soc

package v1.0.0 (not the latest version of its module)
Published: Mar 31, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package soc provides application services for the SENTINEL AI SOC subsystem. The package comments of its source files describe three areas:

  • SOC analytics: event trends, severity distribution, top sources, MITRE ATT&CK coverage, and time-series aggregation.
  • Threat intelligence feed integration for enriching SOC events and correlation rules. Supports:
      • STIX/TAXII 2.1 feeds (JSON)
      • CSV IOC lists (hashes, IPs, domains)
      • Local file-based IOC database
      • Periodic background refresh
  • Outbound SOAR webhook notifications for the SOC pipeline: an HTTP POST fires on incident creation/update. (This file's doc comment reads "Package webhook", but its types are part of package soc.)

Index

Constants

View Source
const MaxAnalyticsEvents = 100000

MaxAnalyticsEvents caps the event fetch for analytics reports to prevent OOM.

View Source
const (
	// MaxEventsPerSecondPerSensor limits event ingest rate per sensor (§17.3).
	MaxEventsPerSecondPerSensor = 100
)

Variables

This section is empty.

Functions

func DefaultSLAThresholds

func DefaultSLAThresholds() map[string]SLAThreshold

DefaultSLAThresholds returns SLA targets per severity.

Types

type AnalyticsReport

type AnalyticsReport struct {
	GeneratedAt time.Time `json:"generated_at"`
	TimeRange   struct {
		From time.Time `json:"from"`
		To   time.Time `json:"to"`
	} `json:"time_range"`

	// Event analytics
	EventTrend           []TimeSeriesPoint    `json:"event_trend"`
	SeverityDistribution SeverityDistribution `json:"severity_distribution"`
	TopSources           []SourceBreakdown    `json:"top_sources"`
	TopCategories        []CategoryBreakdown  `json:"top_categories"`

	// Incident analytics
	IncidentTimeline IncidentTimeline `json:"incident_timeline"`
	MTTR             float64          `json:"mttr_hours"` // Mean Time to Resolve

	// Derived KPIs
	EventsPerHour float64 `json:"events_per_hour"`
	IncidentRate  float64 `json:"incident_rate"` // incidents / 100 events
}

AnalyticsReport is the full SOC analytics output.

func GenerateReport

func GenerateReport(events []domsoc.SOCEvent, incidents []domsoc.Incident, windowHours int) *AnalyticsReport

GenerateReport builds a full analytics report from events and incidents.

type BulkAction

type BulkAction struct {
	Action      string   `json:"action"` // assign, status, close, delete
	IncidentIDs []string `json:"incident_ids"`
	Value       string   `json:"value"` // analyst email, new status
	Actor       string   `json:"actor"` // who initiated
}

BulkAction defines a batch operation on incidents.

type BulkActionResult

type BulkActionResult struct {
	Affected int      `json:"affected"`
	Failed   int      `json:"failed"`
	Errors   []string `json:"errors,omitempty"`
}

BulkActionResult is the result of a batch operation.

type CategoryBreakdown

type CategoryBreakdown struct {
	Category string `json:"category"`
	Count    int    `json:"count"`
}

CategoryBreakdown counts events per category.

type ComplianceData

type ComplianceData struct {
	Framework    string                  `json:"framework"`
	GeneratedAt  time.Time               `json:"generated_at"`
	Requirements []ComplianceRequirement `json:"requirements"`
	Overall      string                  `json:"overall"`
}

ComplianceData holds an EU AI Act compliance report (§12.3).

type ComplianceRequirement

type ComplianceRequirement struct {
	ID          string   `json:"id"`
	Description string   `json:"description"`
	Status      string   `json:"status"` // COMPLIANT, PARTIAL, NON_COMPLIANT
	Evidence    []string `json:"evidence"`
	Gap         string   `json:"gap,omitempty"`
}

ComplianceRequirement is a single compliance check.

type DashboardData

type DashboardData struct {
	TotalEvents      int                         `json:"total_events"`
	EventsLastHour   int                         `json:"events_last_hour"`
	OpenIncidents    int                         `json:"open_incidents"`
	SensorStatus     map[domsoc.SensorStatus]int `json:"sensor_status"`
	ChainValid       bool                        `json:"chain_valid"`
	ChainLength      int                         `json:"chain_length"`
	ChainHeadHash    string                      `json:"chain_head_hash"`
	ChainBrokenLine  int                         `json:"chain_broken_line,omitempty"`
	CorrelationRules int                         `json:"correlation_rules"`
	ActivePlaybooks  int                         `json:"active_playbooks"`
}

DashboardData holds SOC KPI metrics (§12.2).

func (*DashboardData) JSON

func (d *DashboardData) JSON() string

JSON returns the dashboard as a JSON string.

type FeedSync

type FeedSync struct {
	// contains filtered or unexported fields
}

FeedSync syncs IOCs from STIX/TAXII feeds into the ThreatIntelStore.

func NewFeedSync

func NewFeedSync(store *ThreatIntelStore, feeds []STIXFeedConfig) *FeedSync

NewFeedSync creates a feed synchronizer.

func (*FeedSync) Start

func (f *FeedSync) Start(done <-chan struct{})

Start begins polling all enabled feeds in the background.

type IOC

type IOC struct {
	Type       IOCType   `json:"type"`
	Value      string    `json:"value"`
	Source     string    `json:"source"`   // Feed name
	Severity   string    `json:"severity"` // critical/high/medium/low
	Tags       []string  `json:"tags"`     // MITRE ATT&CK, campaign, etc.
	FirstSeen  time.Time `json:"first_seen"`
	LastSeen   time.Time `json:"last_seen"`
	Confidence float64   `json:"confidence"` // 0.0-1.0
}

IOC is an Indicator of Compromise.

type IOCType

type IOCType string

IOCType represents the type of Indicator of Compromise.

const (
	IOCTypeIP     IOCType = "ipv4-addr"
	IOCTypeDomain IOCType = "domain-name"
	IOCTypeHash   IOCType = "file:hashes"
	IOCTypeURL    IOCType = "url"
	IOCCVE        IOCType = "vulnerability"
	IOCPattern    IOCType = "pattern"
)

type IncidentFilter

type IncidentFilter struct {
	Status     string `json:"status"`
	Severity   string `json:"severity"`
	AssignedTo string `json:"assigned_to"`
	Search     string `json:"search"`
	Source     string `json:"source"` // correlation_rule
	DateFrom   string `json:"date_from"`
	DateTo     string `json:"date_to"`
	Page       int    `json:"page"`
	Limit      int    `json:"limit"`
	SortBy     string `json:"sort_by"`
	SortOrder  string `json:"sort_order"` // asc, desc
}

IncidentFilter defines advanced filter criteria for incidents.

type IncidentFilterResult

type IncidentFilterResult struct {
	Incidents  []domsoc.Incident `json:"incidents"`
	Total      int               `json:"total"`
	Page       int               `json:"page"`
	Limit      int               `json:"limit"`
	TotalPages int               `json:"total_pages"`
}

IncidentFilterResult is a paginated incidents response.

type IncidentTimeline

type IncidentTimeline struct {
	Created  []TimeSeriesPoint `json:"created"`
	Resolved []TimeSeriesPoint `json:"resolved"`
}

IncidentTimeline shows incident trend.

type PlaybookResult

type PlaybookResult struct {
	PlaybookID string                  `json:"playbook_id"`
	IncidentID string                  `json:"incident_id"`
	Actions    []domsoc.PlaybookAction `json:"actions"`
	Status     string                  `json:"status"`
}

PlaybookResult represents the result of a manual playbook run.

type SLAStatus

type SLAStatus struct {
	ResponseBreached    bool    `json:"response_breached"`
	ResolutionBreached  bool    `json:"resolution_breached"`
	ResponseRemaining   float64 `json:"response_remaining_min"` // minutes remaining (negative = breached)
	ResolutionRemaining float64 `json:"resolution_remaining_min"`
	ResponseTarget      float64 `json:"response_target_min"`
	ResolutionTarget    float64 `json:"resolution_target_min"`
}

SLAStatus represents an incident's SLA compliance state.

func CalculateSLA

func CalculateSLA(inc *domsoc.Incident) *SLAStatus

CalculateSLA computes SLA status for an incident.

type SLAThreshold

type SLAThreshold struct {
	Severity       string        `json:"severity"`
	ResponseTime   time.Duration `json:"response_time"`   // max time to assign
	ResolutionTime time.Duration `json:"resolution_time"` // max time to resolve
}

SLAThreshold defines response/resolution time targets per severity.

type STIXBundle

type STIXBundle struct {
	Type    string       `json:"type"` // "bundle"
	ID      string       `json:"id"`
	Objects []STIXObject `json:"objects"`
}

STIXBundle represents a STIX 2.1 bundle (simplified).

type STIXFeedConfig

type STIXFeedConfig struct {
	Name     string            `json:"name"`     // Feed name (e.g., "OTX", "MISP")
	URL      string            `json:"url"`      // TAXII or HTTP feed URL
	APIKey   string            `json:"api_key"`  // Authentication key
	Headers  map[string]string `json:"headers"`  // Additional headers
	Interval time.Duration     `json:"interval"` // Poll interval (default: 1h)
	Enabled  bool              `json:"enabled"`
}

STIXFeedConfig configures automatic STIX feed polling.

func DefaultOTXFeed

func DefaultOTXFeed(apiKey string) STIXFeedConfig

DefaultOTXFeed returns a pre-configured AlienVault OTX feed config.

type STIXObject

type STIXObject struct {
	Type        string    `json:"type"` // indicator, malware, attack-pattern, etc.
	ID          string    `json:"id"`
	Created     time.Time `json:"created"`
	Modified    time.Time `json:"modified"`
	Name        string    `json:"name,omitempty"`
	Description string    `json:"description,omitempty"`
	Pattern     string    `json:"pattern,omitempty"`      // STIX pattern (indicators)
	PatternType string    `json:"pattern_type,omitempty"` // stix, pcre, sigma
	ValidFrom   time.Time `json:"valid_from,omitempty"`
	Labels      []string  `json:"labels,omitempty"`
	// Kill chain phases for attack-pattern objects.
	KillChainPhases []struct {
		KillChainName string `json:"kill_chain_name"`
		PhaseName     string `json:"phase_name"`
	} `json:"kill_chain_phases,omitempty"`
	// External references (CVE, etc.)
	ExternalReferences []struct {
		SourceName  string `json:"source_name"`
		ExternalID  string `json:"external_id,omitempty"`
		URL         string `json:"url,omitempty"`
		Description string `json:"description,omitempty"`
	} `json:"external_references,omitempty"`
}

STIXObject represents a generic STIX 2.1 object.
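As an added example (not code from the soc package), the following Go program shows how the indicator patterns inside a STIX 2.1 bundle of the shape above can be turned into IOC values for the store. The IOCType, IOC and stixObject types are local copies of the page's types, the bundle is constructed for the example, and the pattern handling (only equality terms, OR and AND both split) is this example's own choice, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// IOCType and IOC are local copies shaped like the page's types (assumed), so this file compiles alone.
type IOCType string

const (
	IOCTypeIP     IOCType = "ipv4-addr"
	IOCTypeDomain IOCType = "domain-name"
	IOCTypeHash   IOCType = "file:hashes"
)

type IOC struct {
	Type      IOCType
	Value     string
	Source    string
	Tags      []string
	FirstSeen time.Time
}

// stixObject holds the subset of the page's STIXObject fields this extractor reads.
type stixObject struct {
	Type        string    `json:"type"`
	Pattern     string    `json:"pattern"`
	PatternType string    `json:"pattern_type"`
	ValidFrom   time.Time `json:"valid_from"`
	Labels      []string  `json:"labels"`
}

// comparisonRe matches one "object-path = 'literal'" term of a STIX pattern, e.g.
// ipv4-addr:value = '203.0.113.9' or file:hashes.'SHA-256' = '...'.
var comparisonRe = regexp.MustCompile(`([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'`)

// pathType maps STIX object paths onto the page's IOCType vocabulary; file:hashes.* is handled separately.
var pathType = map[string]IOCType{"ipv4-addr:value": IOCTypeIP, "domain-name:value": IOCTypeDomain}

// ExtractIOCs decodes a STIX 2.1 bundle and returns the atomic indicators from indicator
// objects whose pattern_type is "stix" (the default when omitted). Every equality term
// becomes one IOC, so "[a OR b]" yields two; "[a AND b]" is split the same way, which
// over-approximates. Terms using !=, LIKE or MATCHES name no single value and are skipped.
func ExtractIOCs(raw []byte, feedName string) ([]IOC, error) {
	var b struct {
		Type    string       `json:"type"`
		Objects []stixObject `json:"objects"`
	}
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, fmt.Errorf("decode bundle: %w", err)
	}
	if b.Type != "bundle" {
		return nil, fmt.Errorf("expected a STIX bundle, got type %q", b.Type)
	}
	var out []IOC
	for _, obj := range b.Objects {
		if obj.Type != "indicator" || (obj.PatternType != "" && obj.PatternType != "stix") {
			continue // malware, attack-pattern, relationship objects, and pcre/sigma/snort/yara patterns
		}
		for _, m := range comparisonRe.FindAllStringSubmatch(obj.Pattern, -1) {
			t, ok := pathType[m[1]]
			if strings.HasPrefix(m[1], "file:hashes.") {
				t, ok = IOCTypeHash, true // MD5, SHA-1 and SHA-256 share one bucket, as on the page
			}
			v := strings.ToLower(strings.TrimSpace(m[2])) // domains and hex digests compare case-insensitively
			if !ok || v == "" {
				continue // ipv6-addr, email-addr, x509-certificate, ... are not modelled here
			}
			out = append(out, IOC{Type: t, Value: v, Source: feedName, Tags: obj.Labels, FirstSeen: obj.ValidFrom})
		}
	}
	return out, nil
}

// sampleBundle is constructed for this example; it is not data from any real feed.
const sampleBundle = `{"type": "bundle", "id": "bundle--9c3c1d0e-0000-4000-8000-000000000001", "objects": [
 {"type": "indicator", "pattern_type": "stix", "valid_from": "2026-03-01T00:00:00Z", "labels": ["malicious-activity", "c2"],
  "pattern": "[ipv4-addr:value = '198.51.100.23' OR ipv4-addr:value = '203.0.113.9']"},
 {"type": "indicator", "valid_from": "2026-03-02T00:00:00Z", "labels": ["malicious-activity"],
  "pattern": "[domain-name:value = 'Update-Check.example.net']"},
 {"type": "indicator", "pattern_type": "stix", "valid_from": "2026-03-03T00:00:00Z", "labels": ["malicious-activity"],
  "pattern": "[file:hashes.'SHA-256' = '4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A']"},
 {"type": "indicator", "pattern_type": "sigma", "pattern": "title: Suspicious PowerShell\nlogsource: {product: windows}"},
 {"type": "attack-pattern", "name": "Phishing"}
]}`

func main() {
	iocs, err := ExtractIOCs([]byte(sampleBundle), "constructed-feed")
	if err != nil {
		panic(err)
	}
	for _, i := range iocs {
		fmt.Printf("%-12s %-64s tags=%v since=%s\n", i.Type, i.Value, i.Tags, i.FirstSeen.Format("2006-01-02"))
	}
}
```

Splitting AND patterns into independent IOCs trades precision for simplicity; a production feed loader should either keep compound patterns as correlation rules or drop them, since matching one term of an AND pattern alone will raise false positives.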

type Service

type Service struct {
	// contains filtered or unexported fields
}

Service orchestrates the SOC event pipeline: Step 0: Secret Scanner (INVARIANT) → DIP → Decision Logger → Persist → Correlation. IngestEvent documents the full step list, including sensor authentication and per-sensor rate limiting.

func NewService

func NewService(repo domsoc.SOCRepository, logger *audit.DecisionLogger) *Service

NewService creates a SOC service with persistence and decision logging.

func (*Service) AddCustomRules

func (s *Service) AddCustomRules(rules []domsoc.SOCCorrelationRule)

AddCustomRules appends YAML-loaded custom correlation rules (§7.5).

func (*Service) AddIncidentNote

func (s *Service) AddIncidentNote(id, author, content string) (*domsoc.IncidentNote, error)

AddIncidentNote adds an investigation note to an incident.

func (*Service) AddWaitlistEntry

func (s *Service) AddWaitlistEntry(email, company, useCase string)

AddWaitlistEntry records a waitlist registration interest. Currently logs to the audit trail — DB persistence added when registration opens.

func (*Service) Analytics

func (s *Service) Analytics(windowHours int) (*AnalyticsReport, error)

Analytics generates a full SOC analytics report for the given time window.

func (*Service) AnomalyDetector

func (s *Service) AnomalyDetector() *domsoc.AnomalyDetector

AnomalyDetector returns the anomaly detection engine (§5).

func (*Service) AssignIncident

func (s *Service) AssignIncident(id, analyst string) error

AssignIncident assigns an analyst to an incident.

func (*Service) BulkUpdateIncidents

func (s *Service) BulkUpdateIncidents(action BulkAction) (*BulkActionResult, error)

BulkUpdateIncidents performs batch operations on multiple incidents.

func (*Service) ChangeIncidentStatus

func (s *Service) ChangeIncidentStatus(id string, status domsoc.IncidentStatus, actor string) error

ChangeIncidentStatus changes the status of an incident with actor tracking.

func (*Service) CheckSensors

func (s *Service) CheckSensors() []domsoc.Sensor

CheckSensors runs heartbeat check on all sensors (§11.3). Returns sensors that transitioned to OFFLINE (need SOC alert).

func (*Service) ClusterStats

func (s *Service) ClusterStats() map[string]any

ClusterStats returns Alert Clustering engine statistics (§7.6).

func (*Service) ComplianceReport

func (s *Service) ComplianceReport() (*ComplianceData, error)

ComplianceReport generates an EU AI Act Article 15 compliance report (§12.3).

func (*Service) Dashboard

func (s *Service) Dashboard(tenantID string) (*DashboardData, error)

Dashboard returns SOC KPI metrics, scoped to tenant.

func (*Service) DecisionLogPath

func (s *Service) DecisionLogPath() string

DecisionLogPath returns the decision log file path for chain verification.
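The decision log that DecisionLogPath points at is described on this page only as a SHA-256 chain with Zero-G tagging (IngestEvent, Step 1) whose state surfaces as chain_valid, chain_length, chain_head_hash and chain_broken_line in DashboardData. The following is an added example, not the project's DecisionLogger, of how such a chain can be written and verified; the line format, the genesis value and the field names are assumptions made for the example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"time"
)

// ChainEntry is one NDJSON line of the decision log. The field set is an assumption
// for this example; the page only says the log is a SHA-256 chain with Zero-G tags.
type ChainEntry struct {
	Seq      int       `json:"seq"`
	Time     time.Time `json:"time"`
	EventID  string    `json:"event_id"`
	Decision string    `json:"decision"`
	ZeroG    bool      `json:"zero_g"`
	Prev     string    `json:"prev"` // hash of the previous line; genesisHash on line 1
	Hash     string    `json:"hash"` // hash of this entry serialised with Hash empty
}

const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash digests the entry with Hash cleared. encoding/json emits struct fields in
// declaration order, so the serialisation, and therefore the digest, is deterministic.
func entryHash(e ChainEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // cannot fail for this fixed struct
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ChainLog is an in-memory appender standing in for the file at DecisionLogPath().
type ChainLog struct {
	entries []ChainEntry
	head    string
}

func NewChainLog() *ChainLog { return &ChainLog{head: genesisHash} }

func (l *ChainLog) Append(at time.Time, eventID, decision string, zeroG bool) ChainEntry {
	e := ChainEntry{Seq: len(l.entries) + 1, Time: at.UTC(), EventID: eventID, Decision: decision, ZeroG: zeroG, Prev: l.head}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	l.head = e.Hash
	return e
}

// Lines renders the log as a verifier would read it back from disk.
func (l *ChainLog) Lines() string {
	var sb strings.Builder
	for _, e := range l.entries {
		b, _ := json.Marshal(e)
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String()
}

// ChainStatus carries the same facts as the chain_* fields of the page's DashboardData.
type ChainStatus struct {
	Valid      bool
	Length     int
	HeadHash   string
	BrokenLine int // 1-based line of the first failure; 0 when valid
}

// VerifyChain re-derives every hash and checks each line's prev pointer and sequence
// number, so edits, reordering and deletions are caught at the first affected line.
// Trailing lines are the exception: cutting the file short leaves a valid, shorter
// chain, so HeadHash must also be compared with a value recorded out of band.
func VerifyChain(r io.Reader) (ChainStatus, error) {
	st := ChainStatus{Valid: true, HeadHash: genesisHash}
	sc := bufio.NewScanner(r)
	for line := 1; sc.Scan(); line++ {
		var e ChainEntry
		err := json.Unmarshal(sc.Bytes(), &e)
		if err != nil || e.Seq != line || e.Prev != st.HeadHash || entryHash(e) != e.Hash {
			return ChainStatus{Length: line - 1, HeadHash: st.HeadHash, BrokenLine: line}, err
		}
		st.Length, st.HeadHash = line, e.Hash
	}
	return st, sc.Err()
}

func main() {
	log := NewChainLog()
	t0 := time.Date(2026, 3, 31, 12, 0, 0, 0, time.UTC)
	log.Append(t0, "evt-1", "allow", false)
	log.Append(t0.Add(time.Second), "evt-2", "block", true)
	good := log.Lines()
	st, _ := VerifyChain(strings.NewReader(good))
	fmt.Printf("intact:   valid=%v length=%d head=%s...\n", st.Valid, st.Length, st.HeadHash[:16])
	st, _ = VerifyChain(strings.NewReader(strings.Replace(good, `"decision":"block"`, `"decision":"allow"`, 1)))
	fmt.Printf("tampered: valid=%v broken_line=%d\n", st.Valid, st.BrokenLine)
}
```

The truncation caveat is the one that matters operationally: a hash chain proves nothing about lines that were never written or were removed from the tail, so the head hash has to be anchored somewhere the log writer cannot reach (the dashboard's chain_head_hash, a remote peer, or a signed checkpoint).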

func (*Service) DeregisterSensor

func (s *Service) DeregisterSensor(id string)

DeregisterSensor removes a sensor from the SOC.

func (*Service) DisableRateLimit

func (s *Service) DisableRateLimit()

DisableRateLimit disables per-sensor rate limiting (for benchmarks only).

func (*Service) Drain

func (s *Service) Drain()

Drain puts the service into drain mode (§15.7 Stage 1). New events are rejected with ErrDraining; existing processing continues.

func (*Service) EventBus

func (s *Service) EventBus() *domsoc.EventBus

EventBus returns the real-time event bus for SSE subscribers.

func (*Service) ExportIncidents

func (s *Service) ExportIncidents(sourcePeerID string) []peer.SyncIncident

ExportIncidents converts all current incidents into portable SyncIncident format for P2P synchronization (§10 T-01).

func (*Service) ExportIncidentsCSV

func (s *Service) ExportIncidentsCSV(f IncidentFilter) ([]byte, error)

ExportIncidentsCSV generates CSV data for incidents.

func (*Service) GetIncident

func (s *Service) GetIncident(id string) (*domsoc.Incident, error)

GetIncident returns an incident by ID.

func (*Service) GetIncidentDetail

func (s *Service) GetIncidentDetail(id string) (*domsoc.Incident, error)

GetIncidentDetail returns full incident with notes and timeline.

func (*Service) GetKillChain

func (s *Service) GetKillChain(incidentID string) (*domsoc.KillChain, error)

GetKillChain reconstructs the Kill Chain for a given incident (§8).

func (*Service) GetRecentDecisions

func (s *Service) GetRecentDecisions(limit int) []map[string]any

GetRecentDecisions returns audit metadata for the decision log (§9). Note: Full decision retrieval requires extending DecisionLogger in a future phase.

func (*Service) GetWebhookConfig

func (s *Service) GetWebhookConfig() *WebhookConfig

GetWebhookConfig returns current webhook configuration.

func (*Service) ImportIncidents

func (s *Service) ImportIncidents(incidents []peer.SyncIncident) (int, error)

ImportIncidents ingests incidents from a trusted peer (§10 T-01). Semantics are insert-if-absent: incidents whose IDs are not yet known are created, and existing IDs are skipped rather than overwritten, so a peer cannot alter incidents this node already holds. Returns the number of newly imported incidents.

func (*Service) IngestEvent

func (s *Service) IngestEvent(event domsoc.SOCEvent) (string, *domsoc.Incident, error)

IngestEvent processes an incoming security event through the SOC pipeline. Returns the event ID and any incident created by correlation.

Pipeline (§5.2):

Step -1: Sensor Authentication — pre-shared key validation (§17.3 T-01)
Step 0: Secret Scanner — INVARIANT, cannot be disabled (§5.4)
Step 0.5: Rate Limiting — per sensor ≤100 events/sec (§17.3)
Step 1: Decision Logger — SHA-256 chain with Zero-G tagging (§5.6, §13.4)
Step 2: Persist event to SQLite
Step 3: Update sensor registry (§11.3)
Step 4: Run correlation engine (§7)
Step 5: Apply playbooks (§10)
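Steps -1 and 0.5 of the pipeline, as an added example rather than the service's own code: a gate that validates a per-sensor pre-shared key in constant time and then applies a per-sensor token bucket at MaxEventsPerSecondPerSensor. How the sensor presents its key (here, a field on the event) and the token-bucket shape are assumptions; the page states only the limit and the fail-open behaviour of SetSensorKeys when no keys are configured.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// MaxEventsPerSecondPerSensor is the page's ingest cap (§17.3).
const MaxEventsPerSecondPerSensor = 100

var (
	ErrUnauthenticated = errors.New("sensor authentication failed")
	ErrRateLimited     = errors.New("per-sensor rate limit exceeded")
)

// Event stands in for domsoc.SOCEvent with only the fields this gate reads. How a
// sensor presents its key is an assumption: here it travels as a field on the event.
type Event struct {
	SensorID string
	AuthKey  string
}

// bucket is a token bucket whose capacity and refill rate both equal the per-second
// cap: a sensor may burst one second's worth of events, then sustains 100/s.
type bucket struct {
	tokens float64
	last   time.Time
}

// Gate implements Step -1 (pre-shared key check) and Step 0.5 (rate limit) of the
// IngestEvent pipeline. Authentication runs first so that a client which cannot
// authenticate cannot exhaust a real sensor's budget by spoofing its sensor ID.
type Gate struct {
	mu      sync.Mutex
	keys    map[string]string
	buckets map[string]*bucket
	rate    float64
	now     func() time.Time
}

// NewGate takes sensor ID → key and a clock (nil means time.Now). As with the page's
// SetSensorKeys, an empty key map disables authentication and every sensor ID is accepted.
func NewGate(keys map[string]string, now func() time.Time) *Gate {
	if now == nil {
		now = time.Now
	}
	return &Gate{keys: keys, buckets: map[string]*bucket{}, rate: MaxEventsPerSecondPerSensor, now: now}
}

// Admit returns nil when the event may continue down the pipeline.
func (g *Gate) Admit(ev Event) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if len(g.keys) > 0 {
		// Constant-time comparison: a wrong key is not distinguishable by how many leading bytes
		// matched. Sensor IDs are not secret, so leaking whether an ID is registered is acceptable.
		want, known := g.keys[ev.SensorID]
		if !known || subtle.ConstantTimeCompare([]byte(want), []byte(ev.AuthKey)) != 1 {
			return ErrUnauthenticated
		}
	}
	now := g.now()
	b, ok := g.buckets[ev.SensorID]
	if !ok {
		b = &bucket{tokens: g.rate, last: now}
		g.buckets[ev.SensorID] = b
	}
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 { // ignore a clock that went backwards
		b.tokens += elapsed * g.rate
		if b.tokens > g.rate {
			b.tokens = g.rate
		}
		b.last = now
	}
	if b.tokens < 1 {
		return ErrRateLimited // nothing consumed; the sensor should back off and retry
	}
	b.tokens--
	return nil
}

func main() {
	g := NewGate(map[string]string{"sensor-a": "constructed-psk-a"}, nil)
	ev := Event{SensorID: "sensor-a", AuthKey: "constructed-psk-a"}
	admitted, limited := 0, 0
	for i := 0; i < 150; i++ { // a burst well inside one second
		switch g.Admit(ev) {
		case nil:
			admitted++
		case ErrRateLimited:
			limited++
		}
	}
	fmt.Printf("burst of 150: admitted=%d limited=%d\n", admitted, limited)
	fmt.Println("wrong key:", g.Admit(Event{SensorID: "sensor-a", AuthKey: "guess"}))
}
```

The injectable clock is what makes the limiter testable without sleeping; in the service, NewGate(keys, nil) gives the real clock. Rejected events are not charged against the bucket, so a sensor that keeps sending after ErrRateLimited gains nothing and is never starved once it slows down.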

func (*Service) IsDraining

func (s *Service) IsDraining() bool

IsDraining returns true if the service is in drain mode.

func (*Service) ListEvents

func (s *Service) ListEvents(tenantID string, limit int) ([]domsoc.SOCEvent, error)

ListEvents returns recent events with optional limit, scoped to tenant.

func (*Service) ListIncidents

func (s *Service) ListIncidents(tenantID string, status string, limit int) ([]domsoc.Incident, error)

ListIncidents returns incidents, optionally filtered by status, scoped to tenant.

func (*Service) ListIncidentsAdvanced

func (s *Service) ListIncidentsAdvanced(f IncidentFilter) (*IncidentFilterResult, error)

ListIncidentsAdvanced filters incidents with multi-field criteria and pagination.

func (*Service) ListRules

func (s *Service) ListRules() []domsoc.SOCCorrelationRule

ListRules returns all active correlation rules (built-in + custom).

func (*Service) ListSensors

func (s *Service) ListSensors(tenantID string) ([]domsoc.Sensor, error)

ListSensors returns registered sensors, scoped to tenant.

func (*Service) P2PSync

func (s *Service) P2PSync() *domsoc.P2PSyncService

P2PSync returns the P2P SOC sync engine (§14).

func (*Service) PlaybookEngine

func (s *Service) PlaybookEngine() *domsoc.PlaybookEngine

PlaybookEngine returns the playbook execution engine (§10).

func (*Service) RecordHeartbeat

func (s *Service) RecordHeartbeat(sensorID string) (bool, error)

RecordHeartbeat processes a sensor heartbeat (§11.3).

func (*Service) RegisterSensor

func (s *Service) RegisterSensor(id, name, sensorType string)

RegisterSensor adds or updates a sensor in the SOC.

func (*Service) Repo

func (s *Service) Repo() domsoc.SOCRepository

Repo returns the underlying SOC repository (used for demo seed injection).

func (*Service) Resume

func (s *Service) Resume()

Resume exits drain mode, re-enabling event ingestion.

func (*Service) RetentionPolicy

func (s *Service) RetentionPolicy() *domsoc.DataRetentionPolicy

RetentionPolicy returns the data retention policy engine (§19).

func (*Service) RunPlaybook

func (s *Service) RunPlaybook(playbookID, incidentID string) (*PlaybookResult, error)

RunPlaybook manually executes a playbook against an incident (§10, §12.1).

func (*Service) SetSensorKeys

func (s *Service) SetSensorKeys(keys map[string]string)

SetSensorKeys configures pre-shared keys for sensor authentication (§17.3 T-01). If keys is nil or empty, authentication is disabled and all events are accepted: the check fails open, so any client that can reach the ingest path can submit events under any sensor ID until keys are configured.

func (*Service) SetThreatIntel

func (s *Service) SetThreatIntel(store *ThreatIntelStore)

SetThreatIntel configures the threat intelligence store for IOC enrichment.

func (*Service) SetWebhookConfig

func (s *Service) SetWebhookConfig(config WebhookConfig)

SetWebhookConfig configures SOAR webhook notifications. If config has no endpoints, webhooks are disabled.

func (*Service) StartRetentionScheduler

func (s *Service) StartRetentionScheduler(ctx context.Context, interval time.Duration)

StartRetentionScheduler runs a background goroutine that periodically purges expired events and incidents (§19 Data Retention). Default interval: 1 hour. Stops when ctx is cancelled.

func (*Service) TestWebhook

func (s *Service) TestWebhook() []WebhookResult

TestWebhook sends a test ping to all configured webhook endpoints.

func (*Service) ThreatIntelEngine

func (s *Service) ThreatIntelEngine() *domsoc.ThreatIntelEngine

ThreatIntelEngine returns the IOC matching engine (§6).

func (*Service) UpdateVerdict

func (s *Service) UpdateVerdict(id string, status domsoc.IncidentStatus) error

UpdateVerdict updates an incident's status (manual verdict).

func (*Service) WebhookStats

func (s *Service) WebhookStats() map[string]any

WebhookStats returns SOAR webhook delivery statistics (T3-5).

func (*Service) ZeroG

func (s *Service) ZeroG() *domsoc.ZeroGMode

ZeroG returns the Zero-G Mode approval engine (§13.4).

type SeverityDistribution

type SeverityDistribution struct {
	Critical int `json:"critical"`
	High     int `json:"high"`
	Medium   int `json:"medium"`
	Low      int `json:"low"`
	Info     int `json:"info"`
}

SeverityDistribution counts events by severity.

type SourceBreakdown

type SourceBreakdown struct {
	Source string `json:"source"`
	Count  int    `json:"count"`
}

SourceBreakdown counts events per source.

type ThreatFeed

type ThreatFeed struct {
	Name      string        `json:"name"`
	URL       string        `json:"url"`
	Type      string        `json:"type"` // stix, csv, json
	Enabled   bool          `json:"enabled"`
	Interval  time.Duration `json:"interval"`
	APIKey    string        `json:"api_key,omitempty"`
	LastFetch time.Time     `json:"last_fetch"`
	IOCCount  int           `json:"ioc_count"`
	LastError string        `json:"last_error,omitempty"`
}

ThreatFeed represents a configured threat intelligence source.

type ThreatIntelStore

type ThreatIntelStore struct {

	// Stats
	TotalIOCs    int       `json:"total_iocs"`
	TotalFeeds   int       `json:"total_feeds"`
	LastRefresh  time.Time `json:"last_refresh"`
	MatchesFound int64     `json:"matches_found"`
	// contains filtered or unexported fields
}

ThreatIntelStore manages IOCs from multiple feeds.

func NewThreatIntelStore

func NewThreatIntelStore() *ThreatIntelStore

NewThreatIntelStore creates an empty threat intel store.

func (*ThreatIntelStore) AddDefaultFeeds

func (t *ThreatIntelStore) AddDefaultFeeds()

AddDefaultFeeds registers SENTINEL-native threat feeds.

func (*ThreatIntelStore) AddFeed

func (t *ThreatIntelStore) AddFeed(feed ThreatFeed)

AddFeed registers a threat intel feed.

func (*ThreatIntelStore) AddIOC

func (t *ThreatIntelStore) AddIOC(ioc IOC)

AddIOC adds or updates an indicator.

func (*ThreatIntelStore) EnrichEvent

func (t *ThreatIntelStore) EnrichEvent(sourceIP, description string) []IOC

EnrichEvent checks the event's source IP and description text against the IOC database and returns matches.
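As an added example (not the ThreatIntelStore implementation), the following shows what an EnrichEvent with this signature has to do: scan the description for indicator candidates, undo defanging such as 203[.]0[.]113[.]9 or hxxp://, and look each candidate up by type. The IOCStore type, the regexes and the sample description are this example's own; only the method names and the MatchesFound counter follow the page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"sync/atomic"
)

type IOCType string

const (
	IOCTypeIP     IOCType = "ipv4-addr"
	IOCTypeDomain IOCType = "domain-name"
	IOCTypeHash   IOCType = "file:hashes"
)

// IOC is a trimmed local copy of the page's IOC type (assumed shape).
type IOC struct {
	Type   IOCType
	Value  string
	Source string
}

// IOCStore stands in for ThreatIntelStore: an exact-match index keyed by type and
// normalised value, plus the MatchesFound counter the page exposes.
type IOCStore struct {
	index        map[string]IOC
	MatchesFound int64
}

var (
	// defang undoes the obfuscation feeds and analysts apply so indicators are not clickable.
	defang   = strings.NewReplacer("[.]", ".", "(.)", ".", "{.}", ".", "[:]", ":", "hxxp", "http")
	ipv4Re   = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	domainRe = regexp.MustCompile(`\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b`)
	hashRe   = regexp.MustCompile(`\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b`)
)

func normalise(v string) string { return strings.TrimSpace(defang.Replace(strings.ToLower(v))) }

func key(t IOCType, v string) string { return string(t) + "|" + normalise(v) }

func NewIOCStore() *IOCStore { return &IOCStore{index: map[string]IOC{}} }

// AddIOC adds or updates an indicator, as on the page.
func (s *IOCStore) AddIOC(i IOC) {
	i.Value = normalise(i.Value)
	s.index[key(i.Type, i.Value)] = i
}

// EnrichEvent follows the page's signature: the source IP is looked up directly and the
// description is scanned for IP, domain and hash candidates. A candidate that is not in
// the store costs one map lookup, so the regexes may be generous (a version string that
// looks like an IP, "p.php" that looks like a domain). Each indicator is reported once.
func (s *IOCStore) EnrichEvent(sourceIP, description string) []IOC {
	text := normalise(description)
	seen, hits := map[string]bool{}, []IOC{}
	consider := func(t IOCType, vals ...string) {
		for _, v := range vals {
			k := key(t, v)
			if i, ok := s.index[k]; ok && !seen[k] {
				seen[k] = true
				hits = append(hits, i)
			}
		}
	}
	consider(IOCTypeIP, sourceIP)
	consider(IOCTypeIP, ipv4Re.FindAllString(text, -1)...)
	consider(IOCTypeDomain, domainRe.FindAllString(text, -1)...)
	consider(IOCTypeHash, hashRe.FindAllString(text, -1)...)
	atomic.AddInt64(&s.MatchesFound, int64(len(hits)))
	return hits
}

// seedStore loads constructed indicators; none refers to a real campaign.
func seedStore() *IOCStore {
	s := NewIOCStore()
	s.AddIOC(IOC{IOCTypeIP, "198.51.100.23", "constructed-feed"})
	s.AddIOC(IOC{IOCTypeIP, "203.0.113.9", "constructed-feed"})
	s.AddIOC(IOC{IOCTypeDomain, "update-check.example.net", "constructed-feed"})
	s.AddIOC(IOC{IOCTypeHash, strings.Repeat("4f2a", 16), "constructed-feed"})
	return s
}

// sampleDescription is a constructed analyst note with defanged indicators.
const sampleDescription = "Outbound connection to hxxp://Update-Check[.]example[.]net/p.php from ws-17; " +
	"dropped payload SHA256=4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A4F2A, " +
	"second stage pulled from 203[.]0[.]113[.]9 (agent version 7.2.1.4)"

func main() {
	s := seedStore()
	for _, hit := range s.EnrichEvent("198.51.100.23", sampleDescription) {
		fmt.Printf("%-12s %-64s %s\n", hit.Type, hit.Value, hit.Source)
	}
	fmt.Println("matches_found:", atomic.LoadInt64(&s.MatchesFound))
}
```

Normalising both sides (on AddIOC and on lookup) is what makes defanged or mixed-case indicators in free text match the stored form; without it an analyst's note of "Update-Check[.]example[.]net" would silently miss a feed entry for update-check.example.net.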

func (*ThreatIntelStore) GetFeeds

func (t *ThreatIntelStore) GetFeeds() []ThreatFeed

GetFeeds returns all configured feeds with their status.

func (*ThreatIntelStore) Lookup

func (t *ThreatIntelStore) Lookup(iocType IOCType, value string) *IOC

Lookup checks if a value matches any known IOC. Returns nil if not found.

func (*ThreatIntelStore) LookupAny

func (t *ThreatIntelStore) LookupAny(value string) []*IOC

LookupAny checks a value against all IOC types (broad search).

func (*ThreatIntelStore) RefreshAll

func (t *ThreatIntelStore) RefreshAll() error

RefreshAll fetches all enabled feeds and updates IOC database.

func (*ThreatIntelStore) StartBackgroundRefresh

func (t *ThreatIntelStore) StartBackgroundRefresh(interval time.Duration, stop <-chan struct{})

StartBackgroundRefresh runs periodic feed refresh in a goroutine.

func (*ThreatIntelStore) Stats

func (t *ThreatIntelStore) Stats() map[string]interface{}

Stats returns threat intel statistics.

type TimeSeriesPoint

type TimeSeriesPoint struct {
	Timestamp time.Time `json:"timestamp"`
	Count     int       `json:"count"`
}

TimeSeriesPoint represents a single data point in time series.

type WebhookConfig

type WebhookConfig struct {
	// Endpoints is a list of webhook URLs to POST to.
	Endpoints []string `json:"endpoints"`

	// Headers are custom HTTP headers added to every request (e.g., auth tokens).
	Headers map[string]string `json:"headers,omitempty"`

	// MaxRetries is the number of retry attempts on failure (default 3).
	MaxRetries int `json:"max_retries"`

	// TimeoutSec is the HTTP client timeout in seconds (default 10).
	TimeoutSec int `json:"timeout_sec"`

	// MinSeverity filters: only incidents >= this severity trigger webhooks.
	// Empty string means all severities.
	MinSeverity domsoc.EventSeverity `json:"min_severity,omitempty"`
}

WebhookConfig holds SOAR webhook settings.

type WebhookNotifier

type WebhookNotifier struct {
	// contains filtered or unexported fields
}

WebhookNotifier handles outbound SOAR notifications.

func NewWebhookNotifier

func NewWebhookNotifier(config WebhookConfig) *WebhookNotifier

NewWebhookNotifier creates a notifier with the given config.

func (*WebhookNotifier) NotifyIncident

func (w *WebhookNotifier) NotifyIncident(eventType string, incident *domsoc.Incident) []WebhookResult

NotifyIncident sends an incident webhook to all configured endpoints. Non-blocking: fires goroutines for each endpoint.
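An added example, not the soc package's WebhookNotifier, of the delivery policy a notifier built on WebhookConfig's fields needs: custom headers for authentication, a client timeout, retries with exponential backoff for transport errors and 5xx/429 responses but not for other 4xx, and the MinSeverity filter. The Backoff field, the severity ordering and the payload field values are assumptions; delivery here is sequential, where the page's NotifyIncident fires a goroutine per endpoint.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

var severityRank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4} // domsoc.EventSeverity values, assumed

// WebhookConfig copies the page's fields; Backoff is added here as the base retry delay (doubling each retry, zero retries at once).
type WebhookConfig struct {
	Endpoints   []string
	Headers     map[string]string
	MaxRetries  int
	TimeoutSec  int
	MinSeverity string
	Backoff     time.Duration
}

type WebhookResult struct {
	Endpoint   string
	StatusCode int
	Success    bool
	Retries    int
	Error      string
}

type Notifier struct {
	cfg    WebhookConfig
	client *http.Client
}

// NewNotifier applies the page's defaults (3 retries, 10 s timeout); the timeout is what keeps a dead SOAR endpoint from stalling incident handling.
func NewNotifier(cfg WebhookConfig) *Notifier {
	if cfg.MaxRetries == 0 {
		cfg.MaxRetries = 3
	}
	if cfg.TimeoutSec == 0 {
		cfg.TimeoutSec = 10
	}
	return &Notifier{cfg: cfg, client: &http.Client{Timeout: time.Duration(cfg.TimeoutSec) * time.Second}}
}

// NotifyIncident applies MinSeverity (an empty or unknown floor notifies everything, since
// failing closed would drop alerts silently), then posts the page's payload shape to every endpoint.
func (n *Notifier) NotifyIncident(ctx context.Context, eventType, severity string, incident any) []WebhookResult {
	if floor, ok := severityRank[n.cfg.MinSeverity]; ok {
		if rank, known := severityRank[severity]; !known || rank < floor {
			return nil
		}
	}
	data, _ := json.Marshal(incident)
	body, _ := json.Marshal(map[string]any{"event_type": eventType, "timestamp": time.Now().UTC(), "source": "sentinel-soc", "data": json.RawMessage(data)})
	var results []WebhookResult
	for _, ep := range n.cfg.Endpoints {
		results = append(results, n.deliver(ctx, ep, body))
	}
	return results
}

// deliver retries transport errors, 429 and 5xx with exponential backoff; any other 4xx is final, because resending an identical request cannot fix a bad token or URL.
func (n *Notifier) deliver(ctx context.Context, endpoint string, body []byte) WebhookResult {
	res := WebhookResult{Endpoint: endpoint}
	for attempt := 0; ; attempt++ {
		res.Retries, res.StatusCode = attempt, 0
		req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
		if err != nil {
			return WebhookResult{Endpoint: endpoint, Error: err.Error()} // malformed endpoint URL
		}
		req.Header.Set("Content-Type", "application/json")
		for k, v := range n.cfg.Headers {
			req.Header.Set(k, v) // static auth tokens: the config must be protected like a secret
		}
		resp, err := n.client.Do(req)
		if err == nil {
			resp.Body.Close()
			res.StatusCode = resp.StatusCode
			res.Success = resp.StatusCode >= 200 && resp.StatusCode < 300
			err = fmt.Errorf("HTTP %d", resp.StatusCode)
		}
		if res.Success {
			return res
		}
		res.Error = err.Error()
		final := res.StatusCode >= 400 && res.StatusCode < 500 && res.StatusCode != http.StatusTooManyRequests
		if final || attempt == n.cfg.MaxRetries {
			return res
		}
		time.Sleep(n.cfg.Backoff << uint(attempt))
	}
}

func main() {
	n := NewNotifier(WebhookConfig{Endpoints: []string{"http://127.0.0.1:9/hook"}, MaxRetries: 1, Backoff: 10 * time.Millisecond})
	fmt.Printf("%+v\n", n.NotifyIncident(context.Background(), "incident_created", "critical", map[string]string{"id": "inc-demo"}))
}
```

Retrying a 401 or 403 only multiplies failed authentication attempts against the SOAR endpoint, which is why those responses are treated as final while 5xx and 429 are retried with a growing delay.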

func (*WebhookNotifier) NotifySensorOffline

func (w *WebhookNotifier) NotifySensorOffline(sensor domsoc.Sensor) []WebhookResult

NotifySensorOffline sends a sensor offline alert to all endpoints.

func (*WebhookNotifier) Stats

func (w *WebhookNotifier) Stats() (sent, failed int64)

Stats returns webhook delivery stats.

type WebhookPayload

type WebhookPayload struct {
	EventType string          `json:"event_type"` // incident_created, incident_updated, sensor_offline
	Timestamp time.Time       `json:"timestamp"`
	Source    string          `json:"source"`
	Data      json.RawMessage `json:"data"`
}

WebhookPayload is the JSON body sent to SOAR endpoints.

type WebhookResult

type WebhookResult struct {
	Endpoint   string `json:"endpoint"`
	StatusCode int    `json:"status_code"`
	Success    bool   `json:"success"`
	Retries    int    `json:"retries"`
	Error      string `json:"error,omitempty"`
}

WebhookResult tracks delivery status per endpoint.
