Security-SOAR is a production-ready automation engine designed to eliminate the time gap between Detection and Response. By integrating Global Threat Intelligence (VirusTotal) with OS-level telemetry, this system executes high-fidelity containment protocols autonomously.
- Heuristic-Based Analysis: Queries multi-engine threat intelligence to validate alerts.
- Process Quarantining: Real-time suspension of malicious PIDs to halt Ransomware execution or data exfiltration.
- Resilient Pipeline: Implements session persistence and robust exception handling.
- Audit Logging: Generates a detailed soar_execution.log for post-mortem forensic analysis.
This engine acts as the central intelligence of a security ecosystem:
- Telemetry Ingestion: Consumes JSON-structured events from detection agents like SentinelSoc.
- Context Enrichment: Performs automated lookups of file reputations using the VirusTotal API.
- Automated Remediation: If threat thresholds are met (>3 malicious engines), the engine isolates the offending process at the OS level.
- Instant Notification: Direct alerts to the SOC team via Telegram Bot API with full incident context.
Ensure you have the required dependencies installed:
pip install requests psutil
For security best practices, this project uses environment variables:
VT_API_KEY: Your VirusTotal API Key.TG_TOKEN: Your Telegram Bot Token.TG_CHAT_ID: Your personal or group Chat ID.
- Reduced MTTR: Decreases the Mean Time to Respond from minutes to milliseconds.
- Improved Accuracy: Filters false positives by cross-referencing global threat databases.
- Operational Efficiency: Automates Tier 1 incident response tasks.
Developed by Jorge Otero - Full Stack & Security Automation Engineer.