SentriOps is a lightweight SOAR-style Incident Response Automation tool built to demonstrate real-world SOC workflows: alert ingestion, risk scoring, severity classification, playbook-driven response, approval-gated automation, and a tamper-evident audit trail.
Security teams often lose time and consistency during incident response due to manual triage, ad-hoc escalation, and inconsistent execution. SentriOps standardizes response logic using playbooks and enforces governance through approvals and auditing.
Features:

- Alert Ingestion → Incident Creation
  - Ingests alerts via API and creates incidents with immutable alert storage.
- Risk Scoring & Severity
  - Produces a deterministic `risk_score` and maps it to an S1–S5 severity.
- Incident Lifecycle (State Machine)
  - Enforces valid state transitions (no skipping).
- Playbook Framework (YAML)
  - Maps incident types to response playbooks with action steps and conditional gates.
- Approval Workflow
  - Automatically requests approval for high-risk or privileged-context scenarios before execution.
- Audit Trail
  - Records key actions as append-only audit events for traceability and governance.
- Dynamic Web UI
  - Dashboard, incident detail view, approvals queue, and live-updating audit trail.
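The README states that scoring is deterministic and maps to S1–S5 but does not give the formula. The block below is an added illustration, not SentriOps' own `core/` scoring model: the weights, the privileged-account boost, the band edges, and the choice of S1 as the most severe band are all assumptions. It uses integer arithmetic so the same input always yields the same score, and it rejects out-of-range inputs instead of silently clamping them. The two alerts are constructed to mirror the demo scenarios later in this README.

```python
# Added example (not SentriOps' scoring model): deterministic 0-100 risk score
# mapped to S1-S5. Weights, boost, bands and "S1 = most severe" are assumptions.
from __future__ import annotations

# Band floors, checked from most to least severe (assumed values).
SEVERITY_BANDS = [(80, "S1"), (60, "S2"), (35, "S3"), (15, "S4"), (0, "S5")]


def risk_score(impact: int, likelihood: int, confidence: int, context: dict | None = None) -> int:
    """Deterministic score: impact x likelihood scaled to 0-100, weighted by confidence,
    plus a fixed boost when the alert involves a privileged account (assumed weights)."""
    context = context or {}
    for name, value in (("impact", impact), ("likelihood", likelihood), ("confidence", confidence)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    base = impact * likelihood * 4               # 4..100
    weighted = base * (5 + confidence) // 10     # confidence 1 -> x0.6, 5 -> x1.0 (integer math)
    boost = 10 if context.get("privileged_account") else 0
    return min(100, weighted + boost)


def severity(score: int) -> str:
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "S5"


def classify(alert: dict) -> dict:
    """The two fields the ingest path would attach before creating the incident in Classified."""
    score = risk_score(alert["impact"], alert["likelihood"], alert["confidence"], alert.get("context"))
    return {"risk_score": score, "severity": severity(score)}


# Constructed alerts mirroring the README's demo scenarios.
BRUTE_FORCE_ALERT = {
    "incident_type": "brute_force",
    "impact": 4,
    "likelihood": 4,
    "confidence": 3,
    "context": {"ip": "91.23.11.9", "target_account": "admin", "privileged_account": True,
                "window_minutes": 5, "failed_attempts": 20},
}
PHISHING_ALERT = {
    "incident_type": "phishing",
    "impact": 3,
    "likelihood": 4,
    "confidence": 3,
    "context": {"target_account": "j.doe", "privileged_account": False},
}

if __name__ == "__main__":
    for alert in (BRUTE_FORCE_ALERT, PHISHING_ALERT):
        print(alert["incident_type"], classify(alert))
```

With these assumed weights the privileged brute-force alert scores 61 (S2) and the phishing alert 38 (S3), which is what lets the approval gate treat them differently in the demo.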
Tech stack:

- Backend: FastAPI (Python)
- DB: SQLite (local)
- ORM: SQLAlchemy
- Playbooks: YAML
- UI: Jinja2 + Tailwind (CDN) + HTMX-style partial refresh pattern
Flow (MVP):

1. `POST /alerts/ingest` accepts an alert payload.
2. The system computes `risk_score` + `severity` and creates an incident in `Classified`.
3. An analyst triggers a playbook run from the UI or API.
4. If approval conditions match:
   - incident → `AwaitingApproval`
   - approval record created
   - audit event: `APPROVAL_REQUESTED`
5. After approval:
   - incident → `InProgress` → `Contained` (simulated action execution)
   - audit events: `APPROVAL_DECIDED`, `PLAYBOOK_STARTED`, `PLAYBOOK_COMPLETED`
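The flow above, modelled end to end as an added example (this is not SentriOps' `services/` code): an incident state machine that refuses any transition not in its table, the approval gate, and an append-only audit log whose entries are hash-chained so that editing, dropping or reordering a stored event is detectable. The event names are the README's; the transition table, the hash chain as the mechanism behind "tamper-evident", and the rule that a rejected approval returns the incident to `Classified` are assumptions. Whether a run needs approval is passed in as a flag here; evaluating playbook rules is a separate concern.

```python
# Added example (not SentriOps' own runner/audit code): state machine + approval
# gate + hash-chained audit trail. Transition table, chain and reject behaviour
# are assumptions; event names follow the README.
from __future__ import annotations

import hashlib
import itertools
import json
from dataclasses import dataclass

# Allowed transitions (assumed from the states the README names). Anything not
# listed is refused, so an incident cannot skip from Classified to Contained.
TRANSITIONS = {
    "Classified": {"AwaitingApproval", "InProgress"},
    "AwaitingApproval": {"InProgress", "Classified"},  # approve / reject (reject path assumed)
    "InProgress": {"Contained"},
    "Contained": set(),  # terminal
}
GENESIS_HASH = "0" * 64
_approval_ids = itertools.count(1)


class InvalidTransition(Exception):
    pass


def can_transition(state: str, new_state: str) -> bool:
    return new_state in TRANSITIONS.get(state, set())


@dataclass
class Incident:
    id: int
    incident_type: str
    state: str = "Classified"

    def transition(self, new_state: str) -> None:
        if not can_transition(self.state, new_state):
            raise InvalidTransition(f"{self.state} -> {new_state} is not allowed")
        self.state = new_state


class AuditLog:
    """Append-only events; each entry commits to the hash of the previous one."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, incident_id: int, event: str, **details) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "incident_id": incident_id, "event": event,
                "details": details, "prev_hash": prev_hash}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev_hash = GENESIS_HASH
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
                return False
            if self._digest(body) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def events(self, incident_id: int) -> list[str]:
        return [e["event"] for e in self.entries if e["incident_id"] == incident_id]


def _execute(incident: Incident, audit: AuditLog) -> None:
    incident.transition("InProgress")
    audit.append(incident.id, "PLAYBOOK_STARTED")
    # Simulated action execution; real action plugins are on the roadmap.
    incident.transition("Contained")
    audit.append(incident.id, "PLAYBOOK_COMPLETED")


def run_playbook(incident: Incident, needs_approval: bool, audit: AuditLog) -> dict | None:
    """POST /incidents/{id}/run: park the incident for approval or execute directly."""
    if not needs_approval:
        _execute(incident, audit)
        return None
    incident.transition("AwaitingApproval")
    approval = {"id": next(_approval_ids), "incident_id": incident.id, "status": "pending"}
    audit.append(incident.id, "APPROVAL_REQUESTED", approval_id=approval["id"])
    return approval


def decide(incident: Incident, approval: dict, approved: bool, audit: AuditLog) -> None:
    """POST /approvals/{id}/decide: record the decision, then execute or return to triage."""
    approval["status"] = "approved" if approved else "rejected"
    audit.append(incident.id, "APPROVAL_DECIDED", approval_id=approval["id"], approved=approved)
    if approved:
        _execute(incident, audit)
    else:
        incident.transition("Classified")  # assumed: a rejected run goes back to triage


def demo() -> tuple[list[str], bool, bool]:
    """Gated run, then tamper with a stored event to show the chain catching it."""
    audit = AuditLog()
    inc = Incident(id=1, incident_type="brute_force")
    approval = run_playbook(inc, needs_approval=True, audit=audit)
    decide(inc, approval, approved=True, audit=audit)
    intact = audit.verify()
    audit.entries[1]["details"]["approved"] = False  # flip the recorded decision
    return audit.events(1), intact, audit.verify()


if __name__ == "__main__":
    print(demo())
```

A chain like this only makes tampering detectable, not impossible: whoever can rewrite the SQLite file can also rewrite every hash. Anchoring the latest hash somewhere the application cannot write (a log shipped to a SIEM, a periodic signed checkpoint) is what turns it into evidence.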
Project structure:

- `app/` — FastAPI application
  - `core/` — constants, scoring model
  - `db/` — SQLite engine/session + init
  - `models/` — SQLAlchemy tables + Pydantic schemas
  - `services/` — business logic (ingest, runner, approvals, audit, queries)
  - `web/templates/` — UI pages and partials
- `playbooks/` — YAML playbooks (PB-* files)
- `data/` — local runtime data (SQLite DB ignored by git)
Quick start (Windows PowerShell):

```powershell
python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install fastapi uvicorn sqlalchemy pydantic pyyaml
python -m uvicorn app.main:app --reload
```

- Web UI: http://127.0.0.1:8000/
- API docs: http://127.0.0.1:8000/docs

The MVP has no authentication (roles are on the roadmap below), so keep it bound to 127.0.0.1 and do not expose it beyond your machine.
API endpoints:

- `GET /health` — service health
- `POST /alerts/ingest` — ingest alert → create incident
- `GET /incidents` — list incidents
- `GET /incidents/{id}` — incident detail
- `POST /incidents/{id}/run` — run playbook (may request approval)
- `GET /approvals` — list approvals (filter by `status`)
- `POST /approvals/{id}/decide` — approve/reject
- `GET /audit-logs` — list audit logs (filter by `incident_id`)
Demo scenario 1: privileged brute force (approval-gated)

1. Ingest a privileged brute-force alert via `POST /alerts/ingest`:

   ```json
   {
     "incident_type": "brute_force",
     "impact": 4,
     "likelihood": 4,
     "confidence": 3,
     "context": {
       "ip": "91.23.11.9",
       "target_account": "admin",
       "privileged_account": true,
       "window_minutes": 5,
       "failed_attempts": 20
     }
   }
   ```

2. Open the incident in the UI and click Run Playbook.
3. Observe the incident transition to `AwaitingApproval`.
4. Open the Approvals page and click Approve.
5. Observe the incident become `Contained`.
6. Show the audit trail: `APPROVAL_REQUESTED`, `APPROVAL_DECIDED`, `PLAYBOOK_STARTED`, `PLAYBOOK_COMPLETED`.

Demo scenario 2: phishing (direct execution)

1. Ingest a phishing alert (moderate severity).
2. Run the playbook.
3. Observe direct execution and completion, with no approval step.
Playbooks:

Playbooks live in `playbooks/` and are YAML-based. Example fields:

- `id`, `name`, `incident_type`
- `actions`: ordered list of steps
- `requires_approval_if`: rules such as `severity_at_least` and `privileged_account`
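An added example of how a playbook of that shape can be evaluated; it is not SentriOps' playbook engine, and the two playbooks in it are constructed rather than copied from `playbooks/`. The README names the fields but not their semantics, so the following are assumptions: rules under `requires_approval_if` are OR'ed (any one firing requests approval), `severity_at_least` treats S1 as the most severe band, a `privileged_account` rule fires when the alert context flag equals the rule's value, a per-step `when` key is the conditional gate, and a rule name the engine does not recognise fails closed by requesting approval rather than letting the run proceed unattended. The dicts are what `yaml.safe_load()` would return for the YAML shown in the comment; they are embedded so the example runs without the repository.

```python
# Added example (not SentriOps' playbook engine). Playbooks are constructed;
# rule semantics, the per-step "when" gate and fail-closed handling are assumptions.
from __future__ import annotations

# What playbooks/PB-brute-force.yaml could look like (constructed):
#
#   id: PB-BRUTE-FORCE
#   name: Brute-force response
#   incident_type: brute_force
#   requires_approval_if:
#     severity_at_least: S2
#     privileged_account: true
#   actions:
#     - block_source_ip
#     - name: disable_user
#       when: privileged_account
#     - notify_soc
#
# yaml.safe_load() of such files yields these dicts (embedded to run offline).
PLAYBOOKS = {
    "brute_force": {
        "id": "PB-BRUTE-FORCE",
        "name": "Brute-force response",
        "incident_type": "brute_force",
        "requires_approval_if": {"severity_at_least": "S2", "privileged_account": True},
        "actions": ["block_source_ip", {"name": "disable_user", "when": "privileged_account"}, "notify_soc"],
    },
    "phishing": {
        "id": "PB-PHISHING",
        "name": "Phishing response",
        "incident_type": "phishing",
        "requires_approval_if": {"severity_at_least": "S1"},
        "actions": ["quarantine_message", {"name": "reset_password", "when": "privileged_account"}, "notify_user"],
    },
}

# Assumed: S1 is the most severe band, so "severity_at_least: S2" matches S1 and S2.
SEVERITY_RANK = {"S5": 1, "S4": 2, "S3": 3, "S2": 4, "S1": 5}


def select_playbook(incident_type: str) -> dict:
    """Map an incident type to its playbook; no playbook means no unattended run."""
    try:
        return PLAYBOOKS[incident_type]
    except KeyError:
        raise LookupError(f"no playbook for incident_type {incident_type!r}") from None


def approval_reasons(playbook: dict, severity: str, context: dict) -> list[str]:
    """Names of the requires_approval_if rules that fired; an empty list means run directly.

    Rules are OR'ed. An unrecognised rule name fails closed: it is reported as
    'unknown_rule:<name>' and therefore requests approval instead of being ignored.
    """
    reasons: list[str] = []
    for rule, expected in (playbook.get("requires_approval_if") or {}).items():
        if rule == "severity_at_least":
            if SEVERITY_RANK[severity] >= SEVERITY_RANK[expected]:
                reasons.append(rule)
        elif rule == "privileged_account":
            if bool(context.get("privileged_account", False)) == bool(expected):
                reasons.append(rule)
        else:
            reasons.append(f"unknown_rule:{rule}")
    return reasons


def plan_actions(playbook: dict, context: dict) -> list[str]:
    """Ordered step names, skipping steps whose 'when' flag is false in this context."""
    planned: list[str] = []
    for step in playbook["actions"]:
        if isinstance(step, str):
            planned.append(step)
        elif not step.get("when") or context.get(step["when"]):
            planned.append(step["name"])
    return planned


# Constructed context matching the README's brute-force demo alert.
DEMO_CONTEXT = {"ip": "91.23.11.9", "target_account": "admin", "privileged_account": True,
                "window_minutes": 5, "failed_attempts": 20}

if __name__ == "__main__":
    pb = select_playbook("brute_force")
    print("approval reasons:", approval_reasons(pb, "S2", DEMO_CONTEXT))
    print("planned actions:", plan_actions(pb, DEMO_CONTEXT))
```

Failing closed on an unknown rule matters in a tool whose whole point is approval-gated automation: a typo in a playbook should cost an analyst a click, not silently disable the gate.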
Roadmap:

- Authentication + roles (Analyst vs Approver)
- Action plugins (block IP, disable user, isolate host)
- Integrations (Slack/Teams, email, SIEM/EDR)
- Background jobs (Celery/RQ) for async execution
- Postgres + Alembic migrations
- Docker + deployment (Render/Railway/Azure)
License: MIT (or update if you prefer a different license)

Author: Gufran Ahmed

- LinkedIn: https://www.linkedin.com/in/cyb-gufran/
- GitHub: https://github.com/cyb-gufran
- Email: agufran006@gmail.com