Faried-8/sentinel-dfir

GitHub: Faried-8/sentinel-dfir


# 🛡️ Sentinel DFIR Platform

**Enterprise Digital Forensics & Incident Response Workspace**

A professional, portfolio-grade DFIR investigation platform built for blue team analysts, incident responders, and cybersecurity engineers. Designed to feel like a real enterprise DFIR tool — inspired by CrowdStrike Falcon, Microsoft Defender XDR, and Velociraptor.

## 🎯 What This Is

Sentinel DFIR Platform is an investigation-focused workspace — **not** a SOC monitoring dashboard. It is designed around the analyst's workflow during active incident response operations:

- Reconstruct attack timelines chronologically
- Manage investigation cases with evidence and notes
- Extract and triage Indicators of Compromise
- Map detections to MITRE ATT&CK tactics and techniques
- Analyze Windows Event Logs for malicious patterns
- Generate professional IR reports for stakeholders

## ✨ Features

### 🔍 Incident Response Dashboard

- Active investigation overview with severity classification
- Animated stat counters (IOCs, hosts, alerts, events)
- Threat activity trend charts (7-day view)
- Compromised host tracker with containment status
- Live analyst activity feed

### 📁 Case Management (Investigations)

- Create, view, update, and close investigation cases
- Evidence collection and notes system
- Analyst assignment and severity tracking
- Per-case IOC and MITRE technique inventory
- Expandable investigation detail drawer

### ⏱️ Forensic Timeline Analysis

- Chronological attack event reconstruction
- Expandable event entries with raw detail
- Process execution, registry, file, network, and auth events
- Analyst annotations per event
- IOC tagging directly from timeline
- Attack phase markers (Initial Access → Impact)

### 🎯 IOC Center

- Multi-type IOC tracking: IPs, domains, hashes, URLs, registry paths, file paths
- Bulk text IOC extraction engine (paste logs → auto-extract)
- Confidence scoring and threat classification
- One-click copy and block actions
- Per-IOC MITRE technique mapping

### 📋 Windows Event Log Analyzer

- Drag-and-drop EVTX file upload
- Automated detection of:
  - Brute-force login patterns (Event 4625)
  - Encoded PowerShell execution (Event 4104/4688)
  - Registry persistence (Event 13)
  - New user account creation (Event 4720)
  - Privilege escalation (Event 4672)
  - Lateral movement via RDP (Event 4648)
  - Service installation (Event 7045)
- Interactive event log table with expand/collapse detail
- Add-to-IOC and Add-to-Timeline actions per event

### 🧩 MITRE ATT&CK Mapping

- Full ATT&CK enterprise matrix heatmap (12 tactics)
- Detected technique highlighting (red = observed)
- Cards view with technique details and event counts
- Click-through to ATT&CK knowledge base
- One-click add to investigation report

### 📊 Reports

- Pre-built report templates:
  - Incident Response Report
  - IOC Intelligence Report
  - Executive Briefing
  - MITRE ATT&CK Report
  - Forensic Chain of Custody
- Existing report library with PDF export
- Draft / Final status tracking

### ⚙️ Settings

- Dark/light mode toggle
- Per-severity notification preferences
- Slack and email integration config
- API key management (VirusTotal, MISP)
- Analyst team management

## 🛠️ Tech Stack

| Layer | Technology |
|-------|-----------|
| Frontend | React 18 + Vite |
| Styling | Tailwind CSS v3 |
| Animations | Framer Motion |
| Charts | Recharts |
| Icons | Lucide React |
| Backend | Python FastAPI |
| Database | SQLite (via sqlite3) |
| Fonts | Inter + JetBrains Mono |

## 📁 Project Structure

```
sentinel-dfir/
├── frontend/
│   ├── src/
│   │   ├── components/
│   │   │   ├── TopNav.jsx            # Top navigation with search & alerts
│   │   │   ├── UI.jsx                # Shared Glass cards, badges, stat cards
│   │   │   └── ToastContainer.jsx    # Animated toast notifications
│   │   ├── pages/
│   │   │   ├── Dashboard.jsx         # IR overview with charts & stats
│   │   │   ├── Investigations.jsx    # Case management + detail drawer
│   │   │   ├── Timeline.jsx          # Forensic timeline analysis
│   │   │   ├── IOCCenter.jsx         # IOC tracking + bulk extraction
│   │   │   ├── EventLogAnalyzer.jsx  # EVTX upload + parsing
│   │   │   ├── MitreMapping.jsx      # ATT&CK matrix + technique cards
│   │   │   ├── Reports.jsx           # Report library + templates
│   │   │   └── Settings.jsx          # Platform configuration
│   │   ├── data/
│   │   │   └── mockData.js           # Realistic DFIR mock dataset
│   │   ├── App.jsx                   # Root component + routing
│   │   ├── main.jsx                  # React entry point
│   │   └── index.css                 # Global styles + Tailwind
│   ├── index.html
│   ├── package.json
│   ├── vite.config.js
│   ├── tailwind.config.js
│   └── postcss.config.js
│
├── backend/
│   ├── main.py                       # FastAPI app + all routes
│   ├── requirements.txt
│   └── sentinel.db                   # Auto-created SQLite database
│
└── README.md
```

## 🚀 Quick Start

### Prerequisites

- Node.js 18+
- Python 3.10+
- pip

### 1. Clone / Extract

```bash
# If cloning from git
git clone https://github.com/yourname/sentinel-dfir.git
cd sentinel-dfir

# Or extract the ZIP
unzip sentinel-dfir.zip
cd sentinel-dfir
```

### 2. Start the Backend

```bash
cd backend

# Create virtual environment (recommended)
python -m venv venv
source venv/bin/activate    # Linux/macOS
# venv\Scripts\activate     # Windows

# Install dependencies
pip install -r requirements.txt

# Start the API server
uvicorn main:app --reload
```

The API will be available at: **http://localhost:8000**
Interactive API docs: **http://localhost:8000/docs**

### 3. Start the Frontend

Open a new terminal tab:

```bash
cd frontend

# Install dependencies
npm install

# Start development server
npm run dev
```

The app will be available at: **http://localhost:5173**

## 🔌 API Endpoints

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/stats` | Dashboard statistics |
| GET | `/api/investigations` | List all investigations |
| GET | `/api/investigations/{id}` | Get single investigation |
| POST | `/api/investigations` | Create new investigation |
| PATCH | `/api/investigations/{id}` | Update investigation |
| GET | `/api/iocs` | List all IOCs |
| POST | `/api/iocs` | Add new IOC |
| POST | `/api/iocs/extract` | Extract IOCs from raw text |
| GET | `/api/mitre` | List detected MITRE techniques |
| POST | `/api/mitre/correlate` | Correlate text to ATT&CK |
| POST | `/api/analyze/powershell` | Analyze PowerShell command |
| POST | `/api/eventlogs/upload` | Upload EVTX for analysis |
| GET | `/api/timeline/{inv_id}` | Get investigation timeline |
| GET | `/api/notes/{inv_id}` | Get investigation notes |
| POST | `/api/notes` | Add investigation note |

## 🧠 Backend Logic Highlights

### IOC Extraction (`extract_iocs_from_text`)

Regex-based extraction supporting: IPv4 addresses (public only), domains, HTTP/HTTPS URLs, SHA-256 hashes, MD5 hashes, Windows registry paths, Windows file paths.

### MITRE ATT&CK Correlation (`correlate_mitre`)

Pattern dictionary maps free-text keywords from logs/commands to relevant MITRE technique IDs. Returns matched techniques sorted by confidence.

### PowerShell Analysis (`analyze_powershell`)

Scores PowerShell commands across 13 risk indicators: encoding, download cradles, credential tools, UAC bypass, token manipulation, AV exclusions, shadow copy deletion, etc.

### Brute-Force Detection (`detect_brute_force`)

Groups Event 4625 failures by source IP + username and flags clusters exceeding the threshold (default: 5 failures within 30 s).
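One way to implement the `extract_iocs_from_text` behaviour described under IOC Extraction, as an added example rather than the project's own backend code. The internal-range list, the short TLD list and the sample text are assumptions made for this example; a real deployment would use the public suffix list for domains.

```python
import ipaddress
import re

# Added example (not the project's own extract_iocs_from_text): regex-based
# extraction for the IOC types the README lists, keeping only public IPv4s.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]        # unspecified, multicast, reserved
PATTERNS = {
    "sha256": re.compile(r"\b[A-Fa-f0-9]{64}\b"),
    "md5": re.compile(r"\b[A-Fa-f0-9]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz|top)\b", re.I),  # assumed TLDs
    "registry": re.compile(r"\bHK(?:LM|CU|CR|U|CC)\\[^\s\"']+", re.I),
    "filepath": re.compile(r"\b[A-Za-z]:\\(?:[^\\\s\"']+\\)*[^\\\s\"']+"),
}

def is_public_ipv4(value):
    """Valid IPv4 outside INTERNAL_NETS. IPv4Address(value).is_global is stricter:
    it also rejects documentation ranges such as the 203.0.113.0/24 used below."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:
        return False  # e.g. 999.1.1.1 matched the regex but is not an address
    return not any(ip in net for net in INTERNAL_NETS)

def extract_iocs_from_text(text):
    """Return {ioc_type: sorted unique values}; URL hosts are not repeated as domains."""
    found, url_hosts = {}, set()
    for url in PATTERNS["url"].findall(text):
        url = url.rstrip(".,;)")
        found.setdefault("url", set()).add(url)
        url_hosts.add(re.split(r"[/:]", url.split("://", 1)[1])[0].lower())
    for ioc_type, pattern in PATTERNS.items():
        if ioc_type == "url":
            continue
        for value in pattern.findall(text):
            if ioc_type == "ipv4" and not is_public_ipv4(value):
                continue  # internal address: not an indicator
            if ioc_type == "domain" and value.lower() in url_hosts:
                continue
            found.setdefault(ioc_type, set()).add(value)
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample: pasted analyst notes mixing internal and external artefacts.
SAMPLE_TEXT = r"""powershell.exe connected to 203.0.113.45 from workstation 10.0.0.5
fetched http://update.example.net/payload.ps1 and dropped C:\Users\Public\svc.exe
run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
beacon to c2.example.org md5 d41d8cd98f00b204e9800998ecf8427e
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"""
```

Note that the MD5 pattern does not fire inside the SHA-256 value because `\b` requires a word boundary on both sides of the 32 hex characters.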
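A sliding-window implementation of the 5-in-30-seconds rule described under Brute-Force Detection, as an added example rather than the project's own `detect_brute_force`. It assumes events have already been flattened into dicts whose `ip` and `user` keys carry the 4625 `IpAddress` and `TargetUserName` fields; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not the project's own detect_brute_force): sliding-window
# clustering of 4625 logon failures per (source IP, target user).
THRESHOLD = 5                   # failures needed to raise a finding
WINDOW = timedelta(seconds=30)  # ...observed within this span

def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """events: dicts with event_id, timestamp (ISO 8601), ip, user
    (the 4625 IpAddress / TargetUserName fields). Returns one finding per
    (ip, user) whose failures reach `threshold` inside a `window`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 4625:
            continue  # successes (4624) and other IDs do not count
        by_key[(ev["ip"], ev["user"])].append(datetime.fromisoformat(ev["timestamp"]))
    findings = []
    for (ip, user), times in by_key.items():
        times.sort()  # EVTX records may be read out of order
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"ip": ip, "user": user,
                                 "failures_in_window": end - start + 1,
                                 "total_failures": len(times),
                                 "first": times[start].isoformat(),
                                 "last": t.isoformat()})
                break  # one finding per (ip, user) is enough for triage
    return findings

# Constructed sample: a 30 s burst from one external IP (out of order on
# purpose), a success in between, and slow one-per-minute failures elsewhere.
SAMPLE_EVENTS = [
    {"event_id": 4625, "timestamp": f"2024-03-12T09:14:{s:02d}",
     "ip": "203.0.113.45", "user": "administrator"} for s in (25, 0, 5, 10, 15, 20)
] + [
    {"event_id": 4624, "timestamp": "2024-03-12T09:14:30",
     "ip": "203.0.113.45", "user": "administrator"},
] + [
    {"event_id": 4625, "timestamp": f"2024-03-12T09:{m:02d}:00",
     "ip": "10.0.0.8", "user": "jdoe"} for m in range(10, 15)
]

if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_EVENTS):
        print(finding)
```

The `jdoe` failures never trigger because the window only ever holds one of them, which is the difference between counting failures per account and counting failures per account per interval.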
## 🎨 Design Philosophy

- **Glassmorphism** — translucent cards with backdrop blur
- **Deep gray background** — `#0d0f14` base with layered surfaces
- **Violet / Indigo / Blue** accent palette — professional, not cyberpunk
- **Top navigation** — workspace-style layout, not a traditional sidebar
- **Expandable panels** — investigation drawers, timeline entries, event rows
- **Animated counters** — subtle micro-interactions for a polished feel
- **JetBrains Mono** — for all IOC values, hashes, log data, process names

## 📸 Pages Overview

| Page | Description |
|------|-------------|
| Dashboard | KPI stats, threat trends chart, active investigation list, compromised host tracker |
| Investigations | Full case list with drawer detail, create new case modal, MITRE + evidence tabs |
| Timeline | Chronological event reconstruction with expandable entries and annotations |
| IOC Center | Full IOC inventory, bulk extractor, confidence bars, block actions |
| Event Log Analyzer | Drag-drop EVTX upload, detection cards, interactive event log table |
| MITRE Mapping | ATT&CK matrix heatmap + technique cards, click-through detail modal |
| Reports | Existing report library + 5 generation templates with export |
| Settings | Theme toggle, notifications, analyst team, API key management |

## 🔮 Production Enhancements (Roadmap)

- [ ] Real EVTX parsing with `python-evtx` or `evtx-rs`
- [ ] VirusTotal / AbuseIPDB IOC enrichment API integration
- [ ] MISP threat sharing integration
- [ ] JWT authentication + analyst role-based access
- [ ] PDF export using `weasyprint` or `reportlab`
- [ ] PostgreSQL migration for production scale
- [ ] Velociraptor / Elastic SIEM connector
- [ ] Email alerting via SMTP

## 👤 Portfolio Context

This project demonstrates:

- **Blue Team / DFIR workflow** understanding
- **Full-stack development** (React + FastAPI + SQLite)
- **Enterprise UI/UX** design principles
- **Windows forensics** knowledge (Event IDs, registry, process analysis)
- **MITRE ATT&CK** framework familiarity
- **Real-world DFIR tooling** awareness (Velociraptor, CrowdStrike, Defender XDR)

*Built for the cybersecurity portfolio — Sentinel DFIR Platform v2.4.1*