GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → cookpad → deepalert

cookpad / deepalert

Licence: other
Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert

Programming Languages

go
31211 projects - #10 most used programming language
typescript
32286 projects
Makefile
30231 projects
javascript
184084 projects - #8 most used programming language

Labels

awssecurityserverlesssoar

Projects that are alternatives of or similar to deepalert

seal
django-base-templates 主要为 django 开发DEMO, 支持 非前后端分离 和 前后端分离模式 。
Stars: ✭ 118 (+227.78%)
Mutual labels:  soar
soar-php
SQL optimizer and rewriter. - SQL 优化、重写器(辅助 SQL 调优)。
Stars: ✭ 140 (+288.89%)
Mutual labels:  soar
resilient-python-api
Python Library for the IBM SOAR REST API, a Python SDK for developing Apps for IBM SOAR and more...
Stars: ✭ 29 (-19.44%)
Mutual labels:  soar
postee
Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.
Stars: ✭ 160 (+344.44%)
Mutual labels:  soar
Elkeid-HUB
Elkeid HUB is a rule/event processing engine maintained by the Elkeid Team that supports streaming/offline (not yet supported by the community edition) data processing. The original intention is to solve complex data/event processing and external system linkage requirements through standardized rules.
Stars: ✭ 62 (+72.22%)
Mutual labels:  soar
altprobe
collector for XDR and security posture service
Stars: ✭ 62 (+72.22%)
Mutual labels:  soar
catalyst
Catalyst is an open source SOAR system that helps to automate alert handling and incident response processes
Stars: ✭ 91 (+152.78%)
Mutual labels:  soar
GDPatrol
A Lambda-powered Security Orchestration framework for AWS GuardDuty
Stars: ✭ 50 (+38.89%)
Mutual labels:  soar

DeepAlert

Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert.

Overview

DeepAlert receives a security alert that is event of interest from security view point and responses the alert automatically. DeepAlert has 3 parts of automatic response.

  • Inspector investigates entities that are appeared in the alert including IP address, Domain name and store a result: reputation, history of malicious activities, associated cloud instance and etc. Following components are already provided to integrate with your DeepAlert environment. Also you can create own inspector to check logs that is stored into original log storage or log search system.
  • Reviewer receives the alert with result(s) of Inspector and evaluate severity of the alert. Reviewer should be written by each security operator/administrator of your organization because security policies are differ from organization to organization.
  • Emitter finally receives the alert with result of Reviewer's severity evaluation. After that, Emitter sends external integrated system. E.g. PagerDuty, Slack, Github Enterprise, etc. Also automatic quarantine can be configured by AWS Lambda function.

Overview

Deployment

Prerequisite

  • Tools
    • aws-cdk >= 1.75.0
    • go >= 1.14
    • node >= 14.7.0
    • npm >= 6.14.9
  • Credential
    • AWS CLI credential to deploy CloudFormation. See here for more detail.

Configure your stack

At first, you need to create AWS CDK repository and install deepalert as a npm module.

$ mkdir your-stack
$ cd your-stack
$ cdk init --language typescript
$ npm i @deepalert/deepalert

Then, edit ./bin/your-stack.ts as following.

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from '@aws-cdk/core';
import { DeepAlertStack } from '@deepalert/deepalert';

const app = new cdk.App();
new DeepAlertStack(app, 'YourDeepAlert', {});

Deploy your stack

$ cdk deploy

Alerting

Alert data schema

{
  "detector": "your-anti-virus",
  "rule_name": "detected malware",
  "rule_id": "detect-malware-by-av",
  "alert_key": "xxxxxxxx",
  "timestamp": "2006-01-02T15:03:04Z",
  "attributes": [
    {
      "type": "ipaddr",
      "key": "IP address of detected machine",
      "value": "10.2.3.4",
      "context": [
        "local",
        "client"
      ],
    },
  ]
}
  • detector: Subject name of monitoring system
  • rule_id: Machine readable rule identity
  • timestamp: Detected timestamp
  • rule_name (optional): Human readable rule name
  • alert_key (optional): Alert aggregation key if you need
  • attributes (optional): List of attribute
    • type: Choose from ipaddr, domain, username, filehashvalue, json and url
    • key: Label of the value
    • value: Actual value
    • context: One or multiple tags describe context of the attribute. See AttrContext in alert.go

Emit alert via API

apikey.json is created in CWD when running cdk deploy and it has X-API-KEY to access deepalert API.

$ export AWS_REGION=ap-northeast-1 # set your region
$ export API_KEY=`cat apikey.json  | jq '.["X-API-KEY"]' -r`
$ export API_ID=`aws cloudformation describe-stack-resources --stack-name YourDeepAlert | jq -r '.StackResources[] | select(.ResourceType == "AWS::ApiGateway::RestApi") | .PhysicalResourceId'`
$ curl -X POST \
  -H "X-API-KEY: $API_KEY" \
  https://$API_ID.execute-api.$AWS_REGION.amazonaws.com/prod/api/v1/alert \
  -d '{
  "detector": "your-anti-virus",
  "rule_name": "detected malware",
  "rule_id": "detect-malware-by-av",
  "alert_key": "xxxxxxxx"
}'

Emit alert via SQS

$ export QUEUE_URL=`aws cloudformation describe-stack-resources --stack-name YourDeepAlert | jq -r '.StackResources[] | select(.LogicalResourceId | startswith("alertQueue")) | .PhysicalResourceId'`
$ aws sqs send-message --queue-url $QUEUE_URL --message-body '{
  "detector": "your-anti-virus",
  "rule_name": "detected malware",
  "rule_id": "detect-malware-by-av",
  "alert_key": "xxxxxxxx"
}'

Build and deploy Reviewer

See examples and deploy it as Lambda Function.

Development

Architecture

architecture overview

Unit Test

$ go test ./...

Integration Test

Move to ./test/workflow/ and run below. Then deploy test stack and execute integration test.

$ npm i
$ make deploy
$ make test

License

MIT License

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].