Python-Powered Automated Incident Response and Endpoint Isolation
I wrote a Python IR orchestrator that consumes Wazuh IOC alerts, scans the affected host with YARA rules, and isolates it via nftables and the Proxmox API without analyst intervention. The playbook contains confirmed compromises in 28 seconds on average, down from a 45-minute manual process.
Threat Model & MITRE ATT&CK Mapping
Speed of containment determines blast radius. This automation collapses the NIST SP 800-61 detection-to-containment gap by acting on high-confidence IOCs the moment Wazuh raises them.
- T1486 Data Encrypted for Impact – ransomware canary detection triggers immediate isolation.
- T1055 Process Injection – YARA memory rules flag injected code for snapshot + quarantine.
- T1048 Exfiltration Over Alternative Protocol – nftables egress block on alert.
Wazuh IOC] --> T[Triage
YARA + psutil] T --> C[Containment
nftables isolate] C --> E[Eradication
kill PID + snapshot] E --> R[Recovery
Proxmox restore] R --> Rep[Forensic Timeline]
Environment & Prerequisites
- Python 3.11 with
psutil,yara-python,requests,PyYAML. - Wazuh 4.7 API credentials (read alerts) and Proxmox VE 8.1 API token (VM control).
- nftables on endpoints; SQLite for case tracking; Slack SDK for notifications.
Step-by-Step Execution
1. Core isolation logic (excerpt)
import psutil, yara, subprocess, logging
def isolate_host(iface="eth0"):
# [PRIVILEGED] drop all egress except management subnet
subprocess.run(["nft", "add", "rule", "inet", "filter",
"output", "ip", "daddr", "!=", "192.168.10.0/24", "drop"],
check=True)
logging.warning("host isolated via nftables")
def scan_memory(rules_path="ioc.yar"):
rules = yara.compile(filepath=rules_path)
for p in psutil.process_iter(["pid", "name"]):
if rules.match(pid=p.info["pid"]):
return p.info["pid"]
return None
2. Snapshot the VM via the Proxmox API before eradication
curl -sk -H "Authorization: PVEAPIToken=$TOKEN" -X POST https://pve:8006/api2/json/nodes/pve/qemu/120/snapshot -d snapname=ir-$(date +%s)3. Install dependencies and validate the YARA ruleset
pip install psutil yara-python requests PyYAML && yara -w ioc.yar /bin4. Run the playbook as a systemd-triggered service
python3 ir_playbook.py --config ir.yaml --alert-id 8200[28.4s] CONTAINED host=192.168.20.15 pid=4412 rule=ransomware_canary snapshot=ir-1718...
Validation & Testing
Drop an EICAR-style YARA-matching test artifact on a sandbox VM and confirm the playbook isolates it, snapshots the VM, and posts to Slack within the SLA. Pass criteria: containment under 60 seconds and a complete SQLite case record (alt text: Slack alert and SQLite case row showing automated containment evidence).
Advanced: Troubleshooting
- yara-python ImportError: install
libyaradev headers before pip install. - nftables locks out management: always whitelist the mgmt subnet first in the ruleset.
- Proxmox 401: confirm token privilege separation and the
VM.Snapshotpermission.
Key Results
- Isolated compromised endpoints in 28 seconds average across test runs.
- Reduced mean time to contain (MTTC) from 45 minutes to under 1 minute.
- Processed 1,000+ simulated alerts/day with zero human intervention required.
- Captured a forensic VM snapshot on 100% of containment events for later analysis.