MCPcopy Index your code
hub / github.com/COSSAS/SOARCA

github.com/COSSAS/SOARCA @1.1.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release 1.1.0 ↗ · + Follow
1,104 symbols 4,001 edges 125 files 115 documented · 10%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

https://cossas-project.org/portfolio/SOARCA/ Pipeline status License

Automate threat and incident response workflows with CACAO security playbooks

Context and backgound

Organisations are increasingly automating threat and incident response through playbook driven security workflow orchestration. The essence of this concept is that specific security events trigger a predefined series of response actions that are executed with no or only limited human intervention. These automated workflows are captured in machine-readable security playbooks, which are typically executed by a so called Security Orchestration, Automation and Response (SOAR) tool. The market for SOAR solutions has matured significantly over the past years and present day products support sophisticated automation workflows and a wide array of integrations with external security tools and data resources. Typically, however, the technology employed is proprietary and not easily adaptable for research and experimentation purposes. SOARCA aims to offer an open-source alternative for such solutions that is free of vendor dependencies and supports standardized formats and technologies where applicable.

SOARCA was developed for research and innovation purposes and allows SOC, CERT and CTI professionals to experiment with the concept of playbook driven security automation. It is open and extensible and its interfaces are well-defined and elaborately documented. Importantly, it offers native support for the emerging technology standards CACAOv2 and OpenC2, both developed and maintained by OASIS Open. CACAO (Collaborative Automated Course of Action Operations) provides a standardized scheme for machine-readable security playbooks while OpenC2 offers a standardized language for the command and control of cyber defense technologies (e.g. firewalls or IAM solutions).

Software

SOARCA is a security orchestrator that can ingest, validate and execute CACAOv2 security playbooks. These playbooks and the triggers for their execution are consumed via a JSON API. SOARCA comes with native http(s), SSH and OpenC2 capabilities to interface with external tools and data resources. These native capabilities can be extended via a dedicated MQTT interface, allowing developers to compile additional integrations according their needs.

Development is ongoing. The current version solely supports machine and command line interfaces, but a graphical user interface will be added in the foreseeable future. Furthermore, its current capability to run CACAOv2 playbooks sequentially will evolve towards the ability to run multiple playbooks in parallel. Such further developments will be announced and published on the SOARCA repository on Github.

Documentation

For the latest documentation we refer to our Github pages.

Source Project

More information on the source of the project can be found here.

Extension points exported contracts — how you extend this code

IWorkflowReporter (Interface)
Reporter interfaces [5 implementers]
pkg/reporter/reporter.go
IPlaybookExecuter (Interface)
(no doc) [16 implementers]
pkg/core/executors/executors.go
ITrigger (Interface)
(no doc) [16 implementers]
pkg/api/trigger/trigger_api.go
IGuid (Interface)
* * IGuid allows one to inject the uuid property and have it be available by mocking * */ [2 implementers]
pkg/utils/guid/guid.go
ITheHiveConnector (Interface)
############################### ITheHiveConnector interface [1 implementers]
pkg/integration/thehive/reporter/thehive_connector.go
IPlaybookRepository (Interface)
(no doc) [3 implementers]
internal/database/playbook/playbook.go
IExecutionInformer (Interface)
(no doc) [3 implementers]
internal/controller/informer/execution_informer.go
Message (Interface)
(no doc) [1 implementers]
test/unittest/mocks/mock_mqtt/mock_mqttmessage.go

Core symbols most depended-on inside this repo

NewVariables
called by 220
pkg/models/cacao/variables.go
New
called by 170
pkg/utils/guid/guid.go
Error
called by 151
pkg/models/manual/manual.go
String
called by 86
pkg/models/cache/cache.go
Now
called by 60
pkg/utils/time/time.go
Evaluate
called by 58
pkg/utils/stix/expression/comparison/comparison.go
Logger
called by 37
internal/logger/logger.go
Error
called by 27
test/unittest/mocks/mock_mqtt/mock_mqtttoken.go

Shape

Function 503
Method 378
Struct 141
Class 32
Interface 30
TypeAlias 20

Languages

Go76%
TypeScript24%

Modules by API surface

docs/static/js/asciinema-player.min.js267 symbols
pkg/utils/http/http_test.go28 symbols
pkg/models/cacao/cacao.go25 symbols
pkg/utils/http/http.go24 symbols
pkg/integration/thehive/reporter/thehive_connector.go23 symbols
pkg/core/capability/manual/interaction/interaction.go22 symbols
pkg/models/fin/fin.go21 symbols
pkg/core/capability/manual/interaction/interaction_test.go19 symbols
pkg/core/capability/fin/controller/controller.go18 symbols
pkg/core/capability/fin/protocol/protocol.go17 symbols
internal/database/mongodb/mongo.go17 symbols
test/unittest/mocks/mock_mqtt/mock_mqttmessage.go16 symbols

Datastores touched

(mongodb)Database · 1 repos

For agents

$ claude mcp add SOARCA \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact