mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-13 06:34:57 +03:00
mukul975
222 lines
8.0 KiB
Python
222 lines
8.0 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
SOC Escalation Matrix Builder and Simulator
|
|
|
|
Builds escalation matrices, simulates incident routing,
|
|
and tracks SLA compliance for SOC operations.
|
|
"""
|
|
|
|
import json
|
|
from datetime import datetime, timedelta
|
|
|
|
|
|
SEVERITY_CONFIG = {
|
|
"P1": {
|
|
"name": "Critical",
|
|
"initial_response_min": 15,
|
|
"escalation_to_tier2_min": 0,
|
|
"escalation_to_tier3_min": 0,
|
|
"escalation_to_mgmt_min": 30,
|
|
"resolution_target_hours": 4,
|
|
"update_interval_min": 30,
|
|
"assigned_tier": 3,
|
|
},
|
|
"P2": {
|
|
"name": "High",
|
|
"initial_response_min": 30,
|
|
"escalation_to_tier2_min": 30,
|
|
"escalation_to_tier3_min": 240,
|
|
"escalation_to_mgmt_min": 120,
|
|
"resolution_target_hours": 8,
|
|
"update_interval_min": 120,
|
|
"assigned_tier": 2,
|
|
},
|
|
"P3": {
|
|
"name": "Medium",
|
|
"initial_response_min": 240,
|
|
"escalation_to_tier2_min": 480,
|
|
"escalation_to_tier3_min": None,
|
|
"escalation_to_mgmt_min": None,
|
|
"resolution_target_hours": 24,
|
|
"update_interval_min": 1440,
|
|
"assigned_tier": 1,
|
|
},
|
|
"P4": {
|
|
"name": "Low",
|
|
"initial_response_min": 480,
|
|
"escalation_to_tier2_min": None,
|
|
"escalation_to_tier3_min": None,
|
|
"escalation_to_mgmt_min": None,
|
|
"resolution_target_hours": 72,
|
|
"update_interval_min": 10080,
|
|
"assigned_tier": 1,
|
|
},
|
|
}
|
|
|
|
ASSET_CRITICALITY_MAP = {
|
|
("critical", "critical"): "P1",
|
|
("critical", "high"): "P1",
|
|
("critical", "medium"): "P1",
|
|
("critical", "low"): "P2",
|
|
("high", "critical"): "P1",
|
|
("high", "high"): "P2",
|
|
("high", "medium"): "P2",
|
|
("high", "low"): "P3",
|
|
("medium", "critical"): "P2",
|
|
("medium", "high"): "P2",
|
|
("medium", "medium"): "P3",
|
|
("medium", "low"): "P4",
|
|
("low", "critical"): "P3",
|
|
("low", "high"): "P3",
|
|
("low", "medium"): "P4",
|
|
("low", "low"): "P4",
|
|
}
|
|
|
|
AUTO_ESCALATION_TRIGGERS = {
|
|
"ransomware_detected": "P1",
|
|
"domain_admin_compromise": "P1",
|
|
"active_data_exfiltration": "P1",
|
|
"multiple_hosts_malware": "P1",
|
|
"critical_infrastructure_alert": "P1",
|
|
"executive_account_anomaly": "P2",
|
|
"insider_threat_indicator": "P2",
|
|
"brute_force_success": "P2",
|
|
}
|
|
|
|
|
|
class Incident:
|
|
"""Represents a security incident with escalation tracking."""
|
|
|
|
def __init__(self, incident_id: str, title: str, severity_score: str,
|
|
asset_criticality: str, incident_type: str):
|
|
self.incident_id = incident_id
|
|
self.title = title
|
|
self.incident_type = incident_type
|
|
self.created = datetime.utcnow()
|
|
|
|
# Calculate priority
|
|
if incident_type in AUTO_ESCALATION_TRIGGERS:
|
|
self.priority = AUTO_ESCALATION_TRIGGERS[incident_type]
|
|
else:
|
|
self.priority = ASSET_CRITICALITY_MAP.get(
|
|
(severity_score, asset_criticality), "P3"
|
|
)
|
|
|
|
self.config = SEVERITY_CONFIG[self.priority]
|
|
self.current_tier = self.config["assigned_tier"]
|
|
self.status = "open"
|
|
self.escalation_history = []
|
|
self.resolved_at = None
|
|
|
|
def check_sla_compliance(self) -> dict:
|
|
now = datetime.utcnow()
|
|
elapsed_min = (now - self.created).total_seconds() / 60
|
|
|
|
response_sla_met = elapsed_min <= self.config["initial_response_min"] or self.status != "open"
|
|
resolution_target_min = self.config["resolution_target_hours"] * 60
|
|
|
|
if self.resolved_at:
|
|
resolution_min = (self.resolved_at - self.created).total_seconds() / 60
|
|
resolution_sla_met = resolution_min <= resolution_target_min
|
|
else:
|
|
resolution_sla_met = elapsed_min <= resolution_target_min
|
|
|
|
return {
|
|
"incident_id": self.incident_id,
|
|
"priority": self.priority,
|
|
"elapsed_minutes": round(elapsed_min, 1),
|
|
"response_sla_met": response_sla_met,
|
|
"resolution_sla_met": resolution_sla_met,
|
|
"response_sla_min": self.config["initial_response_min"],
|
|
"resolution_sla_min": resolution_target_min,
|
|
"needs_escalation": not resolution_sla_met and self.status == "open",
|
|
}
|
|
|
|
def escalate(self, to_tier: int, reason: str):
|
|
self.escalation_history.append({
|
|
"from_tier": self.current_tier,
|
|
"to_tier": to_tier,
|
|
"reason": reason,
|
|
"timestamp": datetime.utcnow().isoformat(),
|
|
})
|
|
self.current_tier = to_tier
|
|
|
|
def resolve(self):
|
|
self.status = "resolved"
|
|
self.resolved_at = datetime.utcnow()
|
|
|
|
|
|
class EscalationMatrix:
|
|
"""Manages the SOC escalation matrix and tracks incidents."""
