Plataforma SOAR de automação de segurança IA de código aberto com construtor visual de fluxo de trabalho, 80+ integrações e agentes autônomos de resposta a ameaças.
Installation
Quick Start (Development)
# Clone the repository
git clone https://github.com/digitranslab/allama.git
cd allama
# Initialize the project
make init
# Start development environment
make dev
Demo Environment
# One-command demo deployment
./demo.sh
Docker Compose (Production)
# Production deployment
docker-compose up -d
# Development environment
docker-compose -f docker-compose.dev.yml up -d
# Local testing
docker-compose -f docker-compose.local.yml up -d
# View logs
docker-compose logs -f
# Stop all services
docker-compose down
System Requirements
| Requirement | Minimum |
|---|
| Python | 3.12+ |
| Docker | Latest stable |
| RAM | 4 GB |
| Disk Space | 10 GB |
Basic Commands
| Command | Description |
|---|
make init | Inicializar projeto e instalar dependências |
make dev | Iniciar servidor de desenvolvimento |
make test | Executar suite de testes |
make lint | Executar linting de código |
docker-compose up -d | Iniciar implementação de produção |
docker-compose down | Parar todos os serviços |
docker-compose logs -f | Seguir logs de serviço |
./demo.sh | Lançar ambiente de demonstração |
Technology Stack
| Component | Technology |
|---|
| API Server | FastAPI (Python) |
| Workflow Engine | Temporal |
| AI Agents | PydanticAI + LiteLLM |
| Database | PostgreSQL |
| Object Storage | S3-compatible |
| Script Sandbox | WebAssembly (Wasm) |
| Frontend | React |
Integrations (80+)
| Integration | Description |
|---|
| Splunk | Log ingestion, search queries, alert correlation |
| Elastic SIEM | Elasticsearch queries, Kibana dashboards |
| Datadog | Metrics, logs, and security signals |
| Wazuh | Host-based intrusion detection, compliance |
| QRadar | IBM security intelligence platform |
| Microsoft Sentinel | Cloud-native SIEM and SOAR |
EDR/XDR Solutions
| Integration | Description |
|---|
| CrowdStrike Falcon | Endpoint detection and response |
| SentinelOne | Autonomous endpoint security |
| Carbon Black | VMware endpoint protection |
| Microsoft Defender | Endpoint and identity protection |
| Cortex XDR | Palo Alto extended detection |
Identity Providers
| Integration | Description |
|---|
| Okta | Identity and access management |
| Microsoft Entra ID | Azure Active Directory |
| Google Workspace | User and device management |
| OneLogin | Single sign-on and directory |
Ticketing Systems
| Integration | Description |
|---|
| Jira | Issue tracking and project management |
| ServiceNow | IT service management |
| PagerDuty | Incident management and alerting |
| Opsgenie | Alert and on-call management |
Communication
| Integration | Description |
|---|
| Slack | Channel notifications and bot commands |
| Microsoft Teams | Adaptive cards and webhooks |
| Email (SMTP) | Alert notifications and reports |
| Telegram | Bot-based notifications |
Threat Intelligence
| Integration | Description |
|---|
| VirusTotal | File and URL analysis |
| AbuseIPDB | IP reputation checking |
| Shodan | Internet-facing asset discovery |
| AlienVault OTX | Open threat exchange feeds |
| MISP | Threat intelligence sharing |
| Integration | Description |
|---|
| AWS | CloudTrail, GuardDuty, Security Hub |
| Azure | Sentinel, Defender, Activity Logs |
| GCP | Security Command Center, Cloud Audit |
Workflow Builder
Workflow Components
| Component | Description |
|---|
| Trigger | Event that starts the workflow (webhook, schedule, alert) |
| Action | Integration call (query SIEM, block IP, create ticket) |
| Condition | If/else branching based on data values |
| Loop | Iterate over lists (IP addresses, users, alerts) |
| Parallel | Run multiple branches simultaneously |
| Delay | Wait for specified duration before continuing |
| Script | Custom Python code in WebAssembly sandbox |
| AI Agent | LLM-powered decision making and analysis |
Trigger Types
| Trigger | Description |
|---|
| Webhook | HTTP endpoint for external event ingestion |
| Schedule | Cron-based periodic execution |
| Alert | SIEM/EDR alert correlation |
| Manual | On-demand execution from UI |
| Email | Inbound email parsing |
AI Agent Configuration
Supported LLM Providers
| Provider | Configuration |
|---|
| OpenAI | API key + model selection (GPT-4, GPT-4o) |
| Anthropic | API key + model selection (Claude Sonnet, Opus) |
| Azure OpenAI | Endpoint + deployment name |
| Ollama | Self-hosted, local endpoint (llama3, mistral) |
| Google Gemini | API key + model selection |
Agent Capabilities
| Capability | Description |
|---|
| Threat Analysis | Analyze indicators of compromise and alert context |
| Decision Making | Determine response actions based on severity and context |
| Enrichment | Correlate data across multiple intelligence sources |
| Summarization | Generate incident summaries for human review |
| Playbook Selection | Choose appropriate response workflow based on alert type |
Case Management
| Feature | Description |
|---|
| Custom Fields | Define case-specific metadata fields |
| Task Assignment | Assign investigation tasks to team members |
| Attachments | Upload evidence files and screenshots |
| Audit Trail | Complete history of case actions and changes |
| SLA Tracking | Monitor response and resolution time targets |
| Escalation Rules | Auto-escalate based on severity and time thresholds |
Security Features
| Feature | Description |
|---|
| Authentication | Basic, Google OAuth, SAML 2.0 (Okta, Entra ID) |
| Authorization | Role-based access control (RBAC) |
| Workspace Isolation | Multi-tenant workspace separation |
| Secret Encryption | AES-256 encryption with automatic injection |
| Audit Logging | Complete access and execution history |
| Script Sandboxing | WebAssembly isolation with network restrictions |
| Resource Limits | CPU and memory constraints for script execution |
Common Workflow Patterns
Phishing Email Triage
Trigger: Email received →
AI Agent: Analyze headers and content →
Condition: Malicious? →
Yes: Block sender + Create ticket + Notify SOC
No: Log and close
Suspicious Login Response
Trigger: SIEM alert (impossible travel) →
Enrichment: Check user history + Geo IP →
AI Agent: Assess risk level →
Condition: High risk? →
Yes: Disable account + Page on-call + Create case
No: Add to watchlist + Log event
Malware Detection Response
Trigger: EDR alert (malware detected) →
Action: Isolate endpoint →
Enrichment: VirusTotal hash lookup →
Action: Create Jira ticket →
Action: Notify Slack channel →
AI Agent: Generate incident summary
API Endpoints
| Endpoint | Method | Description |
|---|
/api/v1/workflows | GET | List all workflows |
/api/v1/workflows | POST | Create new workflow |
/api/v1/workflows/{id}/run | POST | Execute a workflow |
/api/v1/cases | GET | List cases |
/api/v1/cases | POST | Create new case |
/api/v1/integrations | GET | List configured integrations |
/api/v1/agents | GET | List AI agents |
/api/v1/webhooks | POST | Receive external events |
Best Practices
- Start with pre-built workflow templates before building custom ones
- Use the AI agent in “supervised” mode initially — review decisions before enabling autonomous response
- Configure role-based access to limit who can modify production workflows
- Test workflows in the development environment before deploying to production
- Store secrets using the built-in encrypted secret manager, not environment variables
- Set up SLA tracking for compliance requirements (SOC 2, ISO 27001)
- Use parallel execution branches to speed up enrichment queries
- Enable audit logging for all workflow executions
