greysec/ir-pipeline
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: GreySec IR pipeline structure

Browse Source
This commit is contained in:
ghstshdw
2026-05-08 18:02:35 -05:00
commit d4813b98da
3 changed files with 65 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+26
View File
@@ -0,0 +1,26 @@
# GreySec Incident Response Pipeline
Automated incident response forensic collection and evidence management.
## Structure
- `forensic-collection/` - Live response scripts and evidence collection tools
- `chain-of-custody/` - Chain of custody tracking templates and automation
- `evidence-processing/` - Evidence processing and analysis workflows
- `ir-playbooks/` - Incident response playbooks by phase
- `documentation/` - IR procedures and runbooks
## Quick Start
```bash
# Clone the repository
git clone https://gsfiles.tail57cd.ts.net/greysec/ir-pipeline.git
# Run forensic collection (requires sudo)
sudo -S -p '' python3 forensic-collection/scripts/live_response.py --output ./evidence/
```
## Integration
Connects to GreySec's Supabase IR case tracking via `ir_cases` table.
See: https://greysec.supabase.co
chain-of-custody/evidence_log.md
+4
View File
@@ -0,0 +1,4 @@
# Evidence Chain of Custody Log
| Evidence ID | Description | Collected By | Date | Hash (SHA256) | Storage Location |
|------------|-------------|-------------|------|---------------|-----------------|
forensic-collection/scripts/live_response.py
+35
View File
@@ -0,0 +1,35 @@
#!/usr/bin/env python3
"""
GreySec Live Response Forensic Collection
Collects volatile data from a running system for IR analysis.
"""
import os
import subprocess
import json
from datetime import datetime
def collect_processes():
"""Capture running processes."""
result = subprocess.run(["ps", "aux"], capture_output=True, text=True)
return {"timestamp": datetime.utcnow().isoformat(), "data": result.stdout}
def collect_network():
"""Capture network connections."""
result = subprocess.run(["ss", "-tunap"], capture_output=True, text=True)
return {"timestamp": datetime.utcnow().isoformat(), "data": result.stdout}
def main(output_dir="./evidence"):
os.makedirs(output_dir, exist_ok=True)
evidence = {
"collection_time": datetime.utcnow().isoformat(),
"hostname": os.uname().nodename,
"processes": collect_processes(),
"network": collect_network(),
}
out_file = os.path.join(output_dir, f"live_response_{datetime.utcnow().strftime('%Y%m%d_%H%M%S')}.json")
with open(out_file, "w") as f:
json.dump(evidence, f, indent=2)
print(f"Evidence written to {out_file}")
if __name__ == "__main__":
main()