initial: Syntrex extraction from sentinel-community (615 files)

internal/domain/soc/playbook.go

@@ -0,0 +1,115 @@
+package soc
+
+// PlaybookAction defines automated responses triggered by playbook rules.
+type PlaybookAction string
+
+const (
+	ActionAutoBlock  PlaybookAction = "auto_block"  // Block source via shield
+	ActionAutoReview PlaybookAction = "auto_review" // Flag for human review
+	ActionNotify     PlaybookAction = "notify"      // Send notification
+	ActionIsolate    PlaybookAction = "isolate"     // Isolate affected session
+	ActionEscalate   PlaybookAction = "escalate"    // Escalate to senior analyst
+)
+
+// PlaybookCondition defines when a playbook fires.
+type PlaybookCondition struct {
+	MinSeverity EventSeverity `json:"min_severity" yaml:"min_severity"` // Minimum severity to trigger
+	Categories  []string      `json:"categories" yaml:"categories"`     // Matching categories
+	Sources     []EventSource `json:"sources,omitempty" yaml:"sources"` // Restrict to specific sources
+	MinEvents   int           `json:"min_events" yaml:"min_events"`     // Minimum events before trigger
+}
+
+// Playbook is a YAML-defined automated response rule (§10).
+type Playbook struct {
+	ID          string            `json:"id" yaml:"id"`
+	Name        string            `json:"name" yaml:"name"`
+	Description string            `json:"description" yaml:"description"`
+	Enabled     bool              `json:"enabled" yaml:"enabled"`
+	Condition   PlaybookCondition `json:"condition" yaml:"condition"`
+	Actions     []PlaybookAction  `json:"actions" yaml:"actions"`
+	Priority    int               `json:"priority" yaml:"priority"` // Higher = runs first
+}
+
+// Matches checks if a SOC event matches this playbook's conditions.
+func (p *Playbook) Matches(event SOCEvent) bool {
+	if !p.Enabled {
+		return false
+	}
+
+	// Check severity threshold.
+	if event.Severity.Rank() < p.Condition.MinSeverity.Rank() {
+		return false
+	}
+
+	// Check category if specified.
+	if len(p.Condition.Categories) > 0 {
+		matched := false
+		for _, cat := range p.Condition.Categories {
+			if cat == event.Category {
+				matched = true
+				break
+			}
+		}
+		if !matched {
+			return false
+		}
+	}
+
+	// Check source restriction if specified.
+	if len(p.Condition.Sources) > 0 {
+		matched := false
+		for _, src := range p.Condition.Sources {
+			if src == event.Source {
+				matched = true
+				break
+			}
+		}
+		if !matched {
+			return false
+		}
+	}
+
+	return true
+}
+
+// DefaultPlaybooks returns the built-in playbook set (§10 from spec).
+func DefaultPlaybooks() []Playbook {
+	return []Playbook{
+		{
+			ID:          "pb-auto-block-jailbreak",
+			Name:        "Auto-Block Jailbreak",
+			Description: "Automatically block confirmed jailbreak attempts",
+			Enabled:     true,
+			Condition: PlaybookCondition{
+				MinSeverity: SeverityHigh,
+				Categories:  []string{"jailbreak", "prompt_injection"},
+			},
+			Actions:  []PlaybookAction{ActionAutoBlock, ActionNotify},
+			Priority: 100,
+		},
+		{
+			ID:          "pb-escalate-exfiltration",
+			Name:        "Escalate Exfiltration",
+			Description: "Escalate data exfiltration attempts to senior analyst",
+			Enabled:     true,
+			Condition: PlaybookCondition{
+				MinSeverity: SeverityCritical,
+				Categories:  []string{"exfiltration", "data_leak"},
+			},
+			Actions:  []PlaybookAction{ActionIsolate, ActionEscalate, ActionNotify},
+			Priority: 200,
+		},
+		{
+			ID:          "pb-review-tool-abuse",
+			Name:        "Review Tool Abuse",
+			Description: "Flag tool abuse attempts for human review",
+			Enabled:     true,
+			Condition: PlaybookCondition{
+				MinSeverity: SeverityMedium,
+				Categories:  []string{"tool_abuse", "unauthorized_tool_use"},
+			},
+			Actions:  []PlaybookAction{ActionAutoReview},
+			Priority: 50,
+		},
+	}
+}