Allama Security Automation

Open-source AI security automation and SOAR platform with visual workflow builder, 80+ integrations, and autonomous threat response agents.

```bash
# Clone the repository
git clone https://github.com/digitranslab/allama.git
cd allama

# Initialize the project
make init

# Start development environment
make dev
```

```bash
# One-command demo deployment
./demo.sh
```

```bash
# Production deployment
docker-compose up -d

# Development environment
docker-compose -f docker-compose.dev.yml up -d

# Local testing
docker-compose -f docker-compose.local.yml up -d

# View logs
docker-compose logs -f

# Stop all services
docker-compose down
```

| Requirement | Minimum |
|---|---|
| Python | 3.12+ |
| Docker | Latest stable |
| RAM | 4 GB |
| Disk Space | 10 GB |

| Command | Description |
|---|---|
| `make init` | Initialize project and install dependencies |
| `make dev` | Start development server |
| `make test` | Run test suite |
| `make lint` | Run code linting |
| `docker-compose up -d` | Start production deployment |
| `docker-compose down` | Stop all services |
| `docker-compose logs -f` | Follow service logs |
| `./demo.sh` | Launch demo environment |

| Component | Technology |
|---|---|
| API Server | FastAPI (Python) |
| Workflow Engine | Temporal |
| AI Agents | PydanticAI + LiteLLM |
| Database | PostgreSQL |
| Object Storage | S3-compatible |
| Script Sandbox | WebAssembly (Wasm) |
| Frontend | React |

| Integration | Description |
|---|---|
| Splunk | Log ingestion, search queries, alert correlation |
| Elastic SIEM | Elasticsearch queries, Kibana dashboards |
| Datadog | Metrics, logs, and security signals |
| Wazuh | Host-based intrusion detection, compliance |
| QRadar | IBM security intelligence platform |
| Microsoft Sentinel | Cloud-native SIEM and SOAR |

| Integration | Description |
|---|---|
| CrowdStrike Falcon | Endpoint detection and response |
| SentinelOne | Autonomous endpoint security |
| Carbon Black | VMware endpoint protection |
| Microsoft Defender | Endpoint and identity protection |
| Cortex XDR | Palo Alto extended detection |

| Integration | Description |
|---|---|
| Okta | Identity and access management |
| Microsoft Entra ID | Azure Active Directory |
| Google Workspace | User and device management |
| OneLogin | Single sign-on and directory |

| Integration | Description |
|---|---|
| Jira | Issue tracking and project management |
| ServiceNow | IT service management |
| PagerDuty | Incident management and alerting |
| Opsgenie | Alert and on-call management |

| Integration | Description |
|---|---|
| Slack | Channel notifications and bot commands |
| Microsoft Teams | Adaptive cards and webhooks |
| Email (SMTP) | Alert notifications and reports |
| Telegram | Bot-based notifications |

| Integration | Description |
|---|---|
| VirusTotal | File and URL analysis |
| AbuseIPDB | IP reputation checking |
| Shodan | Internet-facing asset discovery |
| AlienVault OTX | Open threat exchange feeds |
| MISP | Threat intelligence sharing |

| Integration | Description |
|---|---|
| AWS | CloudTrail, GuardDuty, Security Hub |
| Azure | Sentinel, Defender, Activity Logs |
| GCP | Security Command Center, Cloud Audit |

| Component | Description |
|---|---|
| Trigger | Event that starts the workflow (webhook, schedule, alert) |
| Action | Integration call (query SIEM, block IP, create ticket) |
| Condition | If/else branching based on data values |
| Loop | Iterate over lists (IP addresses, users, alerts) |
| Parallel | Run multiple branches simultaneously |
| Delay | Wait for a specified duration before continuing |
| Script | Custom Python code in WebAssembly sandbox |
| AI Agent | LLM-powered decision making and analysis |

| Trigger | Description |
|---|---|
| Webhook | HTTP endpoint for external event ingestion |
| Schedule | Cron-based periodic execution |
| Alert | SIEM/EDR alert correlation |
| Manual | On-demand execution from UI |
| Email | Inbound email parsing |

| Provider | Configuration |
|---|---|
| OpenAI | API key + model selection (GPT-4, GPT-4o) |
| Anthropic | API key + model selection (Claude Sonnet, Opus) |
| Azure OpenAI | Endpoint + deployment name |
| Ollama | Self-hosted, local endpoint (llama3, mistral) |
| Google Gemini | API key + model selection |

| Capability | Description |
|---|---|
| Threat Analysis | Analyze indicators of compromise and alert context |
| Decision Making | Determine response actions based on severity and context |
| Enrichment | Correlate data across multiple intelligence sources |
| Summarization | Generate incident summaries for human review |
| Playbook Selection | Choose the appropriate response workflow based on alert type |

| Feature | Description |
|---|---|
| Custom Fields | Define case-specific metadata fields |
| Task Assignment | Assign investigation tasks to team members |
| Attachments | Upload evidence files and screenshots |
| Audit Trail | Complete history of case actions and changes |
| SLA Tracking | Monitor response and resolution time targets |
| Escalation Rules | Auto-escalate based on severity and time thresholds |

| Feature | Description |
|---|---|
| Authentication | Basic, Google OAuth, SAML 2.0 (Okta, Entra ID) |
| Authorization | Role-based access control (RBAC) |
| Workspace Isolation | Multi-tenant workspace separation |
| Secret Encryption | AES-256 encryption with automatic injection |
| Audit Logging | Complete access and execution history |
| Script Sandboxing | WebAssembly isolation with network restrictions |
| Resource Limits | CPU and memory constraints for script execution |

```text
Trigger: Email received →
  AI Agent: Analyze headers and content →
  Condition: Malicious? →
    Yes: Block sender + Create ticket + Notify SOC
    No: Log and close
```

```text
Trigger: SIEM alert (impossible travel) →
  Enrichment: Check user history + Geo IP →
  AI Agent: Assess risk level →
  Condition: High risk? →
    Yes: Disable account + Page on-call + Create case
    No: Add to watchlist + Log event
```

```text
Trigger: EDR alert (malware detected) →
  Action: Isolate endpoint →
  Enrichment: VirusTotal hash lookup →
  Action: Create Jira ticket →
  Action: Notify Slack channel →
  AI Agent: Generate incident summary
```

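The impossible-travel workflow above, written out as plain Python so the component types (trigger, parallel enrichment, AI agent, condition, actions) can be seen composing into one run. This is an added example, not Allama's workflow format or engine code; the step functions, the rule-based stand-in for the AI agent's risk assessment, the lookup tables, the `supervised` switch that holds high-impact actions for analyst approval, and the sample alert are all assumptions constructed for the example.

```python
"""Added example: a SIEM impossible-travel alert run through enrichment, a risk
assessment and a high-risk branch. Not Allama's own code or workflow schema."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Constructed stand-ins for the identity provider's user history and a Geo-IP service.
USER_HISTORY = {"alice": {"usual_countries": {"US"}, "prior_incidents": 0}}
GEO_IP = {"203.0.113.7": "BR", "198.51.100.2": "US"}  # TEST-NET addresses, constructed
UNKNOWN_USER = {"usual_countries": set(), "prior_incidents": 0}


@dataclass
class Outcome:
    risk: str
    executed: list = field(default_factory=list)  # actions actually carried out
    pending: list = field(default_factory=list)   # actions held for analyst approval
    audit: list = field(default_factory=list)     # one line per step, like an audit trail


def enrich(alert):
    """Parallel enrichment branch: user history and Geo-IP lookups run concurrently."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        history = pool.submit(USER_HISTORY.get, alert["user"], UNKNOWN_USER)
        country = pool.submit(GEO_IP.get, alert["src_ip"], "unknown")
        return {"history": history.result(), "country": country.result()}


def assess_risk(alert, enrichment):
    """Rule-based stand-in for the AI agent's risk assessment (an assumption)."""
    history = enrichment["history"]
    new_country = enrichment["country"] not in history["usual_countries"]
    fast_travel = alert["minutes_since_previous_login"] < 120
    if new_country and fast_travel:
        return "high"
    if new_country or history["prior_incidents"] > 0:
        return "medium"
    return "low"


def run_impossible_travel(alert, supervised=True):
    """Trigger -> Enrichment -> AI Agent -> Condition -> Actions.

    With supervised=True the high-risk response is proposed but not executed,
    which is the review-before-autonomy mode the best practices recommend."""
    out = Outcome(risk="unknown")
    out.audit.append(f"trigger: SIEM alert {alert['alert_id']} for user {alert['user']}")
    enrichment = enrich(alert)
    out.audit.append(
        f"enrichment: login country={enrichment['country']}, "
        f"usual={sorted(enrichment['history']['usual_countries'])}"
    )
    out.risk = assess_risk(alert, enrichment)
    out.audit.append(f"agent: risk={out.risk}")
    if out.risk == "high":
        response = ["disable_account", "page_on_call", "create_case"]
        if supervised:
            out.pending.extend(response)
            out.audit.append("condition: high risk -> response queued for analyst approval")
        else:
            out.executed.extend(response)
            out.audit.append("condition: high risk -> autonomous response executed")
    else:
        out.executed.extend(["add_to_watchlist", "log_event"])
        out.audit.append("condition: not high risk -> watchlist + log")
    return out


# Constructed sample alert: a login from Brazil 35 minutes after one from the US.
SAMPLE_ALERT = {
    "alert_id": "IT-0001",
    "user": "alice",
    "src_ip": "203.0.113.7",
    "minutes_since_previous_login": 35,
}

if __name__ == "__main__":
    for line in run_impossible_travel(SAMPLE_ALERT).audit:
        print(line)
```

Keeping the proposed response in `pending` rather than `executed` is what makes the supervised mode auditable: the audit trail records the agent's verdict and the actions it would have taken, and an analyst can approve or reject them before any account is disabled.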
| Endpoint | Method | Description |
|---|---|---|
| `/api/v1/workflows` | GET | List all workflows |
| `/api/v1/workflows` | POST | Create new workflow |
| `/api/v1/workflows/{id}/run` | POST | Execute a workflow |
| `/api/v1/cases` | GET | List cases |
| `/api/v1/cases` | POST | Create new case |
| `/api/v1/integrations` | GET | List configured integrations |
| `/api/v1/agents` | GET | List AI agents |
| `/api/v1/webhooks` | POST | Receive external events |

- Start with pre-built workflow templates before building custom ones
- Use the AI agent in “supervised” mode initially — review decisions before enabling autonomous response
- Configure role-based access to limit who can modify production workflows
- Test workflows in the development environment before deploying to production
- Store secrets using the built-in encrypted secret manager, not environment variables
- Set up SLA tracking for compliance requirements (SOC 2, ISO 27001)
- Use parallel execution branches to speed up enrichment queries
- Enable audit logging for all workflow executions