creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/building-soc-escalation-matrix/scripts/agent.py
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

150 lines
7.4 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""SOC Escalation Matrix Agent - Builds and validates SOC escalation paths and response workflows."""
import json
import logging
import argparse
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
SEVERITY_TIERS = {
"P1": {"name": "Critical", "response_sla": 15, "update_sla": 60, "resolution_sla": 240,
"escalation_path": ["SOC Analyst", "SOC Lead", "IR Manager", "CISO"],
"notification": ["Slack #critical-alerts", "PagerDuty", "Email CISO", "SMS Exec Team"]},
"P2": {"name": "High", "response_sla": 30, "update_sla": 120, "resolution_sla": 480,
"escalation_path": ["SOC Analyst", "SOC Lead", "IR Manager"],
"notification": ["Slack #soc-alerts", "PagerDuty", "Email IR Manager"]},
"P3": {"name": "Medium", "response_sla": 60, "update_sla": 240, "resolution_sla": 1440,
"escalation_path": ["SOC Analyst", "SOC Lead"],
"notification": ["Slack #soc-alerts", "Email SOC Lead"]},
"P4": {"name": "Low", "response_sla": 240, "update_sla": 480, "resolution_sla": 4320,
"escalation_path": ["SOC Analyst"],
"notification": ["Slack #soc-triage"]},
}
ALERT_CATEGORIES = {
"malware": {"default_priority": "P2", "auto_escalate_if": ["ransomware", "wiper", "apt"]},
"phishing": {"default_priority": "P3", "auto_escalate_if": ["executive_target", "credential_harvested"]},
"unauthorized_access": {"default_priority": "P2", "auto_escalate_if": ["admin_account", "domain_controller"]},
"data_exfiltration": {"default_priority": "P1", "auto_escalate_if": ["pii", "financial", "classified"]},
"denial_of_service": {"default_priority": "P2", "auto_escalate_if": ["customer_facing", "revenue_impacting"]},
"insider_threat": {"default_priority": "P2", "auto_escalate_if": ["privileged_user", "data_staging"]},
"vulnerability_exploit": {"default_priority": "P2", "auto_escalate_if": ["zero_day", "active_exploitation"]},
}
def classify_alert(category, tags, affected_asset_criticality="medium"):
"""Classify alert priority based on category, tags, and asset criticality."""
cat_info = ALERT_CATEGORIES.get(category, {"default_priority": "P3", "auto_escalate_if": []})
priority = cat_info["default_priority"]
escalation_reasons = []
for tag in tags:
if tag in cat_info["auto_escalate_if"]:
escalation_reasons.append(f"Tag '{tag}' triggers auto-escalation")
if affected_asset_criticality == "critical":
escalation_reasons.append("Critical asset affected")
if escalation_reasons:
priority_num = int(priority[1])
new_priority = f"P{max(1, priority_num - 1)}"
if new_priority != priority:
escalation_reasons.append(f"Escalated from {priority} to {new_priority}")
priority = new_priority
return {"priority": priority, "category": category, "escalation_reasons": escalation_reasons,
"sla": SEVERITY_TIERS[priority]}
def build_escalation_matrix():
"""Build complete escalation matrix structure."""
matrix = {"tiers": {}, "categories": {}, "auto_escalation_rules": []}
for tier_id, tier_info in SEVERITY_TIERS.items():
matrix["tiers"][tier_id] = {
"name": tier_info["name"],
"response_sla_minutes": tier_info["response_sla"],
"update_sla_minutes": tier_info["update_sla"],
"resolution_sla_minutes": tier_info["resolution_sla"],
"escalation_chain": tier_info["escalation_path"],
"notification_channels": tier_info["notification"],
}
for cat_name, cat_info in ALERT_CATEGORIES.items():
matrix["categories"][cat_name] = {
"default_priority": cat_info["default_priority"],
"auto_escalation_triggers": cat_info["auto_escalate_if"],
}
matrix["auto_escalation_rules"] = [
{"rule": "SLA breach: response", "action": "Escalate to next tier in chain", "condition": "Response SLA exceeded"},
{"rule": "SLA breach: update", "action": "Notify SOC Lead", "condition": "Update SLA exceeded"},
{"rule": "SLA breach: resolution", "action": "Escalate to IR Manager", "condition": "Resolution SLA exceeded"},
{"rule": "Multiple related alerts", "action": "Escalate priority by 1", "condition": ">= 3 correlated alerts"},
{"rule": "VIP user affected", "action": "Auto-escalate to P1", "condition": "Executive or board member"},
]
return matrix
def validate_escalation_matrix(matrix):
"""Validate the escalation matrix for completeness and consistency."""
issues = []
for tier_id, tier in matrix["tiers"].items():
if not tier.get("escalation_chain"):
issues.append({"tier": tier_id, "issue": "Empty escalation chain", "severity": "critical"})
if tier.get("response_sla_minutes", 0) >= tier.get("update_sla_minutes", 0):
issues.append({"tier": tier_id, "issue": "Response SLA >= Update SLA", "severity": "warning"})
if not tier.get("notification_channels"):
issues.append({"tier": tier_id, "issue": "No notification channels", "severity": "high"})
for cat, info in matrix["categories"].items():
if info["default_priority"] not in matrix["tiers"]:
issues.append({"category": cat, "issue": f"Invalid priority {info['default_priority']}", "severity": "critical"})
valid = not any(i["severity"] == "critical" for i in issues)
return {"valid": valid, "issues": issues, "tier_count": len(matrix["tiers"]),
"category_count": len(matrix["categories"])}
def simulate_alerts(matrix, alerts):
"""Simulate alert classification through the escalation matrix."""
results = []
for alert in alerts:
classification = classify_alert(alert.get("category", ""), alert.get("tags", []),
alert.get("asset_criticality", "medium"))
results.append({"alert": alert, "classification": classification})
return results
def generate_report(matrix, validation, simulation_results=None):
"""Generate escalation matrix report."""
report = {
"timestamp": datetime.utcnow().isoformat(),
"escalation_matrix": matrix,
"validation": validation,
"simulation_results": simulation_results or [],
}
status = "VALID" if validation["valid"] else "INVALID"
print(f"ESCALATION MATRIX: {status}, {validation['tier_count']} tiers, "
f"{validation['category_count']} categories, {len(validation['issues'])} issues")
return report
def main():
parser = argparse.ArgumentParser(description="SOC Escalation Matrix Builder")
parser.add_argument("--validate", action="store_true", help="Validate matrix")
parser.add_argument("--simulate", help="JSON file with test alerts for simulation")
parser.add_argument("--output", default="escalation_matrix_report.json")
args = parser.parse_args()
matrix = build_escalation_matrix()
validation = validate_escalation_matrix(matrix)
simulation_results = None
if args.simulate:
with open(args.simulate) as f:
alerts = json.load(f)
simulation_results = simulate_alerts(matrix, alerts)
report = generate_report(matrix, validation, simulation_results)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", args.output)
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink