Key Features • How To Use • Configuration file • Credits • Support • License
## Key Features

SOCAI is an innovative project designed to automate and streamline the incident response process for SOC teams. By integrating multiple tools and leveraging AI, SOCAI enables security teams to manage incidents efficiently and effectively. Here's how it works:
- Data Gathering from a Platform (Rapid7 IDR, Splunk, etc.):
  - SOCAI collects data from various sources, including Rapid7 IDR, Splunk, and other platforms.
  - The data is then analyzed to identify potential security incidents.
- Detailed Incident Description:
  - SOCAI provides a detailed description of each incident, including the type of incident, the affected systems, and the potential impact.
  - This information helps security teams prioritize incidents based on their severity.
- Task Suggestions for SOC Analysts:
  - SOCAI suggests tasks for SOC analysts to perform based on the type of incident.
  - These tasks help analysts investigate the incident further and take appropriate action to mitigate the threat.
- Centralized Case Management in The Hive:
  - SOCAI integrates with The Hive, a popular case management platform used by SOC teams.
  - Incidents identified by SOCAI are automatically created as cases in The Hive, streamlining the incident response process.
- Observable Extraction and Analysis:
  - SOCAI extracts observables from the incident data and analyzes them to identify potential indicators of compromise (IOCs).
  - This information helps security teams identify other systems that may be affected by the same threat.
- Service Integration (Jira, Slack, etc.):
  - SOCAI automatically posts a comment in Jira, detailing the security incident and providing a direct link to the case in The Hive for further investigation.
  - This ensures seamless communication and collaboration between security and development teams.
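As an added illustration of the observable-extraction step above (example code written for this page, not SOCAI's own implementation), the following Python pulls URLs, IP addresses, hashes, e-mail addresses and domains out of free-text incident data. It refangs defanged indicators first (`hxxp://`, `[.]`), drops RFC 1918 and loopback addresses unless asked for them, and emits records shaped like TheHive observables (`dataType` / `data`) without calling thehive4py itself. The incident text is constructed for the example.

```python
"""Observable (IOC) extraction from free-text incident data.

Added example for this page, not SOCAI's own code. Produces records shaped like
TheHive observables ({"dataType": ..., "data": ...}) so they could be handed to
the case-creation step; it does not call thehive4py itself. The incident text
below is constructed for the example.
"""
import ipaddress
import re

SAMPLE_INCIDENT = """\
Alert: suspicious PowerShell on WS-042 (10.10.4.22).
Process contacted hxxp://update-cdn[.]example[.]net/payload.ps1 and 185.220.101.7:443,
then beaconed to c2.evil-example[.]com every 60s.
Dropped file sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
and md5 d41d8cd98f00b204e9800998ecf8427e. Ticket raised by analyst@corp.example.
"""

# Defanging conventions commonly seen in SIEM alerts and analyst notes.
_DEFANG = [
    (re.compile(r"hxxps?://", re.I), lambda m: m.group(0).lower().replace("hxxp", "http")),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), lambda m: "."),
    (re.compile(r"\[:\]"), lambda m: ":"),
]

# Most specific first: a URL's host must not be reported again as a domain,
# and an e-mail address's domain part must not be reported as a domain.
_PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("hash", re.compile(r"\b[a-fA-F0-9]{32}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{64}\b")),
    ("mail", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def refang(text):
    """Undo common defanging so the patterns match real indicators."""
    for pattern, repl in _DEFANG:
        text = pattern.sub(repl, text)
    return text


def extract_observables(text, include_private_ips=False):
    """Return de-duplicated observables, skipping RFC 1918/loopback IPs unless asked."""
    text = refang(text)
    claimed = []  # spans already consumed by a more specific observable type
    seen, observables = set(), []

    def overlaps(span):
        start, end = span
        return any(start < e and s < end for s, e in claimed)

    for data_type, pattern in _PATTERNS:
        for match in pattern.finditer(text):
            if overlaps(match.span()):
                continue
            value = match.group(0).rstrip(".,;:)")
            if data_type == "ip":
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue  # e.g. 999.1.1.1 or a version string, not an address
                if (addr.is_private or addr.is_loopback) and not include_private_ips:
                    claimed.append(match.span())  # internal host, not an IOC to share
                    continue
            if data_type == "hash":
                value = value.lower()
            claimed.append(match.span())
            if (data_type, value) not in seen:
                seen.add((data_type, value))
                observables.append({"dataType": data_type, "data": value})
    return observables


if __name__ == "__main__":
    for obs in extract_observables(SAMPLE_INCIDENT):
        print(f'{obs["dataType"]:7} {obs["data"]}')
```

The span bookkeeping is what keeps the list clean: without it the host inside the URL and the domain part of the analyst's e-mail address would be reported a second time as `domain` observables, and the private workstation address would be pushed to the case as if it were an external indicator.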
## How To Use

To clone and run this application, you'll need Git and Docker installed on your computer. From your command line:
```bash
# Clone this repository
$ git clone https://github.com/licitrasimone/SOCAI.git

# Go into the repository
$ cd SOCAI

# Create a config folder ('&&' so 'cd' only runs once mkdir has succeeded)
$ mkdir config && cd config

# Create a config.ini file
# (see the Configuration file section for the parameters it must contain)
$ vim config.ini

# Go back to the repository root, where the Dockerfile is, and build the image
$ cd ..
$ docker build -t socai .

# Run the app
$ docker-compose up
```

> **Note**
> Remember to change the Dockerfile, configuration file and Docker Compose as you need. Because the Dockerfile copies the whole repository into the image, `config/config.ini` and the API keys it contains end up in the image layers: keep the image private, or mount the config directory into the container from Docker Compose instead of building it in.
SOCAI is driven by command line arguments: the Dockerfile below starts it with `-p r7` and `-s jira`, selecting Rapid7 IDR as the platform to gather incidents from and Jira as the service to notify. So, change the CMD in the Dockerfile as you need.
```dockerfile
FROM python:3.9

# Work out of /app rather than the image root
WORKDIR /app

# Copy the repository (including config/config.ini) into the image
COPY . .

RUN pip install requests thehive4py openai

# Change configuration as you need
CMD [ "python", "-u", "./main.py", "-p", "r7", "-s", "jira" ]
```

## Configuration file

The configuration file is a simple `config.ini` file, placed in the `config` folder created above, that contains the following parameters:
```ini
[auth]
the_hive_api_key = your_api_key
r7_api_key = your_api_key
jira_email_address = your_email_address
jira_api_key = your_api_key
openai_api_key = your_api_key

[url]
the_hive_url = http://thehive:9000
jira_url = jira_url
r7_url = r7_url
r7_logs_url = r7_logs_url
```

## Credits

This software uses the following open source packages:
- The Hive - Security Incident Response Platform
- Cortex - Observable Analysis and Active Response Engine
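Returning to the configuration file: every value under `[auth]` is a credential, and the template ships with placeholders, so in practice you want the entry point to refuse to start on an unfilled key and never echo keys to logs. The following is an added example (not SOCAI's own code) that reads a `config.ini` in the layout shown in the Configuration file section with the standard library `configparser`, rejects placeholder values and malformed URLs, and lets an environment variable such as `SOCAI_AUTH_R7_API_KEY` override a file value so real keys need not be copied into the image. That variable-naming convention is an assumption of this example, and the sample config is constructed.

```python
"""Read and validate a SOCAI-style config.ini.

Added example for this page, not SOCAI's own code. Assumptions: the section and
key names are the ones listed in the Configuration file section; an environment
variable named SOCAI_<SECTION>_<KEY> (e.g. SOCAI_AUTH_R7_API_KEY) may override
a value from the file, which keeps real keys out of files copied into the image.
"""
import configparser
import os
from urllib.parse import urlparse

# Sections and keys the config.ini template contains.
REQUIRED = {
    "auth": ["the_hive_api_key", "r7_api_key", "jira_email_address",
             "jira_api_key", "openai_api_key"],
    "url": ["the_hive_url", "jira_url", "r7_url", "r7_logs_url"],
}

# Values that mean "the template was never filled in".
PLACEHOLDERS = {"", "your_api_key", "your_email_address"}

# Constructed sample config: every key set except r7_api_key, left as the placeholder.
SAMPLE_CONFIG = """\
[auth]
the_hive_api_key = thehive-test-key-0001
r7_api_key = your_api_key
jira_email_address = soc@corp.example
jira_api_key = jira-test-key-0003
openai_api_key = openai-test-key-0004

[url]
the_hive_url = http://thehive:9000
jira_url = https://jira.corp.example
r7_url = https://r7.corp.example
r7_logs_url = https://r7-logs.corp.example
"""


def load_config(text):
    """Parse config.ini content; interpolation=None so a key containing '%' is not mangled."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)  # for a file on disk use parser.read(path) instead
    return parser


def env_name(section, key):
    """Environment variable that overrides section/key (naming convention assumed here)."""
    return f"SOCAI_{section}_{key}".upper()


def validate(parser, env=None):
    """Return (settings, problems). An empty problems list means it is safe to start."""
    env = os.environ if env is None else env
    settings, problems = {}, []
    for section, keys in REQUIRED.items():
        settings[section] = {}
        for key in keys:
            value = (env.get(env_name(section, key))
                     or parser.get(section, key, fallback="")).strip()
            if section == "auth":
                if value.lower() in PLACEHOLDERS:
                    problems.append(f"{section}.{key} is still the placeholder {value!r}")
            else:
                parsed = urlparse(value)
                if parsed.scheme not in ("http", "https") or not parsed.netloc:
                    problems.append(f"{section}.{key} {value!r} is not an http(s) URL")
            settings[section][key] = value
    return settings, problems


def redact(secret, keep=4):
    """Mask a credential for log output, leaving only the last `keep` characters."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    settings, problems = validate(load_config(SAMPLE_CONFIG), env={})
    for problem in problems:
        print("config error:", problem)
    for key, value in settings["auth"].items():
        print(f"{key} = {redact(value)}")
```

Run against the sample, the only complaint is the untouched `r7_api_key` placeholder; setting `SOCAI_AUTH_R7_API_KEY` in the container environment (for example from Docker Compose) clears it without editing the file.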
## License

MIT
simonelicitra.com · GitHub @licitrasimone · LinkedIn Simone Licitra

