这篇文章介绍了一个基于大模型的多智能体安全运营中心(SOC)自动化分析助手,通过5个专用智能体系统实现威胁指标提取、VirusTotal集成、MITRE ATT&CK映射、CVE情报获取、数字取证与事件响应规划等功能。系统使用LangGraph构建流水线,可生成结构化JSON和文本报告,所有报告按时间戳保存在指定目录中,为SOC团队提供自动化安全分析和响应能力。
基于终端的多智能体安全运营中心自动化分析助手
主要功能
🔍威胁指标提取- 自动识别IP地址、域名、URL、文件哈希、电子邮件及文件路径
🦠VirusTotal集成- 结合威胁情报增强的自动化哈希分析
🎯MITRE ATT&CK映射- 依据官方企业版ATT&CK框架验证并映射攻击技术
🔐真实CVE情报- 从NVD API获取实际漏洞信息
📋数字取证与事件响应规划- 生成调查与遏制行动计划
📊安全运营中心级报告- 生成结构化JSON和易读的文本报告
💾持久化输出- 所有报告均按时间戳保存在/output/目录下
🔄多智能体编排- 基于LangGraph流水线构建的5个专用智能体系统
关键实现
1.威胁指标提取
使用few-shot的方式提取用户输入中的威胁指标。指令还是比较简单的,给定了角色、任务和输出格式。
💻系统提示词
system_prompt = ( "You are a SOC analyst specializing in IOC extraction. " "Your task is to read the incident description and extract indicators of compromise " "(IPs, domains, URLs, emails, malware hashes, file paths) " "into a valid JSON format.\n\n" "IMPORTANT RULES:\n" "- Do NOT extract memory addresses (e.g., 0x...) as hashes.\n" "- Do NOT extract usernames (e.g., 'john.doe') as emails. Emails MUST contain '@' and a domain.\n" "- Only extract valid IPv4 or IPv6 addresses." )👨用户提示词
user_prompt = f"""Incident text:{incident_text}Return ONLY a valid JSON with the following structure:{{ "ips": ["1.2.3.4", ...], "domains": ["example.com", ...], "urls": ["http://example.com/malware.exe", ...], "emails": ["user@example.com", ...], "hashes": {{ "md5": ["..."], "sha1": ["..."], "sha256": ["..."] }}, "file_paths": ["C:\\\\Windows\\\\System32\\\\...", "/tmp/malicious", ...]}}"""最后将模型提出的结果进行一次内容和格式校验。
2.VT威胁情报富化
根据哈希值在VT中查询相关记录
返回结果
return { "malicious_count": stats.get("malicious", 0), "total_engines": sum(stats.values()) if stats else 0, "permalink": f"https://www.virustotal.com/gui/file/{file_hash}", "scan_date": attributes.get("last_analysis_date", 0), "names": attributes.get("names", [])[:5], "threat_label": threat_label, "sandbox_verdicts": sandbox_verdicts[:5], "sigma_rules": sigma_rules[:3], "signature_description": signature_info }3.ATT&CK技术映射
MITRE技术映射:LLM + 官方数据库验证
用大模型根据incident_text与IOCs提议一组技术ID以及证据说明。将LLM返回的ID交给本地或线上的数据库查询,通过technique ID查找对应的信息并将结果返回。
查询ATT&CK系统提示词:
system_prompt = ( "You are a cybersecurity analyst expert in MITRE ATT&CK. " "Based on the incident description and IOCs, identify the most probable techniques " "and sub-techniques (ID Txxxx / Txxxx.xx). " "\n\nCRITICAL RULES:\n" "1. Do NOT invent IDs; use only valid MITRE ATT&CK Enterprise IDs.\n" "2. ONLY map techniques if there is DIRECT EVIDENCE in the incident text.\n" "3. DO NOT map T1027.003 (Steganography) to ZIP files - ZIP is compression, NOT steganography.\n" "4. DO NOT map T1071 (C2) or T1071.001 (Web Protocols) unless there is evidence of BEACONING or persistent communication.\n" "5. DO NOT map T1190 (Exploit Public-Facing Application) unless there is evidence of exploitation (RCE, injection, etc).\n" "6. For file downloads, prefer T1105 (Ingress Tool Transfer).\n" "7. For phishing with malicious links, use T1566.002 only if there is evidence.\n" "8. If the incident involves ransomware execution, focus on execution techniques (T1204, T1059) and impact (T1486).\n" "\nDo not provide names or tactics, only IDs and justification: the system will enrich them later." )用户输入提示词
user_prompt = f"""Incident description:{incident_text}Extracted IOCs (JSON):{ioc_snippet}IMPORTANT GUIDELINES:- Only map techniques with DIRECT evidence from the incident- For downloads: use T1105 (Ingress Tool Transfer)- For ZIP files: use T1560.001 (Archive via Utility) if relevant, NOT T1027.003- For C2: ONLY if there's evidence of beaconing/persistent communication- For exploitation: ONLY if there's evidence of RCE, injection, or vulnerability exploitation- For ransomware execution: focus on T1204 (User Execution), T1059 (Command/Scripting), T1486 (Data Encrypted for Impact)Return ONLY a valid JSON with the following structure:{{ "techniques": [ {{ "id": "T1059.001", "justification": "Briefly explain why this technique applies based on EVIDENCE" }} ], "summary": "Summary in 3-5 lines of the observed MITRE pattern."}}"""4.检索CVE
用大模型抽取2-3个相关的产品或技术关键词及时间范围作为查询条件。调用NVD API获取CVE列表。对于每个CVE再次使用大模型判断是否与当前时间相关。最后讲结果返回。
主要实现方式:
extraction = _build_cve_keywords_with_llm(software_info, mitre_context)for kw in keywords: cves = search_cves(kw, max_results=3, pub_start_date=pub_start_date, pub_end_date=pub_end_date) for c in cves: if _validate_cve_relevance(c, software_info): c2 = dict(c) c2["source_keyword"] = kw c2["related_techniques"] = [] c2["confidence"] = "medium" all_cves.append(c2)5.DFIR计划生成
汇集上下文信息后,使用大模型来生成结构化的调查步骤。
系统提示词:
system_prompt = ( "You are a Senior DFIR Analyst in a SOC. " "Based on the incident/event description, IOCs, MITRE mapping, " "and vulnerabilities (CVEs), you must propose a structured investigation " "and response plan, oriented towards L1/L2 analysts." )用户提示词:
user_prompt = f"""Incident / Event description:{text}Extracted IOCs:{ioc_snippet}MITRE Context (TTPs):{mitre_snippet}CVE Context:{cve_snippet}Return ONLY a valid JSON with the following structure:{{ "investigation_steps": [ {{ "step": 1, "category": "Artifact Collection", "description": "Detailed action description.", "tools": ["Splunk", "EDR", "Volatility"], "expected_outcome": "What is expected to be found." }} ], "containment_actions": [ {{ "priority": "high", "description": "Containment action.", "depends_on": [1] }} ], "eradication_and_recovery": [ "Eradication action 1", "Recovery action 1" ], "notes": "Additional notes (e.g., communication, reporting, etc.)."}}"""6.结构化报告生成
根据上下文生成结构化报告
系统提示词:
system_prompt = ( "You are an L2 SOC Analyst responsible for writing incident reports. " "You must generate a clear, structured, and actionable report for a SOC environment, " "separating an executive section (for managers) and a technical section (for analysts). " "Use a professional and concise tone." )用户提示词:
