke-width:2px,color:#fff

    %% Data Pipeline Nodes
    A["Raw Telemetry Ingestion<br/>e.g., mimikatz_test.txt"] --> B(Engine Ingestion Layer)
    B --> C{Rule Compiler}

    %% Compilation Phase
    C -->|Index Scan| D[3,123 Sigma Signatures Compiled]
    D --> E{Incident Triggered?}

    %% Split Routing based on User Preference Toggle
    E -->|No| F[Clean Log Output]
    E -->|Yes| G{UI Simplicity Toggle}

    %% Layman View Path
    G -->|Layman Mode: Disabled| H[Standard Risk Summary]
    H --> H1[Culprit Actor Anchor IP]
    H --> H2[Risk Rationalization Description]

    %% Advanced Analyst Metrics Path
    G -->|Analyst Mode: Enabled| I[Advanced Security Metrics Matrix]
    I --> J["MITRE ATT&CK Mapping<br/>e.g., T1003.001 LSASS"]
    I --> K["NIST CSF Alignment<br/>e.g., DETECT // DE.CM-1"]
    I --> L[Normalized CVE Badges]

    %% Synthesis & Local Coprocessor Integration
    H2 --> M{AI Coprocessor Engaged?}
    J --> M
    K --> M
    L --> M
    M -->|Yes| N["Local AI Analytical Core<br/>Sandbox Execution"]
    M -->|No| O[Direct UI Render Output]
    N --> O

    %% Apply Classes to Node Blocks
    class A,B source
    class C,D,E core
    class G,M logic
    class H,H1,H2 layman
    class I,J,K,L,N analyst
```

## Core Architecture Layers

* Format-agnostic classifier and parser core: an automated payload routing engine identifies the telemetry schema (binary PCAP, auth/SSHD syslog, Nginx web logs and structured JSON) by inspecting byte structure, and isolates anomalies line by line so that processing continues when a malformed data stream is encountered.
* 3,123-signature Sigma compilation matrix: compiles thousands of community-standard rule sets directly into an active in-memory map at runtime, validates nested MITRE ATT&CK sub-techniques (for example T1003.001), and normalizes multi-format CVE identifiers on the fly.
* Automated SOAR decision engine: on a signature match, immediately generates real-time, copy-and-paste terminal mitigation scripts (iptables blocks, route blackholing, process isolation) to improve mean time to respond (MTTR).
* Local AI analytical coprocessor: integrates with a local model environment through a zero-dependency API to perform on-demand tactical review of complex attack sequences, without leaking sensitive enterprise telemetry to third-party commercial cloud endpoints.

## Workspace Setup & Deployment

Choose the installation path that fits your engineering needs.

### Option A: One-Click Desktop Deployment (Non-Technical Users)

For standard review environments where the raw Python files do not need to be modified.

1. Download and unzip the `SentinelLite.zip` deployment package.
2. Double-click `Launch Dashboard.bat`.
3. The local analytical engine spins up, compiles the signature catalogs, and automatically opens your system's default browser at the dashboard canvas, `http://127.0.0.1:5000`.

### Option B: Developer Environment (Advanced Setup)

Prerequisites:

* Python 3.8+
* Local administrative privileges (required for high-precision network packet capture bindings)

1. Clone and prepare the environment

    ```
    git clone https://github.com/your-username/sentinel-lite.git
    cd sentinel-lite
    ```

2. Establish the virtual environment and dependencies

    ```
    # Create and activate environment
    python -m venv venv
    source venv/bin/activate   # On Windows use: venv\Scripts\activate

    # Install third-party framework dependencies
    pip install -r requirements.txt
    ```

3. Run the local AI engine (optional integration)

    If you use the local analytical coprocessor feature, verify that your local model instance is active and reachable over the loopback interface:

    ```
    ollama run llama3   # Or your specifically mapped local model target
    ```

4. Launch the server

    ```
    python app.py
    ```

    Open your web browser and navigate to `http://127.0.0.1:5000`.

## Directory Structure

```
sentinel_lite/
│
├── app.py                  # Flask Main Application Core & Worker Routine Initializer
├── requirements.txt        # Framework Third-Party Application Dependencies
├── README.md               # System Documentation Matrix
├── Launch Dashboard.bat    # Asynchronous 1-Click Startup Automation Script
│
├── sigma_rules/            # Dynamic Signature Database Repository (3,123+ YAML Rules)
│   ├── application/
│   ├── category/
│   ├── cloud/
│   ├── identity/
│   └── linux/
│
├── core/                   # Analytical Engine Logic Packages
│   ├── __init__.py
│   ├── parsers.py          # Line-Isolated Ingestion Parsers (PCAP, Syslog, Web, JSON)
│   ├── rules_engine.py     # Resilient Regex-Driven Threat Intel Integration (MITRE / CVE)
│   └── soar.py             # Automated Playbook Generation & Remediation Compilers
│
├── artifacts/              # Volatile System Run Data
│   └── playbooks/          # Hot-Compiled Operational Defense Scripts
│
├── templates/              # UI Presentation Layer
│   └── index.html          # Minimalist Dashboard Frontend (Featuring Simplicity Toggle)
│
└── static/                 # Layout Customizations & UI Assets
```

## Production Security Standards

* Line-level invalidation isolation: every log parser wraps each row in its own strict try/except context. If a single line contains corrupt data or anomalous byte injections, that row is flagged and dropped without compromising the runtime state of the active analysis cycle.
* Zero external overhead: telemetry logs and packet matrices are parsed entirely in volatile memory, and AI classification runs strictly on local hardware. No operational data or cryptographic hashes are ever transmitted to external nodes or commercial cloud APIs.

## Key Improvements

* Added the dual-onboarding path: the `.bat` installation path is documented right beside the raw developer Python commands, so every profile of user knows exactly how to bring the application up.
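The format-agnostic classifier under Core Architecture Layers and the line-level invalidation isolation under Production Security Standards describe one ingestion contract: pick the schema from byte structure, then parse row by row so that a single corrupt row cannot take down the cycle. The following Python is an added example written for this page, not the project's `core/parsers.py`; the grammars, the return shapes and the constructed sample inputs are assumptions.

```python
"""Schema sniffing by byte structure plus per-line fault isolation.

Added example, not SentinelLite's own parser: grammars, return shapes and the
constructed sample inputs are assumptions.
"""
import json
import re
import struct
from typing import Dict, List, Tuple

# Legacy PCAP global-header magics: little/big endian, microsecond/nanosecond.
PCAP_LITTLE = {b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"}
PCAP_MAGICS = PCAP_LITTLE | {b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"}

# Nginx "combined" access log: client ident user [time] "request" status bytes
NGINX_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# BSD-style syslog line written by sshd: "Mon DD HH:MM:SS host sshd[pid]: msg"
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
LINE_GRAMMARS = {"nginx": NGINX_RE, "sshd": SSHD_RE}


def detect_schema(blob: bytes) -> str:
    """Route on byte structure alone: PCAP magic first, then the first text line."""
    if blob[:4] in PCAP_MAGICS:
        return "pcap"
    first = blob.split(b"\n", 1)[0].decode("utf-8", errors="replace").strip()
    if first.startswith("{"):
        return "json"
    for name, grammar in LINE_GRAMMARS.items():
        if grammar.match(first):
            return name
    return "unknown"


def parse_pcap_records(blob: bytes) -> List[Dict[str, int]]:
    """Walk the 16-byte per-packet record headers; stop at the first truncated one."""
    endian = "<" if blob[:4] in PCAP_LITTLE else ">"
    off, records = 24, []  # the 24-byte global header precedes the first record
    while off + 16 <= len(blob):
        ts_sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        if off + 16 + incl_len > len(blob):
            break  # truncated capture: drop the partial record, never read past the buffer
        records.append({"ts_sec": ts_sec, "caplen": incl_len, "origlen": orig_len})
        off += 16 + incl_len
    return records


def _parse_line(schema: str, line: str) -> Dict[str, str]:
    if schema == "json":
        rec = json.loads(line)  # JSONDecodeError is a ValueError subclass
        if not isinstance(rec, dict):
            raise ValueError("JSON row is not an object")
        return rec
    grammar = LINE_GRAMMARS.get(schema)
    if grammar is None:
        raise ValueError(f"no grammar for schema {schema!r}")
    m = grammar.match(line)
    if m is None:
        raise ValueError(f"row does not match the {schema} grammar")
    return m.groupdict()


def parse_isolated(blob: bytes) -> Tuple[str, List[Dict], List[int]]:
    """Return (schema, parsed rows, 1-based numbers of rows flagged and dropped).

    Every row has its own try/except: a corrupt line or an invalid UTF-8
    sequence lands in `dropped` and the rest of the cycle continues.
    """
    schema = detect_schema(blob)
    if schema == "pcap":
        return schema, parse_pcap_records(blob), []
    rows, dropped = [], []
    for n, raw in enumerate(blob.splitlines(), start=1):
        try:
            line = raw.decode("utf-8")  # strict decode: anomalous bytes raise here
            if not line.strip():
                continue
            rows.append(_parse_line(schema, line))
        except (UnicodeDecodeError, ValueError):
            dropped.append(n)
    return schema, rows, dropped


# Constructed sample inputs (addresses are from the RFC 5737 documentation ranges).
SAMPLE_NGINX = (
    b'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043\n'
    b'\xff\xfe this row carries invalid UTF-8 and is dropped\n'
    b'203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 162\n'
)
SAMPLE_JSON = b'{"event": "login", "user": "alice"}\nnot json at all\n{"event": "logout", "user": "alice"}\n'
SAMPLE_SSHD = b"Oct 10 13:55:36 host1 sshd[1234]: Failed password for root from 198.51.100.5 port 4242 ssh2\n"
# Little-endian PCAP: global header, one complete 4-byte record, then a truncated record.
SAMPLE_PCAP = (
    b"\xd4\xc3\xb2\xa1" + b"\x00" * 20
    + struct.pack("<IIII", 1696946136, 0, 4, 4) + b"\xde\xad\xbe\xef"
    + struct.pack("<IIII", 1696946137, 0, 10, 10) + b"ab"
)
```

`parse_isolated(SAMPLE_NGINX)` returns the two well-formed rows and reports row 2 as dropped; the PCAP walker keeps the complete record and stops at the truncated one instead of reading past the buffer, which is the same isolation property applied to a binary format.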
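The Sigma compilation matrix (rules compiled into an in-memory map at runtime, nested ATT&CK sub-technique tags, multi-format CVE normalization) can be shown end to end on a single rule. The Python below is an added example, not the project's `core/rules_engine.py`: the rule, the events, the supported modifier subset and every helper name are assumptions, and the rule is written as the dict that PyYAML's `safe_load` would return for the YAML file so the example needs nothing beyond the standard library.

```python
import re
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]

# Constructed rule in Sigma layout (not a published rule); the CVE strings are
# placeholders that exist only to exercise the normalizer.
RULE = {
    "title": "LSASS memory access from an unusual source image (constructed)",
    "logsource": {"category": "process_access", "product": "windows"},
    "detection": {
        "selection": {
            "TargetImage|endswith": "\\lsass.exe",
            "GrantedAccess|contains": ["0x1010", "0x1410", "0x1fffff"],
        },
        "filter": {"SourceImage|startswith": ["C:\\Windows\\System32\\", "C:\\Program Files\\"]},
        "condition": "selection and not filter",
    },
    "tags": ["attack.credential_access", "attack.t1003.001"],
    "references": ["placeholder refs: cve-2099-00001, CVE_2099_00002"],
}
CVE_RE = re.compile(r"cve[\s_-]*(\d{4})[\s_-]*(\d{4,7})", re.I)
TECHNIQUE_RE = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)$", re.I)

def _glob_to_regex(value: str) -> str:
    """Sigma wildcards: '*' any run, '?' one character, everything else literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)

def _field_matcher(key: str, raw: Any) -> Callable[[Event], bool]:
    """Compile 'Field|modifier...: value(s)' into a predicate over one event."""
    name, *mods = key.split("|")
    patterns = []
    for v in raw if isinstance(raw, list) else [raw]:
        body = _glob_to_regex(str(v).lower())  # Sigma string matching is case-insensitive
        if "contains" in mods:
            body = ".*" + body + ".*"
        elif "startswith" in mods:
            body += ".*"
        elif "endswith" in mods:
            body = ".*" + body
        patterns.append(re.compile(body, re.S))
    need_all = "all" in mods  # 'contains|all' turns the value list from OR into AND

    def match(event: Event) -> bool:
        if name not in event:
            return False
        hits = [p.fullmatch(str(event[name]).lower()) is not None for p in patterns]
        return all(hits) if need_all else any(hits)
    return match

def _selection_matcher(sel: Dict[str, Any]) -> Callable[[Event], bool]:
    """A selection map is AND across all of its field matchers."""
    parts = [_field_matcher(k, v) for k, v in sel.items()]
    return lambda ev: all(p(ev) for p in parts)

def eval_condition(cond: str, results: Dict[str, bool]) -> bool:
    """Sigma conditions use and/or/not/parentheses, which is Python's boolean grammar;
    after an allow-list check the text is evaluated with no builtins and only the
    selection results in scope."""
    if not re.fullmatch(r"[\w\s()]+", cond):
        raise ValueError("unsupported characters in condition")
    for tok in re.findall(r"\w+", cond):
        if tok not in ("and", "or", "not") and tok not in results:
            raise ValueError(f"condition references unknown selection {tok!r}")
    try:
        return bool(eval(cond, {"__builtins__": {}}, dict(results)))
    except (SyntaxError, TypeError) as exc:
        raise ValueError(f"malformed condition: {cond!r}") from exc

def normalize_cves(text: str) -> List[str]:
    """Rewrite 'cve-2099-00001', 'CVE_2099_00001' or 'cve 2099 00001' as CVE-2099-00001."""
    return [f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)]

def compile_rule(rule: Dict[str, Any]) -> Dict[str, Any]:
    """In-memory form: one predicate per named selection plus the extracted intel."""
    det = rule["detection"]
    techniques = []
    for tag in rule.get("tags", []):
        m = TECHNIQUE_RE.match(tag)
        if m:
            techniques.append(m.group(1).upper())  # attack.t1003.001 -> T1003.001
    return {
        "title": rule["title"],
        "selections": {k: _selection_matcher(v) for k, v in det.items() if k != "condition"},
        "condition": det["condition"],
        "techniques": techniques,
        "cves": sorted({c for ref in rule.get("references", []) for c in normalize_cves(ref)}),
    }

def match_rule(compiled: Dict[str, Any], event: Event) -> bool:
    results = {name: fn(event) for name, fn in compiled["selections"].items()}
    return eval_condition(compiled["condition"], results)

# Constructed Sysmon-style process-access events: one true positive, one
# filtered system process, one unrelated target.
EVENTS: List[Event] = [
    {"SourceImage": "C:\\Users\\bob\\Downloads\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": "C:\\Users\\bob\\Downloads\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"},
]
```

`compile_rule(RULE)` is done once per rule at startup and yields closures, so a catalog of thousands of rules costs one regex compilation per value and the per-event work is only predicate calls; `match_rule` over `EVENTS` fires for the first event only, because the second is excluded by the `filter` selection and the third never reaches `lsass.exe`. The condition evaluator refuses any token that is not a selection name or a boolean keyword before handing the string to `eval`, which keeps a hostile rule file from turning into code execution in the compiler.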
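The SOAR decision engine turns a signature match into a copy-and-paste terminal mitigation script, and the part of such a generator that deserves the most care is the field copied out of the log: an unvalidated log string written into a shell line is an injection path into the responder's own terminal. The Python below is an added example, not the project's `core/soar.py`; the incident fields, the commands chosen and the validation policy are assumptions made for this page.

```python
import ipaddress
import re
from typing import Dict, List

def _comment(text: str) -> str:
    # A newline inside a log-derived string would end the comment and start a
    # fresh shell line, so line breaks are collapsed before the text is emitted.
    return "# " + re.sub(r"[\r\n]+", " ", text)

def render_playbook(incident: Dict[str, str], require_global: bool = True) -> str:
    """Return a POSIX sh script that blocks the actor IP and freezes the flagged process.

    Raises ValueError instead of emitting a script when a field copied from the
    log is not what it claims to be: non-address text, a non-routable address
    (loopback, private, link-local, multicast, or the RFC 5737 documentation
    ranges, which `ipaddress` does not count as global), or a non-numeric pid.
    """
    ip = ipaddress.ip_address(incident["actor_ip"].strip())  # anything else raises here
    if require_global and not ip.is_global:
        raise ValueError(f"refusing to block non-global address {ip}")
    v6 = ip.version == 6
    lines: List[str] = [
        "#!/bin/sh",
        "set -eu",
        _comment(f"Remediation for rule: {incident['rule_title']}"),
        _comment(f"MITRE ATT&CK: {incident.get('technique', 'n/a')}"),
        # 1. Firewall block on the input chain.
        f"{'ip6tables' if v6 else 'iptables'} -I INPUT -s {ip} -j DROP",
        # 2. Blackhole route so traffic towards the actor is dropped as well.
        f"ip {'-6 ' if v6 else ''}route add blackhole {ip}/{128 if v6 else 32}",
    ]
    pid = incident.get("pid")
    if pid is not None:
        if not re.fullmatch(r"[1-9]\d{0,9}", pid):
            raise ValueError(f"invalid pid {pid!r}")
        # 3. Freeze rather than kill so process memory stays available for forensics.
        lines.append(f"kill -STOP {pid}")
    return "\n".join(lines) + "\n"

# Constructed incident as the triage stage might hand it over (documentation
# range address, so require_global=False is needed to render it).
INCIDENT = {
    "actor_ip": "198.51.100.5",
    "rule_title": "Failed SSH password spray (constructed)",
    "technique": "T1110.003",
    "pid": "4242",
}
```

Everything that reaches a command line passes through a typed parser (`ipaddress.ip_address`, a digits-only pid pattern) rather than through quoting; a value such as `198.51.100.5; touch /tmp/x` is rejected outright, and a rule title containing a newline is flattened into the comment it belongs to. Rendering the sample with `render_playbook(INCIDENT, require_global=False)` gives a three-command script for the IPv4 address; an IPv6 actor gets `ip6tables` and a `/128` blackhole instead.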
Tags: AI risk mitigation, petabyte-scale data processing, Python/Flask, Sigma rules, SOAR, security operations, target import, reverse-engineering tools