Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert
Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert.
DeepAlert receives a security alert that is event of interest from security view point and responses the alert automatically. DeepAlert has 3 parts of automatic response.
aws-cdk
>= 1.75.0go
>= 1.14node
>= 14.7.0npm
>= 6.14.9At first, you need to create AWS CDK repository and install deepalert as a npm module.
$ mkdir your-stack
$ cd your-stack
$ cdk init --language typescript
$ npm i @deepalert/deepalert
Then, edit ./bin/your-stack.ts
as following.
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from '@aws-cdk/core';
import { DeepAlertStack } from '@deepalert/deepalert';
const app = new cdk.App();
new DeepAlertStack(app, 'YourDeepAlert', {});
$ cdk deploy
{
"detector": "your-anti-virus",
"rule_name": "detected malware",
"rule_id": "detect-malware-by-av",
"alert_key": "xxxxxxxx",
"timestamp": "2006-01-02T15:03:04Z",
"attributes": [
{
"type": "ipaddr",
"key": "IP address of detected machine",
"value": "10.2.3.4",
"context": [
"local",
"client"
],
},
]
}
detector
: Subject name of monitoring systemrule_id
: Machine readable rule identitytimestamp
: Detected timestamprule_name
(optional): Human readable rule namealert_key
(optional): Alert aggregation key if you needattributes
(optional): List of attribute
type
: Choose from ipaddr
, domain
, username
, filehashvalue
, json
and url
key
: Label of the valuevalue
: Actual valuecontext
: One or multiple tags describe context of the attribute. See AttrContext
in alert.go
apikey.json
is created in CWD when running cdk deploy
and it has X-API-KEY
to access deepalert API.
$ export AWS_REGION=ap-northeast-1 # set your region
$ export API_KEY=`cat apikey.json | jq '.["X-API-KEY"]' -r`
$ export API_ID=`aws cloudformation describe-stack-resources --stack-name YourDeepAlert | jq -r '.StackResources[] | select(.ResourceType == "AWS::ApiGateway::RestApi") | .PhysicalResourceId'`
$ curl -X POST \
-H "X-API-KEY: $API_KEY" \
https://$API_ID.execute-api.$AWS_REGION.amazonaws.com/prod/api/v1/alert \
-d '{
"detector": "your-anti-virus",
"rule_name": "detected malware",
"rule_id": "detect-malware-by-av",
"alert_key": "xxxxxxxx"
}'
$ export QUEUE_URL=`aws cloudformation describe-stack-resources --stack-name YourDeepAlert | jq -r '.StackResources[] | select(.LogicalResourceId | startswith("alertQueue")) | .PhysicalResourceId'`
$ aws sqs send-message --queue-url $QUEUE_URL --message-body '{
"detector": "your-anti-virus",
"rule_name": "detected malware",
"rule_id": "detect-malware-by-av",
"alert_key": "xxxxxxxx"
}'
See examples and deploy it as Lambda Function.
$ go test ./...
Move to ./test/workflow/
and run below. Then deploy test stack and execute integration test.
$ npm i
$ make deploy
$ make test
MIT License