user_prompt = f"""Original incident description:{incident_text}IOCs (JSON):{ioc_snippet}MITRE Context (JSON):{mitre_snippet}CVE Context (JSON):{cve_snippet}Investigation / Response Plan (JSON):{investigation_snippet}Generate ONLY a valid JSON with the following structure:{{ "metadata": {{ "title": "Incident Title", "severity": "high", "status": "under_investigation", "tlp": "TLP:AMBER", "detected_by": "SOC L1 - SIEM alert", "environment": "production" }}, "executive_summary": "Summary in 5-8 lines, oriented to non-technical managers.", "technical_summary": "Technical summary of the attack, vectors, IOCs, MITRE, and CVEs.", "timeline": [ {{ "timestamp": "2025-11-30T08:14:00Z", "event": "First SIEM alert for suspicious traffic to malicious IP." }} ], "ioc_section": {{ "ips": [], "domains": [], "urls": [], "emails": [], "hashes": {{ "md5": [], "sha1": [], "sha256": [] }}, "file_paths": [] }}, "mitre_mapping": [ {{ "id": "T1059.001", "name": "Command Shell", "tactic": "Execution", "tactic_id": "TA0002", "justification": "Brief explanation of why it applies." }} ], "cve_section": [ {{ "id": "CVE-XXXX-YYYY", "cvss": 9.8, "description": "Vulnerability summary.", "related_techniques": ["T1059.001"], "confidence": "high" }} ], "investigation_summary": [ "Brief list of investigation actions performed / planned." ], "containment_and_recovery": {{ "containment_actions": [ "Isolate affected host from corporate network." ], "eradication": [ "Reimage machine or clean malicious artifacts according to playbook." ], "recovery": [ "Return systems to production after validating integrity." ] }}, "recommendations": {{ "short_term": [ "Immediate improvement actions." ], "long_term": [ "Strategic long-term measures." ] }}}}"""7.持久化保存
保存报告为txt或json文件,并加入时间戳。
最后
我在一线科技企业深耕十二载,见证过太多因技术卡位而跃迁的案例。那些率先拥抱 AI 的同事,早已在效率与薪资上形成代际优势,我意识到有很多经验和知识值得分享给大家,也可以通过我们的能力和经验解答大家在大模型的学习中的很多困惑。
我整理出这套 AI 大模型突围资料包:
- ✅AI大模型学习路线图
- ✅Agent行业报告
- ✅100集大模型视频教程
- ✅大模型书籍PDF
- ✅DeepSeek教程
- ✅AI产品经理入门资料
完整的大模型学习和面试资料已经上传带到CSDN的官方了,有需要的朋友可以扫描下方二维码免费领取【保证100%免费】👇👇
为什么说现在普通人就业/升职加薪的首选是AI大模型?
人工智能技术的爆发式增长,正以不可逆转之势重塑就业市场版图。从DeepSeek等国产大模型引发的科技圈热议,到全国两会关于AI产业发展的政策聚焦,再到招聘会上排起的长队,AI的热度已从技术领域渗透到就业市场的每一个角落。
智联招聘的最新数据给出了最直观的印证:2025年2月,AI领域求职人数同比增幅突破200%,远超其他行业平均水平;整个人工智能行业的求职增速达到33.4%,位居各行业榜首,其中人工智能工程师岗位的求职热度更是飙升69.6%。
AI产业的快速扩张,也让人才供需矛盾愈发突出。麦肯锡报告明确预测,到2030年中国AI专业人才需求将达600万人,人才缺口可能高达400万人,这一缺口不仅存在于核心技术领域,更蔓延至产业应用的各个环节。
资料包有什么?
①从入门到精通的全套视频教程⑤⑥
包含提示词工程、RAG、Agent等技术点
② AI大模型学习路线图(还有视频解说)
全过程AI大模型学习路线
③学习电子书籍和技术文档
市面上的大模型书籍确实太多了,这些是我精选出来的
④各大厂大模型面试题目详解
⑤ 这些资料真的有用吗?
这份资料由我和鲁为民博士共同整理,鲁为民博士先后获得了北京清华大学学士和美国加州理工学院博士学位,在包括IEEE Transactions等学术期刊和诸多国际会议上发表了超过50篇学术论文、取得了多项美国和中国发明专利,同时还斩获了吴文俊人工智能科学技术奖。目前我正在和鲁博士共同进行人工智能的研究。
所有的视频教程由智泊AI老师录制,且资料与智泊AI共享,相互补充。这份学习大礼包应该算是现在最全面的大模型学习资料了。
资料内容涵盖了从入门到进阶的各类视频教程和实战项目,无论你是小白还是有些技术基础的,这份资料都绝对能帮助你提升薪资待遇,转行大模型岗位。
智泊AI始终秉持着“让每个人平等享受到优质教育资源”的育人理念,通过动态追踪大模型开发、数据标注伦理等前沿技术趋势,构建起"前沿课程+智能实训+精准就业"的高效培养体系。
课堂上不光教理论,还带着学员做了十多个真实项目。学员要亲自上手搞数据清洗、模型调优这些硬核操作,把课本知识变成真本事!
如果说你是以下人群中的其中一类,都可以来智泊AI学习人工智能,找到高薪工作,一次小小的“投资”换来的是终身受益!
应届毕业生:无工作经验但想要系统学习AI大模型技术,期待通过实战项目掌握核心技术。
零基础转型:非技术背景但关注AI应用场景,计划通过低代码工具实现“AI+行业”跨界。
业务赋能 突破瓶颈:传统开发者(Java/前端等)学习Transformer架构与LangChain框架,向AI全栈工程师转型。
👉获取方式:
😝有需要的小伙伴,可以保存图片到wx扫描二v码免费领取【保证100%免费】🆓**
带论文文档1万字以上,文末可获取,系统界面在最后面。)
)
