pub struct IncidentResponseManager { /* private fields */ }Expand description
Incident response manager
Implementations§
Source§impl IncidentResponseManager
impl IncidentResponseManager
Sourcepub fn new() -> Self
pub fn new() -> Self
Create new incident response manager
Examples found in repository?
examples/incident_response.rs (line 17)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn create_incident(&mut self, alert: &ThreatAlert) -> String
pub fn create_incident(&mut self, alert: &ThreatAlert) -> String
Create incident from alert
Examples found in repository?
examples/incident_response.rs (line 34)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn get_incident(&self, id: &str) -> Option<&Incident>
pub fn get_incident(&self, id: &str) -> Option<&Incident>
Get incident by ID
Examples found in repository?
examples/incident_response.rs (line 38)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn get_incident_mut(&mut self, id: &str) -> Option<&mut Incident>
pub fn get_incident_mut(&mut self, id: &str) -> Option<&mut Incident>
Get mutable incident
Examples found in repository?
examples/incident_response.rs (line 72)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn find_playbooks(&self, alert: &ThreatAlert) -> Vec<&Playbook>
pub fn find_playbooks(&self, alert: &ThreatAlert) -> Vec<&Playbook>
Find applicable playbooks for an alert
Examples found in repository?
examples/incident_response.rs (line 48)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn execute_playbook(
&mut self,
incident_id: &str,
playbook: &Playbook,
context: &HashMap<String, String>,
) -> Vec<ActionResult>
pub fn execute_playbook( &mut self, incident_id: &str, playbook: &Playbook, context: &HashMap<String, String>, ) -> Vec<ActionResult>
Execute playbook actions (simulated)
Examples found in repository?
examples/incident_response.rs (line 59)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn get_active_incidents(&self) -> Vec<&Incident>
pub fn get_active_incidents(&self) -> Vec<&Incident>
Get active incidents
Examples found in repository?
examples/incident_response.rs (line 158)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn get_incidents_by_severity(
&self,
min_severity: ThreatSeverity,
) -> Vec<&Incident>
pub fn get_incidents_by_severity( &self, min_severity: ThreatSeverity, ) -> Vec<&Incident>
Get incidents by severity
Examples found in repository?
examples/incident_response.rs (line 161)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn get_overdue_incidents(&self, sla_hours: i64) -> Vec<&Incident>
pub fn get_overdue_incidents(&self, sla_hours: i64) -> Vec<&Incident>
Get overdue incidents
Sourcepub fn get_statistics(&self) -> IncidentStatistics
pub fn get_statistics(&self) -> IncidentStatistics
Get incident statistics
Examples found in repository?
examples/incident_response.rs (line 128)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Sourcepub fn set_auto_response(&mut self, enabled: bool)
pub fn set_auto_response(&mut self, enabled: bool)
Enable/disable auto response
Sourcepub fn add_playbook(&mut self, playbook: Playbook)
pub fn add_playbook(&mut self, playbook: Playbook)
Add custom playbook
Sourcepub fn get_playbooks(&self) -> &[Playbook]
pub fn get_playbooks(&self) -> &[Playbook]
Get all playbooks
Examples found in repository?
examples/incident_response.rs (line 144)
14fn main() {
15 println!("=== Automated Incident Response Demo v2.0 ===\n");
16
17 let mut manager = IncidentResponseManager::new();
18
19 // Example 1: Create incident from alert
20 println!("--- Example 1: Create Incident from Alert ---");
21 let alert = ThreatAlert {
22 alert_id: "ALERT-001".to_string(),
23 timestamp: Utc::now(),
24 severity: ThreatSeverity::High,
25 category: ThreatCategory::BruteForce,
26 description: "Multiple failed login attempts detected from external IP".to_string(),
27 source_log: "auth.log - 500 failed attempts in 10 minutes".to_string(),
28 indicators: vec!["203.0.113.50".to_string(), "admin".to_string()],
29 recommended_action: "Block source IP and review user account".to_string(),
30 threat_score: 85,
31 correlated_alerts: vec![],
32 };
33
34 let incident_id = manager.create_incident(&alert);
35 println!("Created incident: {}", incident_id);
36
37 // Get and display incident details
38 if let Some(incident) = manager.get_incident(&incident_id) {
39 println!(" Title: {}", incident.title);
40 println!(" Status: {:?}", incident.status);
41 println!(" Severity: {:?}", incident.severity);
42 println!(" Category: {:?}", incident.category);
43 }
44
45 // Example 2: Find and execute playbooks
46 println!("\n--- Example 2: Execute Response Playbook ---");
47 let playbook = {
48 manager.find_playbooks(&alert).first().map(|&p| p.clone())
49 };
50
51 if let Some(playbook) = playbook {
52 println!("Found applicable playbook: {}", playbook.name);
53 println!(" Actions to execute: {}", playbook.actions.len());
54
55 let mut context = HashMap::new();
56 context.insert("source_ip".to_string(), "203.0.113.50".to_string());
57 context.insert("username".to_string(), "admin".to_string());
58
