-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
95 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # AI-Powered Security Alert Analysis System | ||
|
|
||
| An automated system that leverages AI to analyze security alerts from Elastic Security, providing intelligent triage and analysis through GPT-4. | ||
|
|
||
| ## π Features | ||
|
|
||
| - **Automated Alert Analysis**: Processes security alerts from Elastic Security using GPT-4 | ||
| - **Intelligent Triage**: Provides severity assessments and actionable insights | ||
| - **MITRE ATT&CK Integration**: Analyzes alerts in context of MITRE ATT&CK framework | ||
| - **Detailed Documentation**: AI generates comprehensive analysis notes for each alert | ||
| - **Seamless Integration**: Works with Elasticsearch and Kibana APIs | ||
| - **Debug Logging**: Detailed logging for troubleshooting and audit trails | ||
|
|
||
| ## π Getting Started | ||
|
|
||
| ### Prerequisites | ||
|
|
||
| - Python 3.8+ | ||
| - Access to OpenAI API | ||
| - Elasticsearch/Kibana instance | ||
| - Required Python packages (see Installation) | ||
|
|
||
| ### Installation | ||
|
|
||
| 1. Clone the repository | ||
| 2. Install required packages: | ||
|
|
||
| ``` | ||
| pip install openai elasticsearch python-dotenv pyyaml | ||
| ``` | ||
|
|
||
| 3. Create a `.env` file with your credentials: | ||
| ``` | ||
| ELASTIC_URL=https://your-elasticsearch-instance | ||
| KIBANA_URL=https://your-kibana-instance | ||
| ELASTIC_USERNAME=your-username | ||
| ELASTIC_PASSWORD=your-password | ||
| OPENAI_API_KEY=your-openai-key | ||
| ``` | ||
|
|
||
| ## π§ Configuration | ||
|
|
||
| The system uses three main connector classes: | ||
|
|
||
| 1. **KibanaConnector**: Interfaces with Kibana API for rule management and note addition | ||
| 2. **ElasticsearchConnector**: Retrieves security signals from Elasticsearch | ||
| 3. **AISecurityAnalyst**: Processes alerts using OpenAI's GPT-4 | ||
|
|
||
| ### AI Analysis Configuration | ||
|
|
||
| The AI analyst can be configured with: | ||
| - Custom OpenAI model selection | ||
| - Temperature adjustment for response randomness | ||
| - Customizable prompt templates | ||
|
|
||
| ## πββοΈ Usage | ||
|
|
||
| Run the main script to start processing alerts: | ||
|
|
||
| ```python main.py``` | ||
|
|
||
| The system will: | ||
| 1. Fetch detection rules from Kibana | ||
| 2. Retrieve security signals from Elasticsearch | ||
| 3. Process each signal with AI analysis | ||
| 4. Add detailed notes back to Kibana | ||
|
|
||
| ## π Output Format | ||
|
|
||
| The AI analysis includes: | ||
| - Severity Assessment | ||
| - Rule Description | ||
| - Host and User Context | ||
| - Detailed Technical Analysis | ||
| - Recommended Actions | ||
|
|
||
| ## π Security Considerations | ||
|
|
||
| - SSL verification can be configured for both Elasticsearch and Kibana connections | ||
| - Credentials are stored securely in environment variables | ||
| - Debug logs are saved in NDJSON format for audit trails | ||
|
|
||
| ## π€ Contributing | ||
|
|
||
| Contributions are welcome! Please feel free to submit a Pull Request. | ||
|
|
||
| ## π License | ||
|
|
||
| This project is licensed under the MIT License - see the LICENSE file for details. | ||
|
|
||
| ## π Acknowledgments | ||
|
|
||
| - OpenAI for GPT-4 API | ||
| - Elastic for Elasticsearch and Kibana | ||
| - MITRE for the ATT&CK framework |