jenishs524/SOAR-Incident-Response-Playbook-Automator
GitHub: jenishs524/SOAR-Incident-Response-Playbook-Automator
一个轻量级的 SOAR 引擎,通过 REST API 接收告警并匹配 YAML 剧本自动执行事件响应动作。
Stars: 0 | Forks: 0
📁 SOAR – 事件响应剧本自动化工具
描述
一个轻量级的 SOAR 引擎,通过 REST API 接收告警,将它们与 YAML 剧本进行匹配,并执行操作(shell 命令、Slack 消息、日志记录、电子邮件)。
主要功能
```
REST endpoint /alert to receive JSON alerts.
Playbooks defined in YAML with conditions and actions.
Supports shell, Slack, email, and log actions.
Jinja2 templating for dynamic values.
Live dashboard showing recent activity.
```
技术栈
```
Flask, PyYAML, requests, Jinja2.
```
前置条件
```
Python 3, Flask, etc.
```
安装
bash
pip install flask pyyaml requests jinja2
使用方法
```
Define playbooks.yaml.
Run python soar_engine.py.
Send a test alert:
bash
```
curl -X POST http://127.0.0.1:5000/alert -H "Content-Type: application/json" -d '{"severity":"critical","attack_type":"port_scan","source_ip":"xxx.xxx.x.x"}'
```
Dashboard at http://127.0.0.1:5000/dashboard.
```
示例输出
终端:
text
[*] 匹配到的剧本:Block Malicious IP
已执行的 shell 命令:iptables -A INPUT -s 192.168.1.100 -j DROP
仪表板显示了已执行的剧本。
注意事项
```
Extend with more action types (e.g., VirusTotal lookup).
Replace Slack webhook with your own URL.
```
标签:恶意代码分类, 逆向工具