FREE & OPEN

Deploy SOaC-Enterprise in your environment

Clone the repo. Run validation. Deploy detections, playbooks, and policies into your stack in minutes.

Quick Start

1. Clone the repository

git clone https://github.com/ge0mant1s/SOaC-Enterprise.git

2. Run validation

cd SOaC-Enterprise && python3 quick_start_validation.py

If quick_start_validation.py is not present, check the repo releases or docs folder for the latest version.

3. Choose your deployment path below

Deployment Paths

Microsoft-first

M365 + Entra ID + Microsoft Sentinel

  • KQL detection rules for Sentinel
  • Entra ID sign-in risk policies
  • Defender for Endpoint integration
  • Azure Logic Apps for CLAW playbooks

Splunk-first

Splunk Enterprise / Cloud

  • SPL correlation rules
  • Splunk SOAR playbook mappings
  • Okta + CrowdStrike enrichments
  • Dashboard templates for coverage

EDR-first

CrowdStrike / Microsoft Defender

  • Real-time IOA custom indicators
  • Host containment playbooks
  • BYOVD detection rules
  • Forensic snapshot automation

Open-source

Sigma / Wazuh / Elastic

  • Sigma rule translations
  • Wazuh decoder + rule XML
  • Elastic detection rules (TOML)
  • Platform-agnostic playbooks

What you get when deploying

Detections-as-Code

Version-controlled rules for your SIEM with MITRE ATT&CK mapping and CI/CD testing.
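As an added illustration of what the CI/CD testing step can look like (this is example code written for this page, not code from the SOaC-Enterprise repository), the lint below checks a set of detection rules before they are merged: every rule must carry the required keys, a UUID id, a known severity level, a detection condition that only references selections it actually defines, and at least one MITRE ATT&CK technique tag. Rules are modelled as dicts in the shape of Sigma YAML (what yaml.safe_load would return), so the check runs offline; the rule contents and file paths are constructed samples.

```python
"""Hypothetical CI lint for detections-as-code (not part of SOaC-Enterprise)."""
from __future__ import annotations

import re
import uuid

REQUIRED_KEYS = ("title", "id", "status", "logsource", "detection", "level", "tags")
ALLOWED_LEVELS = {"informational", "low", "medium", "high", "critical"}
# Sigma-style technique tags such as attack.t1110 or attack.t1078.004
TECHNIQUE_TAG = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")
# Words that may appear in a Sigma condition without naming a selection
CONDITION_KEYWORDS = {"and", "or", "not", "of", "all", "them", "count", "by"}


def referenced_selections(condition: str) -> set[str]:
    """Return the selection names a condition string refers to."""
    refs = set()
    for token in re.findall(r"[A-Za-z0-9_*]+", condition):
        # Skip operators, the number in "1 of ...", and wildcard groups like sel_*
        if token.lower() in CONDITION_KEYWORDS or token.isdigit() or "*" in token:
            continue
        refs.add(token)
    return refs


def validate_rule(rule: dict) -> list[str]:
    """Return a list of problems; an empty list means the rule passes."""
    errors: list[str] = []
    for key in REQUIRED_KEYS:
        if key not in rule:
            errors.append(f"missing required key: {key}")
    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            errors.append("id is not a UUID")
    if "level" in rule and rule["level"] not in ALLOWED_LEVELS:
        errors.append(f"unknown level: {rule['level']}")
    detection = rule.get("detection")
    if isinstance(detection, dict):
        if "condition" not in detection:
            errors.append("detection has no condition")
        defined = set(detection) - {"condition"}
        for name in sorted(referenced_selections(str(detection.get("condition", ""))) - defined):
            errors.append(f"condition references undefined selection: {name}")
    tags = rule.get("tags") or []
    if not any(TECHNIQUE_TAG.match(str(t)) for t in tags):
        errors.append("no MITRE ATT&CK technique tag (attack.tNNNN)")
    return errors


def lint_rules(rules: dict[str, dict]) -> dict[str, list[str]]:
    """Validate rules keyed by file path; return only the failing ones."""
    return {path: errs for path, rule in rules.items() if (errs := validate_rule(rule))}


# Constructed sample rules standing in for files under a rules/ directory.
GOOD_RULE = {
    "title": "Repeated failed RDP logons from external address",
    "id": "1c6c9a3e-4f3b-4f4c-9e0a-2b7d1a5e8f10",
    "status": "experimental",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625, "LogonType": 10},
        "filter": {"IpAddress|startswith": "10."},
        "condition": "selection and not filter",
    },
    "level": "medium",
    "tags": ["attack.credential_access", "attack.t1110"],
}

BAD_RULE = {
    "title": "Broken rule used to show what the lint catches",
    "id": "not-a-uuid",
    "status": "test",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4720},
        "condition": "selection and not filter",  # "filter" is never defined
    },
    "tags": ["attack.persistence"],  # tactic only, no technique
}

SAMPLE_RULES = {"rules/good.yml": GOOD_RULE, "rules/bad.yml": BAD_RULE}

if __name__ == "__main__":
    failures = lint_rules(SAMPLE_RULES)
    for path, errs in failures.items():
        for err in errs:
            print(f"{path}: {err}")
    raise SystemExit(1 if failures else 0)
```

Wired into a pipeline, the script's non-zero exit blocks the merge, so a rule with an unmapped technique or a dangling selection never reaches the SIEM.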

Playbooks-as-Code

CLAW YAML playbooks for automated containment, investigation, and remediation.

Policies-as-Code

AI governance baselines and lab safety policies for responsible automation.

Simulation Scenarios

Reproducible lab environments to validate your defenses against real-world TTPs.

Ready to deploy?

Start with Package 001: Identity-led Intrusion Defense