Your Open Source SOC Assistant!
Welcome to ASK SOCFortress, your open source SOC assistant.
Get started by visiting the SOCFortress Knowledge Base Integration repo.
INTRO
In the world of cybersecurity, one common thread ties together the concerns of clients and end users alike — the looming question, “How should we respond to an alert?” At SOCFortress, this question echoes in our ears countless times, a refrain in the endless symphony of cybersecurity management. SOC (Security Operations Center) operations are no cookie-cutter tasks — each one is as unique as a snowflake in its complexity and individuality. This constant stream of queries, born of the complexities of each unique alert, highlights a significant gap in the current cybersecurity landscape. Here at SOCFortress, we hope we can help bridge this gap. Our goal is to bring forth recommended actions, tailored to each specific alert, enabling our users to not just react but respond strategically, thereby creating a robust, resilient, and proactive cybersecurity ecosystem.
Integrated into our Favorite Tools
SOCFortress is all about automation, which is why we have developed an ASK SOCFortress API that can be invoked in real time via either a 💪Wazuh Integration or 🚀Graylog (we prefer Graylog).
How Does it Work?
❗ Currently the ASK SOCFortress API only accepts requests for SIGMA detection alerts invoked via the Wazuh / Chainsaw integration ❗ We hope to bring more capabilities in the future, but hey, you've got to start somewhere 😉
✅ Wazuh and Chainsaw integration for near real-time SIGMA detection ✅
1. Wazuh detects a high / critical SIGMA rule detection via the Chainsaw integration.
2. The SIGMA rule name is URL encoded and sent to the ASK SOCFortress API, e.g.:
Suspicious%20Program%20Location%20with%20Network%20Connections
3. The ASK SOCFortress API generates a response with some suggested actions and additional questions to help get your SOC analysts thinking in the right direction.
4. If using Graylog, the original alert is populated with the response in the ask_socfortress_message field. If using Wazuh, rule id 200986 is triggered (WAZUH-RULES).
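The four steps above, walked through end to end as an added example. This is not SOCFortress's own integration code: the API base URL, the query parameter name, the alert field layout and the response schema (actions / questions) are all assumptions or constructed placeholders; take the real values from the SOCFortress Knowledge Base Integration repo. The HTTP fetcher is injectable so the flow can be exercised offline against a constructed response.

```python
"""Added example (not SOCFortress's own code): gate a Chainsaw/Wazuh SIGMA
alert on severity, URL-encode the rule name, call the ASK SOCFortress API,
and write the reply into the ask_socfortress_message field for Graylog."""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional

# Assumption: placeholder base URL and a 'rule' query parameter. Replace both
# with the values documented in the Knowledge Base Integration repo.
ASK_SOCFORTRESS_URL = "https://ASK-SOCFORTRESS-API-PLACEHOLDER/"  # hypothetical

# Constructed sample alert; the field layout is assumed, modelled loosely on a
# Chainsaw detection forwarded by Wazuh, and is not a real capture.
SAMPLE_ALERT: Dict[str, Any] = {
    "rule": {"description": "Chainsaw SIGMA detection"},
    "data": {
        "name": "Suspicious Program Location with Network Connections",
        "level": "high",
    },
}

# Constructed stand-in for what the API might answer; the schema is assumed.
FAKE_RESPONSE: Dict[str, Any] = {
    "actions": ["Verify the binary's path and signer",
                "Check the destination IP against threat intel"],
    "questions": ["Is this program expected to run from a user-writable folder?"],
}

ACTIONABLE_LEVELS = {"high", "critical"}


def is_actionable_sigma_alert(alert: Dict[str, Any]) -> bool:
    """Step 1: only high / critical Chainsaw SIGMA hits are sent to the API."""
    level = str(alert.get("data", {}).get("level", "")).lower()
    return level in ACTIONABLE_LEVELS


def encode_rule_name(rule_name: str) -> str:
    """Step 2: URL-encode the rule name (spaces become %20). safe="" also encodes
    '/', so a rule name can never add path segments to the request URL."""
    return urllib.parse.quote(rule_name, safe="")


def build_request_url(rule_name: str, base_url: str = ASK_SOCFORTRESS_URL) -> str:
    """Assumed request shape: encoded rule name in a 'rule' query parameter."""
    return f"{base_url}?rule={encode_rule_name(rule_name)}"


def http_fetch_json(url: str, timeout: float = 10.0) -> Dict[str, Any]:
    """Default fetcher: GET the URL and decode a JSON body (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fake_fetch(url: str) -> Dict[str, Any]:
    """Offline fetcher used for the demo: checks the request was built from the
    encoded rule name, then returns the constructed response."""
    if "rule=" not in url:
        raise ValueError("request URL is missing the rule parameter")
    return FAKE_RESPONSE


def ask_socfortress(alert: Dict[str, Any],
                    fetch: Callable[[str], Dict[str, Any]] = http_fetch_json
                    ) -> Optional[Dict[str, Any]]:
    """Steps 1-3: gate on severity, send the encoded rule name, return the
    suggested actions / questions, or None when the alert is not sent at all."""
    if not is_actionable_sigma_alert(alert):
        return None
    return fetch(build_request_url(alert["data"]["name"]))


def enrich_for_graylog(alert: Dict[str, Any], response: Dict[str, Any]) -> Dict[str, Any]:
    """Step 4 (Graylog path): copy the alert and add ask_socfortress_message,
    rendered as a short analyst-readable block. Response keys are assumed."""
    enriched = dict(alert)
    lines = ["Suggested actions:"]
    lines += [f"- {a}" for a in response.get("actions", [])]
    lines.append("Questions for the analyst:")
    lines += [f"- {q}" for q in response.get("questions", [])]
    enriched["ask_socfortress_message"] = "\n".join(lines)
    return enriched


if __name__ == "__main__":
    reply = ask_socfortress(SAMPLE_ALERT, fetch=fake_fetch)
    print(json.dumps(enrich_for_graylog(SAMPLE_ALERT, reply), indent=2))
```

Swap `fake_fetch` for the default `http_fetch_json` (and the placeholder URL for the real one) to call the API; keeping the severity gate in front of the call mirrors step 1, so medium and low Chainsaw hits never generate a request.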