CN117318998A - Script engine system based on SOAR platform, script editing system and method - Google Patents


Info

Publication number
CN117318998A
Authority
CN
China
Prior art keywords
script
module
soar
language type
soar platform
Prior art date
Legal status
Pending
Application number
CN202311123443.5A
Other languages
Chinese (zh)
Inventor
陆伸能
鲍杰
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Stored Programmes (AREA)
  • Devices For Executing Special Programs (AREA)

Abstract

The application relates to a script engine system based on an SOAR platform, together with a script editing system and a script editing method. The script engine system comprises a receiving module, a multi-language script support module and a script management module. The receiving module is used for receiving request parameters transmitted by a request gateway of the SOAR platform, the request parameters including the script, the script language type and the script parameters. The multi-language script support module is used for carrying out the corresponding analysis processing on the script based on the script language type to obtain an analysis result. The script management module is used for executing, where the analysis result meets the requirement, the corresponding script task through an independent thread according to the request parameters, obtaining an execution result and returning it to the SOAR platform. The method solves the problem that the SOAR platform does not support script execution: the script engine system supports analysis and execution of scripts in multiple language types, so that the functionality and diversity of the SOAR platform are expanded.

Description

Script engine system based on SOAR platform, script editing system and method
Technical Field
The application relates to the technical field of network security, in particular to a script engine system based on an SOAR platform, a script editing system and a script editing method.
Background
Large numbers of security events require the intervention of security analysts, and handling them is costly. Enterprises need to do more with less money, yet the analysis time of security analysts is often wasted on low-level or insignificant events. Conventional security response processes have long response times, require much human intervention, and the related processes are difficult to evaluate quantitatively.
The SOAR (Security Orchestration, Automation and Response) platform mainly comprises orchestration, automation and a reasonable KPI evaluation system, and can implement automated security orchestration to handle the related network security events. When the SOAR performs security orchestration, besides the linkage of security devices, it is more intuitive to pair it with a script engine system that executes built-in or custom scripts, or compiles and executes them, so as to acquire the related linkage parameters and decide how to link the security devices, acquire big data logs from the probes and Kafka for security analysis, execute system-level operations and the like to carry out the related security handling, thereby achieving the complete security orchestration capability of the SOAR.
Because the technical stacks of the security personnel using the SOAR differ, the number and complexity of scripts keep increasing and the scripts cannot be managed uniformly; the SOAR platform does not support script execution, so the functions of the SOAR platform are limited and the complete security orchestration capability of the SOAR cannot be achieved.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a script engine system, a scenario editing system and a method based on an SOAR platform.
In a first aspect, an embodiment of the present application provides a script engine system based on an SOAR platform, the system including:
the receiving module is used for receiving request parameters transmitted by the SOAR platform request gateway; wherein the request parameters include script, script language type and script parameters;
the multi-language script support module is used for carrying out corresponding analysis processing on the script based on the script language type to obtain an analysis result;
and the script management module is used for executing corresponding script tasks through independent threads according to the request parameters under the condition that the analysis result meets the requirements, obtaining an execution result and returning the execution result to the SOAR platform.
In one embodiment, the multilingual script support module includes:
the Python script support module is used for dynamically compiling the content of the script and at the same time checking the normalization of the script; if the normalization check is not passed or the dynamic compilation fails, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform;
the Shell script support module is used for checking whether dangerous command content exists in the script; if a dangerous command exists, the analysis result does not meet the requirement, and a dangerous command prompt and an optimization suggestion are returned to the SOAR platform;
the Golang script support module is used for automatically compiling and packaging the script into a binary executable file; if the compiling and packaging fail, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
In one embodiment, the Python script support module includes:
the dependency package management module is used for installing, updating and upgrading the third-party library dependency packages required by the Python script before the SOAR platform performs scenario orchestration;
the log storage module is used for storing the logs generated during updating or upgrading of the dependency packages;
the Python environment executor is used for dynamically compiling the content of the Python script, and if the dynamic compilation fails, returning error reporting information to the SOAR platform;
and the Python grammar normalization checking module is used for checking the normalization of the Python script, and if the normalization check is not passed, returning error reporting information to the SOAR platform.
In one embodiment, the Shell script support module includes:
the dangerous command detection module is used for checking whether a dangerous command exists in the Shell script before the SOAR platform performs script arrangement;
the optimization suggestion module is used for providing corresponding optimization suggestions under the condition that dangerous commands exist in the Shell script or the execution of the Shell script fails.
In one embodiment, the Golang script support module includes:
the debugging environment module is used for debugging the running environment of the Golang script;
and the compiling and packing module is used for compiling and packing the Golang script into a binary file for execution when the SOAR platform performs script arrangement.
In one embodiment, the script management module comprises:
the script online editing module is used for providing online editing of Python scripts, shell scripts and Golang scripts, and is adapted to the SOAR platform for scenario editing;
the script real-time debugging module is used for carrying out real-time debugging on the Python script, the Shell script and the Golang script which are edited on line to obtain a debugging result;
the script execution module is used for executing corresponding script tasks according to the request parameters transmitted by the SOAR platform;
the SOAR script built-in package management module is used for updating or upgrading the SOAR platform built-in package;
and the script information management module is used for storing the script edited by the script online editing module or the script debugged by the script real-time debugging module.
In a second aspect, an embodiment of the present application further provides a script execution method based on an SOAR platform, where the method includes:
receiving request parameters transmitted by an SOAR platform request gateway; wherein the request parameters include script, script language type and script parameters;
performing corresponding analysis processing on the script based on the script language type to obtain an analysis result;
under the condition that the analysis result meets the requirement, executing a corresponding script task through an independent thread according to the request parameter to obtain an execution result;
and returning the execution result to the SOAR platform through the gateway.
In one embodiment, performing the corresponding analysis processing on the script based on the script language type to obtain the analysis result includes:
if the script language type is the Python language type, dynamically compiling the content of the script and at the same time checking the normalization of the script; if the normalization check is not passed or the dynamic compilation fails, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform;
if the script language type is the Shell language type, checking whether dangerous command content exists in the script; if a dangerous command exists, the analysis result does not meet the requirement, and a dangerous command prompt and an optimization suggestion are returned to the SOAR platform;
if the script language type is the Golang language type, automatically compiling and packaging the script into a binary executable file; if the compiling and packaging fail, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
In a third aspect, the embodiment of the application also provides a scenario editing system based on the SOAR platform; the system comprises:
the registry is used for storing interface addresses of the script engine system;
the scenario flow module is used for responding to the triggering of the safety case and executing scenario flow;
the gateway is used for acquiring an interface address of the script engine system from the registry and transmitting the request parameters to the script engine system through the interface address; wherein the request parameters include script, script language type and script parameters; the request parameters are used for executing the script flow;
the script engine system is used for receiving the request parameters, and carrying out corresponding analysis processing on the script based on the script language type to obtain an analysis result; under the condition that the analysis result meets the requirement, executing a corresponding script task through an independent thread according to the request parameter to obtain an execution result; returning the execution result to the script flow module through the gateway;
and the scenario flow module is also used for receiving the execution result and continuously executing the next action of the scenario flow based on the execution result until the scenario flow is executed.
In a fourth aspect, the embodiment of the application also provides a scenario editing method based on the SOAR platform; the method comprises the following steps:
executing a script flow in response to the triggering of the security case;
acquiring an interface address of a script engine system from a registry by calling a gateway;
transmitting request parameters to the script engine system through the interface address, wherein the request parameters include the script, the script language type and the script parameters; the script engine system is used for receiving the request parameters and carrying out the corresponding analysis processing on the script based on the script language type to obtain an analysis result; executing, where the analysis result meets the requirement, the corresponding script task through an independent thread according to the request parameters to obtain an execution result; and returning the execution result to the script flow through the gateway;
and continuously executing the next action of the script flow based on the execution result until the execution of the script flow is finished.
The script engine system, the script editing system and the script editing method based on the SOAR platform solve the problem that the SOAR platform does not support script execution, support analysis and execution of scripts in multiple language types, expand the functionality and diversity of the SOAR platform, and achieve the complete security orchestration capability of the SOAR.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a block diagram of the architecture of a SOAR platform based scripting engine system in one embodiment;
FIG. 2 is a block diagram of the architecture of a multilingual script support module in one embodiment;
FIG. 3 is a block diagram of another embodiment of a script engine system based on an SOAR platform;
FIG. 4 is a flow diagram of a method of executing a script based on an SOAR platform in one embodiment;
FIG. 5 is a block diagram of a scenario layout system based on an SOAR platform in one embodiment;
FIG. 6 is a flow diagram of a scenario layout method based on an SOAR platform in one embodiment.
11. receiving module; 12. multilingual script support module; 13. script management module; 21. Python script support module; 22. Shell script support module; 23. Golang script support module; 211. dependency package management module; 212. log storage module; 213. Python environment executor; 214. Python grammar normalization check module; 221. dangerous command detection module; 222. optimization suggestion module; 231. debug environment module; 232. compiling and packaging module; 131. script online editing module; 132. script real-time debugging module; 133. script execution module; 134. SOAR script built-in package management module; 135. script information management module; 10. registry; 20. scenario flow module; 30. gateway; 40. script engine system.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments which can be made by one of ordinary skill in the art without undue burden, based on the embodiments provided herein, are intended to be within the scope of the present application.
It is apparent that the drawings in the following description are only some examples or embodiments of the present application, and those of ordinary skill in the art can apply the present application to other similar situations according to these drawings without inventive effort. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication or manufacture for those of ordinary skill having the benefit of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein have the ordinary meaning understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein does not denote a limitation of quantity, but may denote the singular or the plural. The terms "comprising," "including," "having," and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, article or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein refers to two or more. "And/or" describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship. The terms "first," "second," "third," and the like, as used herein, merely distinguish between similar objects and do not represent a particular ordering of the objects.
In a first aspect, an embodiment of the present application provides a script engine system based on an SOAR platform, as shown in fig. 1, where the system includes a receiving module 11, a multilingual script supporting module 12, and a script management module 13.
The receiving module 11 is configured to receive the request parameters transmitted by the SOAR platform request gateway. The request parameters include the script, the script language type and the script parameters. The script in the request parameters is the script source program, and the script parameters comprise the parameters needed for script execution and other carried parameters. The receiving module 11 is the interface of the script engine system; in this embodiment, the request parameters transmitted by the SOAR platform request gateway are received through this interface, which is called in RPC (Remote Procedure Call) or HTTP (Hypertext Transfer Protocol) mode.
The multi-language script support module 12 is configured to perform the corresponding analysis processing on the script according to the script language type, so as to obtain an analysis result. A scripting language is a programming language used specifically to write scripts, whose purpose is to automate or simplify a particular task by executing a series of instructions. Common scripting language types include JavaScript, mainly used for web page development to add interactivity and dynamic functions to web pages; Python, a general-purpose high-level programming language widely applied in web development, data analysis, artificial intelligence and other fields; PHP, mainly used for server-side scripting and particularly suitable for web development; Ruby, a compact and elegant scripting language commonly used for web development and automation tasks; and Shell scripts, the command-line interface of an operating system, used for executing system commands and automation tasks.
The script management module 13 is configured to execute, according to the request parameter, a corresponding script task through an independent thread to obtain an execution result, and return the execution result to the SOAR platform when the analysis result meets a requirement. If the analysis result does not meet the requirement, the script task is not executed.
This embodiment is in fact a web service process: a web service script engine system written with the FastAPI framework. In this embodiment, when the SOAR performs security orchestration of a scenario, the SOAR platform request gateway transmits the request parameters needed to execute the script to the script engine system; the receiving module 11 receives the request parameters, and the multi-language script support module 12 performs the corresponding analysis processing on the script content according to the script language type in the request parameters, so that different analysis operations are used for different script language types to obtain the analysis result. Where the analysis result meets the requirement, the script management module 13 executes the corresponding script task through an independent thread according to the request parameters to obtain an execution result, and returns the execution result to the SOAR platform. This solves the problem that the SOAR platform does not support script execution: the script engine system supports analysis and execution of scripts in multiple language types, expanding the functionality and diversity of the SOAR platform and achieving the complete security orchestration capability of the SOAR.
In one embodiment, as shown in fig. 2, the multi-language script support module 12 includes a Python script support module 21, a Shell script support module 22, and a Golang script support module 23.
The Python script support module 21 is configured to dynamically compile the content of the script and at the same time check the normalization of the script when the script language type in the request parameters is the Python language type; if the normalization check is not passed or the dynamic compilation fails, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
The Shell script support module 22 is configured to check whether dangerous command content exists in the script when the script language type in the request parameters is the Shell language type; if a dangerous command exists, the analysis result does not meet the requirement, and a dangerous command prompt and an optimization suggestion are returned to the SOAR platform.
The Golang script support module 23 is configured to automatically compile and package the script into a binary executable file when the script language type in the request parameters is the Golang language type; if the compiling and packaging fail, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
The multi-language script support module 12 in the embodiment of the present application includes the Python script support module 21, the Shell script support module 22 and the Golang script support module 23, and can therefore support analysis operations on Python scripts, Shell scripts and Golang scripts. Of course, the multi-language script support module 12 may also include support modules for other scripting languages, such as a JavaScript script support module, which the present application does not limit in detail. The multi-language script support module 12 in this embodiment is mainly configured to analyze a script according to the script language type in the request parameters, determining which language support module performs the analysis operation on the script and obtaining the analysis result; if the analysis result does not meet the requirement, the related error reporting information and optimization suggestions are returned to the SOAR platform, so as to ensure safe execution of the script.
In one embodiment, as shown in fig. 3, the Python script supporting module 21 includes a dependency package management module 211, a log storage module 212, a Python environment executor 213, and a Python grammar normalization verification module 214.
The dependency package management module 211 is used for installing, updating and upgrading the third-party library dependency packages required by the Python script before the scenario orchestration of the SOAR platform. Writing a Python script requires third-party dependencies or an SDK; these are not updated in real time, so an update/installation entry that the user can click is needed. The dependency package management module 211 provides such an entry for dependency package installation on the SOAR, namely offline installation (by manually uploading the dependency package file) and online installation (over the internet). Since writing Python scripts may require new versions of third-party libraries, the module can also list the installed dependency packages and let the user manually upgrade them to the latest or to a specified version.
The log storage module 212 is configured to store the logs generated during update or upgrade of the dependency packages. That is, each time a third-party dependency package is upgraded or updated, the log storage module 212 stores the update or upgrade log for viewing and retains it for a set time limit.
The Python environment executor 213 is configured to dynamically compile the content of the Python script, and if the dynamic compilation fails, return error reporting information to the SOAR platform.
The Python grammar normalization verification module 214 is configured to verify the normalization of the Python script, and if the normalization verification is not passed, return error reporting information to the SOAR platform.
In one embodiment, with continued reference to FIG. 3, the Shell script support module 22 includes a dangerous command detection module 221 and an optimization suggestion module 222.
The dangerous command detection module 221 is used for checking whether a dangerous command exists in the Shell script before the SOAR platform performs scenario orchestration. For Shell script execution, the dangerous command detection module 221 obtains the script content and matches it against a set of clearly dangerous commands, such as rm -rf and rm -rf /, and other delete-class and injection-class commands.
The optimization suggestion module 222 is configured to provide corresponding optimization suggestions when a dangerous command exists in the Shell script or the Shell script fails to execute. If the dangerous command detection module 221 detects a dangerous command, the optimization suggestion module 222 returns the matched dangerous command to the SOAR platform and gives an optimization suggestion; if the command concerns an operation on the underlying system, the suggestion is simply not to execute it, and the operation can instead be performed manually in the background. In addition, if the Shell script fails to execute, the error cause is returned to the SOAR platform together with an optimization suggestion, for example a "command not found" or "command parameter mismatch" error cause with, correspondingly, a suggestion to install the command manually in the background or to correct the command parameters.
In one embodiment, with continued reference to FIG. 3, the Golang script support module 23 includes a debug environment module 231 and a compile packaging module 232.
The debug environment module 231 is used for debugging the execution environment of the Golang script. Golang is a compiled language; when a script is debugged, the module directly executes a command that runs it in the debug environment, e.g. go run x.go.
The compiling and packing module 232 is configured to compile and pack the Golang script into a binary file for execution when the SOAR platform performs script arrangement.
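The three per-language checks described above (Python dynamic compilation plus a normalization check, Shell dangerous-command detection with an optimization suggestion, Golang compile-and-package), as an added example written for this page and not code from the patent or from DBAPPSecurity. The ParseResult type, the bare-except style rule, the mkfs pattern and the assumption of a go binary on PATH are this example's own choices; only the rm -rf rule comes from the text.

```python
import ast
import re
import shlex
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class ParseResult:
    ok: bool                                         # True = "analysis result meets the requirement"
    errors: list = field(default_factory=list)       # error reporting information
    suggestions: list = field(default_factory=list)  # optimization suggestions

    def fail(self, error: str, suggestion: str = "") -> None:
        self.ok = False
        self.errors.append(error)
        if suggestion:
            self.suggestions.append(suggestion)


def check_python(script: str) -> ParseResult:
    """Dynamic compile plus a normalization check (the no-bare-except rule is an assumption)."""
    res = ParseResult(ok=True)
    try:
        tree = ast.parse(script, "<script>")
        compile(tree, "<script>", "exec")            # dynamic compilation to a code object
    except SyntaxError as e:
        res.fail(f"compile failed: line {e.lineno}: {e.msg}")
        return res
    for node in ast.walk(tree):
        if isinstance(node, ast.ExceptHandler) and node.type is None:
            res.fail(f"line {node.lineno}: bare 'except:' swallows every error")
    return res


def inspect_command(argv: list) -> "str | None":
    """Return a reason when argv is a dangerous command, else None.  The
    'rm -rf' rule comes from the text; the mkfs rule is an assumed addition."""
    if not argv:
        return None
    name = Path(argv[0]).name                        # '/bin/rm' is still 'rm'
    if name == "rm":
        short = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
        long_ = {a for a in argv[1:] if a.startswith("--")}
        recursive = "r" in short or "R" in short or "--recursive" in long_
        force = "f" in short or "--force" in long_
        targets = [a for a in argv[1:] if not a.startswith("-")]
        if recursive and force:
            if any(t in ("/", "/*") for t in targets):
                return "recursive forced delete of the root filesystem"
            return "recursive forced delete"
    if name == "mkfs" or name.startswith("mkfs."):
        return "formats a filesystem"
    return None


def check_shell(script: str) -> ParseResult:
    """Split each line into simple commands and inspect each one, so that a
    quoted string such as echo 'rm -rf /' is not flagged."""
    res = ParseResult(ok=True)
    for n, line in enumerate(script.splitlines(), 1):
        code = line.split("#", 1)[0]                 # drop trailing comments
        for piece in re.split(r"\|\||&&|[;|]", code):
            try:
                argv = shlex.split(piece)
            except ValueError:                       # unbalanced quotes: the shell will report it
                continue
            reason = inspect_command(argv)
            if reason:
                res.fail(f"line {n}: dangerous command '{piece.strip()}' ({reason})",
                         f"line {n}: do not run this step from the playbook; perform it manually")
    return res


def check_golang(script: str) -> ParseResult:
    """Compile and package into a binary; assumes a 'go' toolchain on PATH."""
    res = ParseResult(ok=True)
    go = shutil.which("go")
    if go is None:
        res.fail("go toolchain not found; cannot compile the script")
        return res
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "main.go")
        src.write_text(script)
        proc = subprocess.run([go, "build", "-o", str(Path(work, "script.bin")), str(src)],
                              capture_output=True, text=True, cwd=work)
        if proc.returncode != 0:
            res.fail(proc.stderr.strip())
    return res


CHECKERS = {"python": check_python, "shell": check_shell, "golang": check_golang}


def parse_script(language_type: str, script: str) -> ParseResult:
    """Dispatch on the script language type carried in the request parameters."""
    checker = CHECKERS.get(language_type.lower())
    if checker is None:
        return ParseResult(ok=False, errors=[f"unsupported script language type: {language_type}"])
    return checker(script)
```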
In one embodiment, with continued reference to fig. 3, the script management module 13 includes a script online editing module 131, a script real-time debugging module 132, a script execution module 133, an SOAR script in-package management module 134, and a script information management module 135.
The script online editing module 131 is configured to provide online editing of Python scripts, Shell scripts, and Golang scripts, so as to adapt to the SOAR platform for scenario editing. For these three scripting languages, the script online editing module 131 provides a script page for the SOAR platform, so that a user can edit the script directly on the page and execute it in the provided environment, without dealing with local environment adaptation and similar problems. When scripts are written in the Python or Golang language, they must use the built-in methods and functions of the SOAR script built-in package: the built-in package is imported and its basic methods are called, for example the methods and functions that output results, so that the script is adapted to the SOAR script flow.
The script real-time debugging module 132 is configured to debug the Python script, Shell script, and Golang script edited online in real time, so as to obtain a debugging result. After the user has edited the script online, clicking the debug button triggers real-time debugging, and the information returned after the script is debugged is displayed in real time on the front-end page for the user to check.
The script execution module 133 is configured to execute the corresponding script task according to the request parameters transferred by the SOAR platform. Specifically, when a script is executed, the script execution module 133 uses a separate thread to execute it according to the script language type transferred to the script engine system by the SOAR platform. For example, a Python script is turned into a piece of executable code and run, a Shell script is run as a Linux script, and a Golang script is run by executing the compiled and packed binary (the compile-and-pack step is performed only when the Golang script is updated or used for the first time). In addition, to avoid the risk of a script running for too long, the script execution module 133 can expose a custom timeout setting on the SOAR page; when a script is executed and the time the script engine system spends executing it exceeds the timeout period, a response advising not to continue execution is returned to the SOAR platform.
The SOAR script built-in package management module 134 is used for updating or upgrading the SOAR platform built-in package. The built-in package is a third-party library for Python scripts and Golang scripts, provided specifically to adapt scripts to the SOAR script flow and to the SOAR output format.
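The following is an added example (it is not code from the patent or from the applicant) of how the script execution module described above can be realized in Python: the script is written to a temporary directory and executed as a child process from a worker thread, the language type selects the interpreter (or, for Golang, a compile-and-pack step followed by running the binary), and a script that exceeds the configured timeout is killed and reported with a "not recommended to continue" suggestion. The status names, the suggestion string and the temporary file names are assumptions of this example.

```python
"""Script execution in a separate thread with a timeout.

Added example, not code from the patent: it mirrors the script execution
module (133) described above. Python and Shell scripts are written to a
temporary file and run as a child process; Golang scripts are compiled with
`go build` first (reported as an error here when no Go toolchain is
installed). Status names and the "not recommended to continue" advice are
assumed; POSIX only (process groups are used to kill a timed-out script).
"""
import os
import shutil
import signal
import subprocess
import sys
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Thread pool standing in for the engine's independent execution threads.
_POOL = ThreadPoolExecutor(max_workers=4)


def _run_process(argv, timeout):
    """Run argv in its own process group; return (status, stdout, stderr)."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            text=True, start_new_session=True)
    try:
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        # Kill the whole group so helpers spawned by the script (e.g. sleep) die too.
        os.killpg(proc.pid, signal.SIGKILL)
        proc.communicate()
        return "timeout", "", ""
    return ("ok" if proc.returncode == 0 else "error"), out, err


def _write(workdir, name, content):
    path = os.path.join(workdir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def _execute_in(workdir, lang, script, params, timeout):
    """Dispatch on the script language type transferred by the SOAR platform."""
    if lang == "python":
        return _run_process([sys.executable, _write(workdir, "task.py", script), *params], timeout)
    if lang == "shell":
        return _run_process(["sh", _write(workdir, "task.sh", script), *params], timeout)
    if lang == "golang":
        go = shutil.which("go")
        if go is None:
            return "error", "", "go toolchain not installed in the engine environment"
        binary = os.path.join(workdir, "task")
        # Compile-and-pack step; the engine caches this until the script changes.
        status, out, err = _run_process(
            [go, "build", "-o", binary, _write(workdir, "main.go", script)], timeout)
        if status != "ok":
            return status, out, err
        return _run_process([binary, *params], timeout)
    return "error", "", f"unsupported script language type: {lang}"


def execute_script(lang, script, params=(), timeout=5.0):
    """Execute one script task on a worker thread and return the result dict."""
    def task():
        with tempfile.TemporaryDirectory() as workdir:
            return _execute_in(workdir, lang, script, list(params), timeout)

    status, stdout, stderr = _POOL.submit(task).result()
    result = {"status": status, "stdout": stdout, "stderr": stderr}
    if status == "timeout":
        # Execution exceeded the configured period: advise SOAR not to continue.
        result["suggestion"] = "not_recommended_to_continue"
    return result


if __name__ == "__main__":
    print(execute_script("shell", "echo hello from $0\n"))
    print(execute_script("shell", "sleep 5\n", timeout=0.5))
```

The timeout is enforced on the child process rather than on the thread, because a Python thread cannot be interrupted from outside; killing the process group also removes any helper processes the script started, so the worker thread is free again as soon as the timeout fires.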
The script information management module 135 is used for storing the script edited by the script online editing module or the script debugged by the script real-time debugging module. The script information management module 135 provides the function of storing script information for the SOAR platform, and can save the edited or debugged script for later use.
The script management module 13 of this embodiment provides online script editing, script debugging, script execution with retrieval of the related result, and the built-in package functions commonly used by scripts to cooperate with the SOAR editing task; it provides a better and more stable script running environment for SOAR, so as to accomplish the editing of the whole SOAR scenario and improve the automatic editing capability of the extended SOAR platform in the security field.
In a second aspect, an embodiment of the present application further provides a script execution method based on an SOAR platform, as shown in fig. 4, where the method includes the following steps:
step S101, receiving request parameters transmitted by an SOAR platform request gateway; wherein the request parameters include script, script language type, and script parameters.
Step S102, corresponding analysis processing is carried out on the script based on the script language type, and an analysis result is obtained.
Step S103, when the analysis result meets the requirement, executing the corresponding script task through a separate thread according to the request parameters, and obtaining the execution result.
Specifically, when the analysis result meets the requirement, the script engine system starts an independent thread to provide a sandbox environment, and begins to execute the script program task according to the request parameters.
Step S104, returning the execution result to the SOAR platform through the gateway.
Through steps S101 to S105, the problem that the SOAR platform does not support script execution is solved: script parsing and execution for multiple language types are supported, the functionality and diversity of the SOAR platform are extended, and the complete security orchestration capability of SOAR is achieved.
In one embodiment, the performing corresponding parsing processing on the script based on the script language type, and obtaining the parsing result includes the following parsing operations:
If the script language type is the Python language type: the content of the script is dynamically compiled and, at the same time, the normalization of the script is checked; if the normalization check is not passed or the dynamic compiling fails, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
If the script language type is the Shell language type: the script is checked for dangerous command content; if dangerous command content exists, the analysis result does not meet the requirement, and a dangerous command prompt and an optimization suggestion are returned to the SOAR platform.
If the script language type is the Golang language type: the script is automatically compiled and packaged into a binary executable file; if compiling and packaging fail, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
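An added example (not code from the patent) of the parsing stage for the three language types, which also illustrates the dangerous command detection and optimization suggestion modules 221 and 222 described earlier: Python scripts are compiled to an AST and checked against normalization rules, Shell scripts are matched line by line against a table of dangerous command patterns that carries a danger level and an optimization suggestion for each, and Golang scripts are compiled with go build. The normalization rules, the pattern table with its suggestions, and the result field names are assumptions of this example.

```python
"""Per-language parsing stage of the script engine.

Added example, not the patent's code. It covers the parsing operations above
and the dangerous command detection / optimization suggestion modules (221,
222). The Python normalization rules, the dangerous-command pattern table
with its danger levels and suggestions, and the result field names are
assumptions of this example; `go build` is only attempted when a Go toolchain
is present.
"""
import ast
import os
import re
import shutil
import subprocess
import tempfile


def _python_normalization_errors(tree):
    """Assumed normalization rules for a SOAR Python script."""
    errors = []
    if not any(isinstance(n, ast.FunctionDef) and n.name == "main" for n in tree.body):
        errors.append("script must define a main() entry point for the SOAR flow")
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and any(a.name == "*" for a in node.names):
            errors.append(f"line {node.lineno}: wildcard import is not allowed")
    return errors


def parse_python(script):
    """Dynamically compile the script to an AST and run the normalization check."""
    try:
        tree = ast.parse(script, filename="<soar-script>")
        compile(tree, "<soar-script>", "exec")
    except SyntaxError as exc:
        return {"ok": False, "errors": [f"line {exc.lineno}: {exc.msg}"]}
    errors = _python_normalization_errors(tree)
    return {"ok": not errors, "errors": errors}


# Assumed pattern table, ordered by severity: (regex, danger level, optimization suggestion).
_DANGEROUS = [
    (re.compile(r"\brm\s+-\w*r\w*\s+(?:-\w+\s+)*/(?:\s|$)"), "critical",
     "recursive deletion of the root filesystem: do not execute; review manually in the background"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"), "high",
     "executes downloaded content: fetch to a file, verify its checksum, then run it"),
    (re.compile(r"\brm\s+(?:-\w+\s+)*-\w*r\w*\b"), "high",
     "recursive deletion: restrict the target to an explicit path under the playbook's work directory"),
    (re.compile(r"\beval\b"), "medium",
     "eval of dynamic content risks command injection: pass values as quoted arguments instead"),
]


def parse_shell(script):
    """Check the script for dangerous command content and its danger level."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are never executed
        for pattern, level, suggestion in _DANGEROUS:
            if pattern.search(stripped):
                hits.append({"line": lineno, "command": stripped,
                             "level": level, "suggestion": suggestion})
                break  # first match is the most severe one for this line
    return {"ok": not hits, "errors": hits}


def parse_golang(script):
    """Compile and pack the script into a binary; the binary is discarded here."""
    go = shutil.which("go")
    if go is None:
        return {"ok": False, "errors": ["go toolchain not available in the engine environment"]}
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "main.go")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write(script)
        proc = subprocess.run([go, "build", "-o", os.path.join(workdir, "task"), src],
                              capture_output=True, text=True)
    if proc.returncode != 0:
        return {"ok": False, "errors": proc.stderr.strip().splitlines()}
    return {"ok": True, "errors": []}


_PARSERS = {"python": parse_python, "shell": parse_shell, "golang": parse_golang}


def parse_script(lang, script):
    """Entry point of the parsing stage: dispatch on the script language type."""
    parser = _PARSERS.get(lang.lower())
    if parser is None:
        return {"ok": False, "errors": [f"unsupported script language type: {lang}"]}
    return parser(script)
```

A pattern table of this kind only catches the literal forms it lists (a command assembled from variables at run time is not visible to a line matcher), which is why the description pairs the check with a manual background review and with the execution-time timeout rather than relying on it alone.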
In a third aspect, an embodiment of the present application further provides a scenario editing system based on an SOAR platform, as shown in fig. 5, where the system includes a registry 10, a scenario flow module 20, a gateway 30, and a script engine system 40.
A registry 10 for storing interface addresses of the script engine system. The registry 10 is further configured to store configuration information and network information registered by the microservice system, and provide a service discovery function.
The scenario flow module 20 is configured to execute a scenario flow in response to the triggering of a security case.
A gateway 30 for acquiring an interface address of the script engine system 40 from the registry 10 and transmitting a request parameter to the script engine system through the interface address; wherein the request parameters include script, script language type and script parameters; the request parameters are used for executing the scenario flow.
The script engine system 40 is configured to receive the request parameter, and perform corresponding parsing processing on the script based on the script language type, so as to obtain a parsing result; under the condition that the analysis result meets the requirement, executing a corresponding script task through an independent thread according to the request parameter to obtain an execution result; and returns the execution result to the scenario flow module 20 through the gateway 30.
And the scenario flow module 20 is further configured to receive the execution result, and based on the execution result, continue to execute the next action of the scenario flow until the scenario flow is executed.
In the scenario editing system of the present embodiment, the scenario flow module 20 acquires the interface address of the script engine system 40 from the registry 10 by calling the gateway 30 and transmits the request parameters to the script engine system 40; the script engine system 40 receives the request parameters, performs the parsing and executing operations, and returns the execution result to the scenario flow module 20 through the gateway 30. This solves the problem that the SOAR platform does not support script execution: the script engine system supports script parsing and execution for multiple language types, so the functionality and diversity of the SOAR platform are extended and the complete security orchestration capability of SOAR is achieved.
In a fourth aspect, embodiments of the present application further provide a scenario editing method based on an SOAR platform, where the method includes the following steps:
step S201, executing a scenario flow in response to the triggering of the security case;
step S202, obtaining an interface address of a script engine system from a registry by calling a gateway;
step S203, transmitting request parameters to the script engine system through the interface address; wherein the request parameters include script, script language type and script parameters; the script engine system is used for receiving the request parameters, performing corresponding analysis processing on the script based on the script language type to obtain an analysis result, executing the corresponding script task through an independent thread according to the request parameters when the analysis result meets the requirement to obtain an execution result, and returning the execution result to the scenario flow through the gateway;
and step S204, based on the execution result, continuing to execute the next action of the scenario flow until the scenario flow is executed.
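An added example (not code from the patent) that ties the scenario editing system and method together in Python: an in-memory registry stores the engine's interface address, a gateway resolves it and forwards the request over an in-process handler table that stands in for the RPC or HTTP call, a minimal engine handler compiles and runs the Python script, and the scenario flow feeds each execution result into the choice of the next action until the flow ends. The service name, the interface address, the request and response field names, and the three playbook actions are constructed for this example.

```python
"""Scenario flow driven through registry, gateway and script engine.

Added example, not the patent's code. The registry is an in-memory dict,
the gateway resolves the engine address from it and dispatches to an
in-process handler (stand-in for the RPC/HTTP call), and the engine stub
compiles and runs Python scripts in a fresh namespace and reads a `result`
variable. Service names, field names and playbook actions are constructed.
"""


class Registry:
    """Stores interface addresses registered by microservices (service discovery)."""

    def __init__(self):
        self._addresses = {}

    def register(self, service, address):
        self._addresses[service] = address

    def lookup(self, service):
        if service not in self._addresses:
            raise LookupError(f"service not registered: {service}")
        return self._addresses[service]


class Gateway:
    """Resolves the engine address through the registry and forwards the request."""

    def __init__(self, registry, transports):
        self._registry = registry
        self._transports = transports  # address -> callable(request) -> response

    def call_engine(self, request):
        address = self._registry.lookup("script-engine")
        return self._transports[address](request)


def engine_handler(request):
    """Minimal engine: dynamic compile, then execute with the request parameters.

    The real engine runs this on a separate thread in a sandbox; the stub does not.
    """
    if request["lang"] != "python":
        return {"status": "error", "stderr": "stub handles the Python language type only"}
    try:
        code = compile(request["script"], "<soar-script>", "exec")
    except SyntaxError as exc:
        return {"status": "parse_error", "stderr": f"line {exc.lineno}: {exc.msg}"}
    namespace = {"params": request["params"]}
    try:
        exec(code, namespace)
    except Exception as exc:  # script raised: report instead of crashing the engine
        return {"status": "error", "stderr": repr(exc)}
    return {"status": "ok", "result": namespace.get("result")}


def run_scenario(actions, gateway, case, first):
    """Execute actions in order; each result selects the next action or ends the flow."""
    trace = []
    name = first
    while name is not None:
        action = actions[name]
        request = {"script": action["script"], "lang": "python", "params": case}
        response = gateway.call_engine(request)
        trace.append((name, response["status"]))
        if response["status"] != "ok":
            break  # a failed action ends the flow; the error goes back to the operator
        case = {**case, **response["result"]}  # feed the result into later actions
        name = action["next"](response["result"])
    return trace


# Constructed playbook: enrich the alert, block the source if severe, then notify.
ACTIONS = {
    "enrich": {"script": "result = {'severity': 'high' if params['hit_count'] > 10 else 'low'}\n",
               "next": lambda r: "block" if r["severity"] == "high" else "notify"},
    "block": {"script": "result = {'blocked': params['src_ip']}\n",
              "next": lambda r: "notify"},
    "notify": {"script": "result = {'notified': True}\n",
               "next": lambda r: None},
}


def make_gateway():
    registry = Registry()
    address = "http://script-engine.internal:8080/exec"  # constructed address
    registry.register("script-engine", address)
    return Gateway(registry, {address: engine_handler})


def run_demo(case):
    """Run the constructed playbook for one security case; returns the action trace."""
    return run_scenario(ACTIONS, make_gateway(), case, first="enrich")
```

Keeping the address lookup inside the gateway means the scenario flow never holds a hard-coded engine endpoint, so the engine can be redeployed or scaled behind the registry without touching playbooks; the trace returned by run_scenario is the per-action record an operator would review when a flow stops early.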
Fig. 6 is a preferred flowchart of a scenario layout method based on the SOAR platform in the present embodiment, the method includes the following steps:
Step S301, the SOAR security case is triggered manually or automatically, and the orchestration scenario is executed.
Step S302, the scenario flow is executed to obtain the related information that determines the direction of the next step.
Step S303, the SOAR platform obtains the interface address of the script engine system from the registry by calling the gateway, and calls the script engine system interface via RPC or HTTP with the script content and the request parameters.
Step S304, the script engine system interface receives the request parameters transmitted by the gateway and parses the script according to its script language type, which specifically comprises Python script parsing, Shell script parsing and Golang script parsing. Wherein:
the Python script parsing process includes dynamically compiling the script into an abstract syntax tree (AST) while performing Python syntax normalization verification; if the normalization check is not passed or the dynamic compiling fails, error reporting information is returned to the SOAR platform.
The Shell script parsing process includes checking whether the script contains dangerous command content and determining its danger level; if the check is not passed, a dangerous command prompt and an optimization suggestion are returned to the SOAR platform.
The Golang script parsing process includes automatically compiling and packing the script into a binary executable file; if compiling and packing fail, error reporting information is returned to the SOAR platform.
Step S305, if parsing reports no error, the precondition for execution is met, and the main process of the script engine system starts an independent thread from a thread pool to provide a sandbox environment and begin executing the script program task, specifically Python script sandbox execution, Shell script sandbox execution or Golang script sandbox execution.
Step S306, finally the content of the execution result is obtained and returned to the SOAR platform; the execution result is then fed to the scenario flow, which uses it as the basis for judging the next step and executes the next action, until the scenario flow ends.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (10)

1. A script engine system based on an SOAR platform, the system comprising:
the receiving module is used for receiving request parameters transmitted by the SOAR platform request gateway; wherein the request parameters include script, script language type and script parameters;
the multi-language script support module is used for carrying out corresponding analysis processing on the script based on the script language type to obtain an analysis result;
and the script management module is used for executing corresponding script tasks through independent threads according to the request parameters under the condition that the analysis result meets the requirements, obtaining an execution result and returning the execution result to the SOAR platform.
2. The system of claim 1, wherein the multi-language script support module comprises:
the Python script supporting module is used for dynamically compiling the content of the script and checking the normalization of the script under the condition that the script language type is the Python language type; if the normalization check is not passed or the dynamic compiling fails, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform;
the Shell script support module is used for checking whether dangerous command content exists in the script under the condition that the script language type is the Shell language type; if dangerous command content exists, the analysis result does not meet the requirement, and a dangerous command prompt and an optimization suggestion are returned to the SOAR platform;
the Golang script support module is used for automatically compiling and packaging the script into a binary executable file under the condition that the script language type is Golang language type; if the compiling and packaging are failed, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
3. The system of claim 2, wherein the Python script support module comprises:
the dependency package management module is used for installing, updating and upgrading the third-party library dependency packages required by a Python script before the SOAR platform performs script arrangement;
the log storage module is used for storing logs generated during updating or upgrading of the dependent package;
the Python environment executor is used for dynamically compiling the content of the Python script, and if the dynamic compiling fails, the error reporting information is returned to the SOAR platform;
and the Python grammar standardability checking module is used for checking standardability of the Python script, and if standardability checking is not passed, returning error reporting information to the SOAR platform.
4. The system of claim 2, wherein the Shell script support module comprises:
the dangerous command detection module is used for checking whether a dangerous command exists in the Shell script before the SOAR platform performs script arrangement;
the optimization suggestion module is used for providing corresponding optimization suggestions under the condition that dangerous commands exist in the Shell script or the execution of the Shell script fails.
5. The system of claim 2, wherein the Golang script support module comprises:
the debugging environment module is used for debugging the running environment of the Golang script;
and the compiling and packing module is used for compiling and packing the Golang script into a binary file for execution when the SOAR platform performs script arrangement.
6. The system of claim 2, wherein the script management module comprises:
the script online editing module is used for providing online editing of Python scripts, shell scripts and Golang scripts, and is adapted to the SOAR platform for scenario editing;
the script real-time debugging module is used for carrying out real-time debugging on the Python script, the Shell script and the Golang script which are edited on line to obtain a debugging result;
the script execution module is used for executing corresponding script tasks according to the request parameters transmitted by the SOAR platform;
the SOAR script built-in package management module is used for updating or upgrading the SOAR platform built-in package;
and the script information management module is used for storing the script edited by the script online editing module or the script debugged by the script real-time debugging module.
7. A method for executing a script based on an SOAR platform, the method comprising:
receiving request parameters transmitted by an SOAR platform request gateway; wherein the request parameters include script, script language type and script parameters;
performing corresponding analysis processing on the script based on the script language type to obtain an analysis result;
under the condition that the analysis result meets the requirement, executing a corresponding script task through an independent thread according to the request parameter to obtain an execution result;
and returning the execution result to the SOAR platform through the gateway.
8. The method of claim 7, wherein the performing a corresponding parsing process on the script based on the script language type to obtain a parsing result comprises:
if the script language type is Python language type, dynamically compiling the content of the script and checking the standardization of the script at the same time; if the normalization check is not passed or the dynamic compiling fails, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform;
if the script language type is the Shell language type, checking whether dangerous command content exists in the script; if dangerous command content exists, the analysis result does not meet the requirement, and a dangerous command prompt and an optimization suggestion are returned to the SOAR platform;
if the script language type is Golang language type, automatically compiling and packaging the script into a binary executable file; if the compiling and packaging are failed, the analysis result does not meet the requirement, and error reporting information is returned to the SOAR platform.
9. A scenario editing system based on an SOAR platform; characterized in that the system comprises:
the registry is used for storing interface addresses of the script engine system;
the scenario flow module is used for responding to the triggering of the safety case and executing scenario flow;
the gateway is used for acquiring an interface address of the script engine system from the registry and transmitting the request parameters to the script engine system through the interface address; wherein the request parameters include script, script language type and script parameters; the request parameters are used for executing the scenario flow;
the script engine system is used for receiving the request parameters, and carrying out corresponding analysis processing on the script based on the script language type to obtain an analysis result; under the condition that the analysis result meets the requirement, executing a corresponding script task through an independent thread according to the request parameters to obtain an execution result; and returning the execution result to the scenario flow module through the gateway;
and the scenario flow module is also used for receiving the execution result and continuously executing the next action of the scenario flow based on the execution result until the scenario flow is executed.
10. A scenario editing method based on an SOAR platform; characterized in that the method comprises:
executing a scenario flow in response to the triggering of the security case;
acquiring an interface address of a script engine system from a registry by calling a gateway;
transmitting request parameters to the script engine system through the interface address; wherein the request parameters include script, script language type and script parameters; the script engine system is used for receiving the request parameters, carrying out corresponding analysis processing on the script based on the script language type to obtain an analysis result, executing a corresponding script task through an independent thread according to the request parameters under the condition that the analysis result meets the requirement to obtain an execution result, and returning the execution result to the scenario flow through the gateway;
and continuing to execute the next action of the scenario flow based on the execution result until the execution of the scenario flow is finished.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311123443.5A CN117318998A (en) 2023-08-31 2023-08-31 Script engine system based on SOAR platform, script editing system and method


Publications (1)

Publication Number Publication Date
CN117318998A true CN117318998A (en) 2023-12-29

Family

ID=89283898



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination