# 11/12 報告 ## 架構圖調整 ![newour](https://hackmd.io/_uploads/SyY2e_nyWe.png) ## 文獻 ### 1. 主流 SOAR 都支援「手動核准」的節點與分支 * Splunk SOAR 可要求「先批准後執行」指定動作,甚至支援多位核准者。 ([help.splunk.com][1]) * Cortex XSOAR 的 Playbook 任務含手動與條件分支,可把「核准」做成決策點。 ([docs-cortex.paloaltonetworks.com][2]) * Chronicle SecOps 直接提供「動作需要核准連結」的設計。 ([Google Cloud Documentation][3]) ### 2. Wazuh 能由 Manager 對指定 Agent 觸發「在端點本機執行」的腳本 * Wazuh 的 Active Response 模組可對「特定 agent_id」下達命令(在 ossec.conf 設定),由 Manager 轉交到該 Agent 執行。 ([documentation.wazuh.com][4]) * 官方 REST API 提供「在一個或多個 Agent 上執行 Active Response 指令」的端點(`/active-response?agents_list=`)。 ([documentation.wazuh.com][5]) * 腳本路徑與預設腳本清單(含 firewall-drop)皆有文件,亦可自訂腳本放在 `active-response/bin`。 ([documentation.wazuh.com][6]) * 官方教學列出如何啟用、配置與觀察 Active Response 執行情況。 ([documentation.wazuh.com][7]) ### 3. Local Action Script 對 MQTT/EdgeX/網路層的「可做之事」 * **MQTT broker 層**:Mosquitto 的 Dynamic Security 外掛支援即時「停用 client/重新啟用/刪除」等操作,管理工具是 `mosquitto_ctrl dynsec disableClient <username>`。 ([Eclipse Mosquitto][8]) * **EdgeX 裝置層**:可透過 Core Metadata/Device Service API 將裝置 `adminState=LOCKED` 或 `operationalState=DISABLED` 以暫停存取。 ([EdgeX Foundry][9]) * **網路與主機層**:Wazuh 內建 `firewall-drop` 用於封鎖惡意 IP;你也能在腳本中改 `nftables/iptables`。 ([documentation.wazuh.com][6]) ### 4. 「Agentic RAG 參與 SOC」的可行性與業界動向 * Microsoft Security Copilot、Chronicle Gemini/Sec-PaLM 都把 LLM 放進 SOC 的偵測、調查、建議與回應(含產生建議步驟)的流程中,對應我們架構的「SOAR Agentic RAG 產生建議+編排」。 ([The Official Microsoft Blog][10]) * 安全廠商與研究也在討論「agentic 工作流在安全工程的實作考量與最佳實務」。 ([Elastic][11]) ### 5. Ticket * **官方部落格**:〈Integrating ServiceNow with Wazuh〉逐步展示從 Wazuh 伺服器將警報透過 ServiceNow REST API 建立 Incident 的流程,包含取得開發者實例、驗證 API、在 ServiceNow 儀表板確認事件已建立。([Wazuh][12]) * **TheHive 整合實例**:Wazuh 官方也發表過〈Using Wazuh and TheHive for threat protection and incident response〉,示範 Wazuh 與 TheHive 的整合做法與前置需求,證明「Wazuh 警報→外部 SIRP/工單系統」是常見且可落地的路徑。([Wazuh][13]) * **產品文件支援**:Wazuh 文件載明可與外部 API 整合、並能在規則被觸發時啟動事件回應(例如封鎖 IP、終止惡意程序等),對應到審批後的「執行」段落。([documentation.wazuh.com][14]) ### 文獻藍本總結(Python 角度) **SOAR 側(呼叫 Wazuh API)** 1. 取 JWT:`POST /security/user/authenticate` 2. 觸發 Active Response:`PUT /active-response?agents_list=001`,body 帶上你的 command 名稱與參數(如 srcip、client_id、device_id)。 ([documentation.wazuh.com][5]) **Agent 側(Local Action Script)** * 檔案放 `/var/ossec/active-response/bin/`,由 Wazuh 透過 STDIN 傳入事件與你附帶的參數;腳本裡呼叫 `mosquitto_ctrl` 來停用可疑 client,或打 EdgeX API 設 `adminState=LOCKED`,或加一條 `nft` 規則。 ([documentation.wazuh.com][6]) --- ## LSTM ### 訓練 * #### 訓練集 ![image](https://hackmd.io/_uploads/ByPws0bxWg.png) ![image](https://hackmd.io/_uploads/ry0OiA-gbg.png) ![predict_attack_confusion_matrix](https://hackmd.io/_uploads/rJDwyAbxWl.png) ### 預測 ![test_attack_confusion_matrix](https://hackmd.io/_uploads/r1KqyC-lZl.png) ![test_attack_P1_confusion_matrix](https://hackmd.io/_uploads/rJcnJ0WxZg.png) ![test_attack_P2_confusion_matrix](https://hackmd.io/_uploads/H1ej1AbeWg.png) ![test_attack_P3_confusion_matrix](https://hackmd.io/_uploads/S1KCeRbgWl.png) ![image](https://hackmd.io/_uploads/H1qhnR-eWg.png) ![image](https://hackmd.io/_uploads/SksBFAbgbx.png) ### 未來整合 ![AgenticRagFramework](https://hackmd.io/_uploads/r1MQO0WxZg.png) --- [1]: https://help.splunk.com/en/splunk-soar/soar-on-premises/use-splunk-soar-on-premises/6.4.1/get-started-using-splunk-soar-on-premises/approve-actions-before-they-run-in-splunk-soar-on-premises "Approve actions before they run in Splunk SOAR (On- ..." [2]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Playbook-Tasks "Cortex XSOAR playbook tasks, including conditional tasks ..." [3]: https://docs.cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/assign-approval-links-in-actions "Assign approval links in actions | Google Security Operations" [4]: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/active-response.html "active-response - Local configuration (ossec.conf)" [5]: https://documentation.wazuh.com/current/user-manual/api/reference.html "API reference · Wazuh documentation" [6]: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html "Blocking SSH brute-force attack with Active Response" [7]: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-to-configure.html "How to configure Active Response" [8]: https://mosquitto.org/documentation/dynamic-security/ "Dynamic Security Plugin" [9]: https://edgexfoundry.github.io/edgex-docs/1.2/design/adr/device-service/0011-DeviceService-Rest-API/ "Device Service REST API" [10]: https://blogs.microsoft.com/blog/2023/03/28/introducing-microsoft-security-copilot-empowering-defenders-at-the-speed-of-ai/ "Introducing Microsoft Security Copilot" [11]: https://www.elastic.co/fr/pdf/agentic-frameworks-practical-considerations-for-building-ai-augmented-security-systems.pdf?utm_source=chatgpt.com "agentic-frameworks-practical-considerations-for-building-ai ..." [12]: https://wazuh.com/blog/integrating-servicenow-with-wazuh/ "Integrating ServiceNow with Wazuh" [13]: https://wazuh.com/blog/using-wazuh-and-thehive-for-threat-protection-and-incident-response/ "Wazuh and TheHive: Protection and incident response" [14]: https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html "External API integration - Wazuh server"