|
|
|
|
def __init__(self):
|
|
self.incidents = []
|
|
|
|
def create_incident(self, incident_id: str, title: str, severity: str,
|
|
asset_criticality: str, incident_type: str) -> Incident:
|
|
incident = Incident(incident_id, title, severity, asset_criticality, incident_type)
|
|
self.incidents.append(incident)
|
|
return incident
|
|
|
|
def get_sla_report(self) -> dict:
|
|
report = {"total": len(self.incidents), "by_priority": {}, "sla_breaches": 0}
|
|
for priority in ["P1", "P2", "P3", "P4"]:
|
|
priority_incidents = [i for i in self.incidents if i.priority == priority]
|
|
breaches = sum(1 for i in priority_incidents if not i.check_sla_compliance()["resolution_sla_met"])
|
|
report["by_priority"][priority] = {
|
|
"count": len(priority_incidents),
|
|
"resolved": sum(1 for i in priority_incidents if i.status == "resolved"),
|
|
"open": sum(1 for i in priority_incidents if i.status == "open"),
|
|
"sla_breaches": breaches,
|
|
}
|
|
report["sla_breaches"] += breaches
|
|
return report
|
|
|
|
def get_escalation_summary(self) -> dict:
|
|
total_escalations = sum(len(i.escalation_history) for i in self.incidents)
|
|
tier_distribution = {1: 0, 2: 0, 3: 0}
|
|
for i in self.incidents:
|
|
if i.current_tier in tier_distribution:
|
|
tier_distribution[i.current_tier] += 1
|
|
return {
|
|
"total_incidents": len(self.incidents),
|
|
"total_escalations": total_escalations,
|
|
"current_tier_distribution": tier_distribution,
|
|
}
|
|
|
|
|
|
if __name__ == "__main__":
|
|
matrix = EscalationMatrix()
|
|
|
|
inc1 = matrix.create_incident("INC-001", "Ransomware on Finance Server", "critical", "critical", "ransomware_detected")
|
|
inc2 = matrix.create_incident("INC-002", "Failed Brute Force on VPN", "medium", "high", "brute_force_attempt")
|
|
inc3 = matrix.create_incident("INC-003", "Suspicious PowerShell on Workstation", "high", "medium", "suspicious_execution")
|
|
inc4 = matrix.create_incident("INC-004", "Expired SSL Certificate", "low", "low", "certificate_expiry")
|
|
inc5 = matrix.create_incident("INC-005", "Executive Email Compromise Attempt", "high", "critical", "executive_account_anomaly")
|
|
|
|
# Simulate escalations
|
|
inc1.escalate(3, "Ransomware auto-escalation to Tier 3")
|
|
inc3.escalate(2, "Analyst escalation - needs deeper investigation")
|
|
inc4.resolve()
|
|
|
|
print("=" * 70)
|
|
print("SOC ESCALATION MATRIX REPORT")
|
|
print("=" * 70)
|
|
|
|
for inc in matrix.incidents:
|
|
sla = inc.check_sla_compliance()
|
|
print(f"\n[{inc.priority}] {inc.incident_id}: {inc.title}")
|
|
print(f" Status: {inc.status} | Tier: {inc.current_tier} | Type: {inc.incident_type}")
|
|
print(f" Response SLA: {'MET' if sla['response_sla_met'] else 'BREACHED'} ({sla['response_sla_min']}min)")
|
|
print(f" Resolution SLA: {'MET' if sla['resolution_sla_met'] else 'AT RISK'} ({sla['resolution_sla_min']}min)")
|
|
if inc.escalation_history:
|
|
print(f" Escalations: {len(inc.escalation_history)}")
|
|
|
|
print(f"\n{'=' * 70}")
|
|
print("SLA COMPLIANCE REPORT")
|
|
print("=" * 70)
|
|
report = matrix.get_sla_report()
|
|
for priority, data in report["by_priority"].items():
|
|
if data["count"] > 0:
|
|
print(f" {priority}: {data['count']} incidents, {data['resolved']} resolved, {data['sla_breaches']} SLA breaches")
|