59 let results = manager.execute_playbook(&incident_id, &playbook, &context);
60 println!(" Executed {} actions:", results.len());
61 for result in &results {
62 println!(" - {}: {} ({}ms)",
63 result.action.name(),
64 if result.success { "Success" } else { "Failed" },
65 result.execution_time_ms
66 );
67 }
68 }
69
70 // Example 3: Incident lifecycle
71 println!("\n--- Example 3: Incident Lifecycle ---");
72 if let Some(incident) = manager.get_incident_mut(&incident_id) {
73 // Acknowledge the incident
74 incident.update_status(IncidentStatus::Acknowledged, "analyst1");
75 println!("Status updated to: {:?}", incident.status);
76
77 // Add investigation note
78 incident.add_note("analyst1", "Initial triage complete. IP belongs to known malicious range.");
79 println!("Added investigation note");
80
81 // Update to investigating
82 incident.update_status(IncidentStatus::Investigating, "analyst1");
83 println!("Status updated to: {:?}", incident.status);
84
85 // Update to containing
86 incident.update_status(IncidentStatus::Containing, "analyst1");
87 println!("Status updated to: {:?}", incident.status);
88
89 // Show timeline
90 println!("\nIncident Timeline:");
91 for entry in &incident.timeline {
92 println!(" [{}] {} by {}: {}",
93 entry.timestamp.format("%H:%M:%S"),
94 entry.event_type,
95 entry.actor,
96 entry.description
97 );
98 }
99
100 // Show metrics
101 println!("\nIncident Metrics:");
102 println!(" Time to Acknowledge: {:?} seconds", incident.metrics.time_to_acknowledge_seconds);
103 println!(" Time to Contain: {:?} seconds", incident.metrics.time_to_contain_seconds);
104 println!(" Total Actions: {}", incident.metrics.total_actions);
105 println!(" Successful Actions: {}", incident.metrics.successful_actions);
106 }
107
108 // Example 4: Create multiple incidents for statistics
109 println!("\n--- Example 4: Incident Statistics ---");
110
111 // Create a few more incidents
112 for i in 2..=5 {
113 let test_alert = ThreatAlert {
114 alert_id: format!("ALERT-{:03}", i),
115 timestamp: Utc::now(),
116 severity: if i % 2 == 0 { ThreatSeverity::High } else { ThreatSeverity::Medium },
117 category: if i % 3 == 0 { ThreatCategory::MalwareDetection } else { ThreatCategory::BruteForce },
118 description: format!("Test alert {}", i),
119 source_log: "test.log".to_string(),
120 indicators: vec![],
121 recommended_action: "Investigate".to_string(),
122 threat_score: 60 + i * 5,
123 correlated_alerts: vec![],
124 };
125 manager.create_incident(&test_alert);
126 }
127
128 let stats = manager.get_statistics();
129 println!("Incident Statistics:");
130 println!(" Total Incidents: {}", stats.total_incidents);
131 println!(" Active Incidents: {}", stats.active_incidents);
132 println!(" Resolved Incidents: {}", stats.resolved_incidents);
133 println!(" By Severity:");
134 for (severity, count) in &stats.by_severity {
135 println!(" {:?}: {}", severity, count);
136 }
137 println!(" By Category:");
138 for (category, count) in &stats.by_category {
139 println!(" {:?}: {}", category, count);
140 }
141
142 // Example 5: List available playbooks
143 println!("\n--- Example 5: Available Playbooks ---");
144 let playbooks = manager.get_playbooks();
145 println!("Available playbooks: {}", playbooks.len());
146 for pb in playbooks {
147 println!("\n {} ({})", pb.name, pb.id);
148 println!(" Description: {}", pb.description);
149 println!(" Categories: {:?}", pb.threat_categories);
150 println!(" Min Severity: {:?}", pb.min_severity);
151 println!(" Requires Approval: {}", pb.requires_approval);
152 println!(" Actions: {}", pb.actions.len());
153 }
154
155 // Example 6: Query active and high-severity incidents
156 println!("\n--- Example 6: Query Incidents ---");
157
158 let active = manager.get_active_incidents();
159 println!("Active incidents: {}", active.len());
160
161 let high_severity = manager.get_incidents_by_severity(ThreatSeverity::High);
162 println!("High severity or above: {}", high_severity.len());
163
164 // Example 7: Custom response action
165 println!("\n--- Example 7: Response Action Types ---");
166 let actions = vec![
167 ResponseAction::BlockIP { ip: "1.2.3.4".to_string(), duration_hours: 24 },
168 ResponseAction::DisableAccount { account: "compromised_user".to_string() },
169 ResponseAction::IsolateHost { hostname: "infected-host".to_string() },
170 ResponseAction::NotifyTeam { team: "SOC".to_string(), message: "Critical incident".to_string() },
171 ResponseAction::EscalateToSOC { priority: "P1".to_string() },
172 ];
173
174 println!("Available response actions:");
175 for action in &actions {
176 println!(" - {} (reversible: {})", action.name(), action.is_reversible());
177 }
178
179 println!("\n=== Demo Complete ===");
180}Trait Implementations§
Auto Trait Implementations§
impl Freeze for IncidentResponseManager
impl RefUnwindSafe for IncidentResponseManager
impl Send for IncidentResponseManager
impl Sync for IncidentResponseManager
impl Unpin for IncidentResponseManager
impl UnwindSafe for IncidentResponseManager
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more