
A LangGraph-Based Multi-Agent Security Operations Center CLI

Category: Good external articles and content | Posted by admin

A complete, clearly structured multi-agent SOC implementation, useful for rapid prototyping and for learning how SOC projects are built 💡.

GitHub link: https://github.com/NathanCavalcanti/Multi-Agent-Automated-SOC-Analyst

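Key features

🔍 IOC extraction – automatically identifies IP addresses, domains, URLs, file hashes, email addresses and file paths
🦠 VirusTotal integration – automated hash analysis enriched with threat intelligence
🎯 MITRE ATT&CK mapping – validates and maps attack techniques against the official Enterprise ATT&CK framework
🔐 Real CVE intelligence – fetches actual vulnerability information from the NVD API
📋 DFIR planning – generates investigation and containment action plans
📊 SOC-grade reporting – produces structured JSON and human-readable text reports
💾 Persistent output – every report is saved with a timestamp under the /output/ directory
🔄 Multi-agent orchestration – a system of 5 specialized agents built on a LangGraph pipeline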

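Key implementation details

1. IOC extraction

IOCs are extracted from the user's input with few-shot prompting. The instructions are fairly simple: they specify the role, the task, and the output format.
💻 System prompt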

<code>    system_prompt = (
        "You are a SOC analyst specializing in IOC extraction. "
        "Your task is to read the incident description and extract indicators of compromise "
        "(IPs, domains, URLs, emails, malware hashes, file paths) "
        "into a valid JSON format.\n\n"
        "IMPORTANT RULES:\n"
        "- Do NOT extract memory addresses (e.g., 0x...) as hashes.\n"
        "- Do NOT extract usernames (e.g., 'john.doe') as emails. Emails MUST contain '@' and a domain.\n"
        "- Only extract valid IPv4 or IPv6 addresses."
    )</code>

👨 User prompt

<code>user_prompt = f"""
Incident text:

{incident_text}

Return ONLY a valid JSON with the following structure:

{{
  "ips": ["1.2.3.4", ...],
  "domains": ["example.com", ...],
  "urls": ["http://example.com/malware.exe", ...],
  "emails": ["user@example.com", ...],
  "hashes": {{
    "md5": ["..."],
    "sha1": ["..."],
    "sha256": ["..."]
  }},
  "file_paths": ["C:\\\\Windows\\\\System32\\\\...", "/tmp/malicious", ...]
}}
"""</code>

Finally, the model's output goes through one pass of content and format validation.
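
One way such a validation pass can look, as an added example (not code from the project): it re-checks the model's reply against the rules stated in the system prompt, dropping memory addresses, usernames posing as emails and invalid IPs, and files each hash by its length. The function names, regular expressions and the sample reply are assumptions constructed for illustration.

```python
import ipaddress
import json
import re

HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
DOMAIN_RE = re.compile(r"^([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
URL_RE = re.compile(r"^(https?|ftp)://[^\s/]+", re.I)
# Constructed model reply: prose around the JSON, plus entries the prompt rules forbid.
SAMPLE_REPLY = """Here is the result:
{"ips": ["203.0.113.7", "999.1.1.1", "2001:db8::1"],
 "domains": ["evil.example", "not a domain"], "emails": ["john.doe", "billing@evil.example"],
 "hashes": {"md5": ["0x7ffe0304", "D41D8CD98F00B204E9800998ECF8427E"], "sha1": "n/a"},
 "file_paths": ["/tmp/malicious"]}"""

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _strings(value):
    # A missing key or non-list value becomes []; duplicates are dropped, order kept.
    items = value if isinstance(value, list) else []
    return list(dict.fromkeys(s.strip() for s in items if isinstance(s, str)))

def validate_iocs(raw):
    # Cut out the outermost {...} so prose or fences around the JSON do not break parsing.
    try:
        data = json.loads(raw[raw.find("{"):raw.rfind("}") + 1])
    except json.JSONDecodeError:
        data = {}
    reported = data.get("hashes")
    hashes = {name: [] for name in HASH_BY_LEN.values()}
    for bucket in (reported.values() if isinstance(reported, dict) else []):
        for value in _strings(bucket):
            # File each hash by its hex length; "0x..." addresses fit no length.
            kind = HASH_BY_LEN.get(len(value))
            if kind and re.fullmatch(r"[0-9a-fA-F]+", value) and value.lower() not in hashes[kind]:
                hashes[kind].append(value.lower())
    return {
        "ips": [v for v in _strings(data.get("ips")) if _is_ip(v)],
        "domains": [v for v in _strings(data.get("domains")) if DOMAIN_RE.match(v)],
        "urls": [v for v in _strings(data.get("urls")) if URL_RE.match(v)],
        "emails": [v for v in _strings(data.get("emails")) if EMAIL_RE.match(v)],
        "hashes": hashes,
        "file_paths": _strings(data.get("file_paths")),
    }
```

An unparseable reply yields the same structure with every list empty, so downstream agents never receive a missing key.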

2. VirusTotal threat-intelligence enrichment

The record for each hash is looked up in VT.
Returned result:

<code>        return {
            "malicious_count": stats.get("malicious", 0),
            "total_engines": sum(stats.values()) if stats else 0,
            "permalink": f"https://www.virustotal.com/gui/file/{file_hash}",
            "scan_date": attributes.get("last_analysis_date", 0),
            "names": attributes.get("names", [])[:5],
            "threat_label": threat_label,
            "sandbox_verdicts": sandbox_verdicts[:5],
            "sigma_rules": sigma_rules[:3],
            "signature_description": signature_info
        }</code>

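3. ATT&CK technique mapping

MITRE technique mapping: LLM + validation against the official database

The LLM proposes a set of technique IDs, each with supporting evidence, based on incident_text and the IOCs. The IDs returned by the LLM are then passed to a local or online database, which is queried by technique ID, and the matching information is returned.
System prompt for the ATT&CK query: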

<code>    system_prompt = (
        "You are a cybersecurity analyst expert in MITRE ATT&CK. "
        "Based on the incident description and IOCs, identify the most probable techniques "
        "and sub-techniques (ID Txxxx / Txxxx.xx). "
        "\n\nCRITICAL RULES:\n"
        "1. Do NOT invent IDs; use only valid MITRE ATT&CK Enterprise IDs.\n"
        "2. ONLY map techniques if there is DIRECT EVIDENCE in the incident text.\n"
        "3. DO NOT map T1027.003 (Steganography) to ZIP files - ZIP is compression, NOT steganography.\n"
        "4. DO NOT map T1071 (C2) or T1071.001 (Web Protocols) unless there is evidence of BEACONING or persistent communication.\n"
        "5. DO NOT map T1190 (Exploit Public-Facing Application) unless there is evidence of exploitation (RCE, injection, etc).\n"
        "6. For file downloads, prefer T1105 (Ingress Tool Transfer).\n"
        "7. For phishing with malicious links, use T1566.002 only if there is evidence.\n"
        "8. If the incident involves ransomware execution, focus on execution techniques (T1204, T1059) and impact (T1486).\n"
        "\nDo not provide names or tactics, only IDs and justification: the system will enrich them later."
    )</code>

User prompt:

<code>    user_prompt = f"""
Incident description:

{incident_text}

Extracted IOCs (JSON):

{ioc_snippet}

IMPORTANT GUIDELINES:
- Only map techniques with DIRECT evidence from the incident
- For downloads: use T1105 (Ingress Tool Transfer)
- For ZIP files: use T1560.001 (Archive via Utility) if relevant, NOT T1027.003
- For C2: ONLY if there's evidence of beaconing/persistent communication
- For exploitation: ONLY if there's evidence of RCE, injection, or vulnerability exploitation
- For ransomware execution: focus on T1204 (User Execution), T1059 (Command/Scripting), T1486 (Data Encrypted for Impact)

Return ONLY a valid JSON with the following structure:

{{
  "techniques": [
    {{
      "id": "T1059.001",
      "justification": "Briefly explain why this technique applies based on EVIDENCE"
    }}
  ],
  "summary": "Summary in 3-5 lines of the observed MITRE pattern."
}}
"""</code>
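
The "LLM proposes, database verifies" step described above, as an added example (not the project's code): every proposed ID is checked for format and existence, and the name and tactic are taken from the lookup table rather than from the model. The table is a constructed subset of Enterprise ATT&CK, the sample reply is constructed, and rejecting an empty justification is an assumption drawn from the prompt's "direct evidence" rule.

```python
import json
import re

# Constructed stand-in for the local ATT&CK Enterprise lookup; a real deployment
# would load the full technique list from MITRE's published data.
ATTACK_DB = {
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1059.001": ("PowerShell", "Execution"),
    "T1105": ("Ingress Tool Transfer", "Command and Control"),
    "T1204": ("User Execution", "Execution"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
    "T1566.002": ("Spearphishing Link", "Initial Access"),
}
ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed model reply containing the failure modes the validation has to catch.
SAMPLE_LLM_REPLY = json.dumps({"techniques": [
    {"id": "t1059.001", "name": "Command Shell", "justification": "Encoded PowerShell in process log"},
    {"id": "T1105", "justification": "Payload fetched over HTTP"},
    {"id": "T9999", "justification": "Invented by the model"},
    {"id": "T1059.1", "justification": "Malformed sub-technique"},
    {"id": "T1105", "justification": "Duplicate entry"},
    {"id": "T1486", "justification": ""},
]})


def validate_mapping(llm_reply, db=ATTACK_DB):
    """Return (accepted, rejected); names and tactics come from db, never from the model."""
    accepted, rejected, seen = [], [], set()
    for item in json.loads(llm_reply).get("techniques", []):
        tid = str(item.get("id", "")).strip().upper()
        why = str(item.get("justification", "")).strip()
        if not ID_RE.match(tid):
            rejected.append((tid, "malformed id"))
        elif tid not in db:
            rejected.append((tid, "not in ATT&CK data"))
        elif not why:
            rejected.append((tid, "no evidence given"))
        elif tid in seen:
            rejected.append((tid, "duplicate"))
        else:
            seen.add(tid)
            name, tactic = db[tid]
            accepted.append({"id": tid, "name": name, "tactic": tactic, "justification": why})
    return accepted, rejected
```

Keeping the rejected list, with a reason per entry, gives the analyst a record of what the model hallucinated instead of silently discarding it.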

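4. CVE retrieval

The LLM extracts 2-3 relevant product or technology keywords and a time range to use as query conditions. The NVD API is then called to fetch a list of CVEs. For each CVE, the LLM is used again to judge whether it is relevant to the current incident. Finally, the results are returned.
Core implementation: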

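<code># The LLM proposes product/technology keywords and a publication date range.
extraction = _build_cve_keywords_with_llm(software_info, mitre_context)
# keywords, pub_start_date and pub_end_date are derived from `extraction`
# (that part is not shown in this excerpt).
all_cves = []
for kw in keywords:
    # Query NVD once per keyword, capped at 3 results.
    cves = search_cves(kw, max_results=3, pub_start_date=pub_start_date, pub_end_date=pub_end_date)
    for c in cves:
        # Second LLM pass: keep the CVE only if it is judged relevant.
        if _validate_cve_relevance(c, software_info):
            c2 = dict(c)  # copy so the NVD record itself is not mutated
            c2["source_keyword"] = kw
            c2["related_techniques"] = []
            c2["confidence"] = "medium"
            all_cves.append(c2)</code>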
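
The NVD side of this loop, as an added example (not the project's `search_cves`): the NVD 2.0 API only accepts publication date ranges of up to 120 consecutive days, so a longer range proposed by the LLM has to be split into windows, and the nested response has to be flattened. The function names, the keyword and the sample response are constructed; the CVE id is a placeholder.

```python
from datetime import datetime, timedelta
from urllib.parse import urlencode

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
MAX_WINDOW = timedelta(days=120)  # longest pubStartDate/pubEndDate range NVD accepts


def build_queries(keyword, start, end, max_results=3):
    """Split [start, end] into windows of at most 120 days; one request URL per window."""
    urls = []
    while start < end:
        stop = min(start + MAX_WINDOW, end)
        urls.append(NVD_URL + "?" + urlencode({
            "keywordSearch": keyword,
            "pubStartDate": start.strftime("%Y-%m-%dT%H:%M:%S.000"),
            "pubEndDate": stop.strftime("%Y-%m-%dT%H:%M:%S.000"),
            "resultsPerPage": max_results,
        }))
        start = stop  # windows share a boundary, so callers should dedupe by CVE id
    return urls


def parse_cves(payload):
    """Flatten an NVD 2.0 response into id / cvss / description records."""
    out = []
    for entry in payload.get("vulnerabilities", []):
        cve = entry.get("cve", {})
        desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        score = None
        # Prefer the newest CVSS version present; older records may only carry v2.
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            metrics = cve.get("metrics", {}).get(key)
            if metrics:
                score = metrics[0]["cvssData"]["baseScore"]
                break
        out.append({"id": cve.get("id"), "cvss": score, "description": desc})
    return out


# Constructed response in the NVD 2.0 shape; the CVE id is a placeholder, not a real record.
SAMPLE_RESPONSE = {"vulnerabilities": [{"cve": {
    "id": "CVE-0000-00001",
    "descriptions": [{"lang": "es", "value": "..."}, {"lang": "en", "value": "Sample RCE in ExampleApp"}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
}}]}
```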

5. DFIR plan generation

After the context has been gathered, the LLM generates structured investigation steps.
System prompt:

<code>    system_prompt = (
        "You are a Senior DFIR Analyst in a SOC. "
        "Based on the incident/event description, IOCs, MITRE mapping, "
        "and vulnerabilities (CVEs), you must propose a structured investigation "
        "and response plan, oriented towards L1/L2 analysts."
    )</code>

User prompt:

<code>    user_prompt = f"""
Incident / Event description:
{text}

Extracted IOCs:
{ioc_snippet}

MITRE Context (TTPs):
{mitre_snippet}

CVE Context:
{cve_snippet}

Return ONLY a valid JSON with the following structure:

{{
  "investigation_steps": [
    {{
      "step": 1,
      "category": "Artifact Collection",
      "description": "Detailed action description.",
      "tools": ["Splunk", "EDR", "Volatility"],
      "expected_outcome": "What is expected to be found."
    }}
  ],
  "containment_actions": [
    {{
      "priority": "high",
      "description": "Containment action.",
      "depends_on": [1]
    }}
  ],
  "eradication_and_recovery": [
    "Eradication action 1",
    "Recovery action 1"
  ],
  "notes": "Additional notes (e.g., communication, reporting, etc.)."
}}
"""</code>

6. Structured report generation

A structured report is generated from the context.
System prompt:

<code>    system_prompt = (
        "You are an L2 SOC Analyst responsible for writing incident reports. "
        "You must generate a clear, structured, and actionable report for a SOC environment, "
        "separating an executive section (for managers) and a technical section (for analysts). "
        "Use a professional and concise tone."
    )</code>

User prompt:

<code>user_prompt = f"""
Original incident description:
{incident_text}

IOCs (JSON):
{ioc_snippet}

MITRE Context (JSON):
{mitre_snippet}

CVE Context (JSON):
{cve_snippet}

Investigation / Response Plan (JSON):
{investigation_snippet}

Generate ONLY a valid JSON with the following structure:

{{
  "metadata": {{
    "title": "Incident Title",
    "severity": "high",
    "status": "under_investigation",
    "tlp": "TLP:AMBER",
    "detected_by": "SOC L1 - SIEM alert",
    "environment": "production"
  }},
  "executive_summary": "Summary in 5-8 lines, oriented to non-technical managers.",
  "technical_summary": "Technical summary of the attack, vectors, IOCs, MITRE, and CVEs.",
  "timeline": [
    {{
      "timestamp": "2025-11-30T08:14:00Z",
      "event": "First SIEM alert for suspicious traffic to malicious IP."
    }}
  ],
  "ioc_section": {{
    "ips": [],
    "domains": [],
    "urls": [],
    "emails": [],
    "hashes": {{
      "md5": [],
      "sha1": [],
      "sha256": []
    }},
    "file_paths": []
  }},
  "mitre_mapping": [
    {{
      "id": "T1059.001",
      "name": "Command Shell",
      "tactic": "Execution",
      "tactic_id": "TA0002",
      "justification": "Brief explanation of why it applies."
    }}
  ],
  "cve_section": [
    {{
      "id": "CVE-XXXX-YYYY",
      "cvss": 9.8,
      "description": "Vulnerability summary.",
      "related_techniques": ["T1059.001"],
      "confidence": "high"
    }}
  ],
  "investigation_summary": [
    "Brief list of investigation actions performed / planned."
  ],
  "containment_and_recovery": {{
    "containment_actions": [
      "Isolate affected host from corporate network."
    ],
    "eradication": [
      "Reimage machine or clean malicious artifacts according to playbook."
    ],
    "recovery": [
      "Return systems to production after validating integrity."
    ]
  }},
  "recommendations": {{
    "short_term": [
      "Immediate improvement actions."
    ],
    "long_term": [
      "Strategic long-term measures."
    ]
  }}
}}
"""</code>

7. Persistent storage

Reports are saved as txt or json files, with a timestamp added.

Reposted from: https://mp.weixin.qq.com/s/pqZdbR6Ym9dZDV-WQtTubA?mpshare=1&scene=1&srcid=1225fsKxMrLR0CLyNqVP4bdr&sharer_shareinfo=75e804430cbfac57ee25ac838e24c46e&sharer_shareinfo_first=75e804430cbfac57ee25ac838e24c46e&color_scheme=light#rd

Please credit when reposting: jinglingshu's blog » A LangGraph-Based Multi-Agent Security Operations Center CLI
