jenishs524/SOAR-Incident-Response-Playbook-Automator

GitHub: jenishs524/SOAR-Incident-Response-Playbook-Automator

一个轻量级的 SOAR 引擎,通过 REST API 接收告警并匹配 YAML 剧本自动执行事件响应动作。

Stars: 0 | Forks: 0

📁 SOAR – 事件响应剧本自动化工具 描述 一个轻量级的 SOAR 引擎,通过 REST API 接收告警,将它们与 YAML 剧本进行匹配,并执行操作(shell 命令、Slack 消息、日志记录、电子邮件)。 主要功能 ``` REST endpoint /alert to receive JSON alerts. Playbooks defined in YAML with conditions and actions. Supports shell, Slack, email, and log actions. Jinja2 templating for dynamic values. Live dashboard showing recent activity. ``` 技术栈 ``` Flask, PyYAML, requests, Jinja2. ``` 前置条件 ``` Python 3, Flask, etc. ``` 安装 bash pip install flask pyyaml requests jinja2 使用方法 ``` Define playbooks.yaml. Run python soar_engine.py. Send a test alert: bash ``` curl -X POST http://127.0.0.1:5000/alert -H "Content-Type: application/json" -d '{"severity":"critical","attack_type":"port_scan","source_ip":"xxx.xxx.x.x"}' ``` Dashboard at http://127.0.0.1:5000/dashboard. ``` 示例输出 终端: text [*] 匹配到的剧本:Block Malicious IP 已执行的 shell 命令:iptables -A INPUT -s 192.168.1.100 -j DROP 仪表板显示了已执行的剧本。 注意事项 ``` Extend with more action types (e.g., VirusTotal lookup). Replace Slack webhook with your own URL. ```
标签:恶意代码分类, 逆向工具