Autonomous orchestrated incident response system based on SIEM
Abstract
Relevance. Modern information systems generate security events from various sources, including operating system and service logs, network sensors, vulnerability scanners, and other monitoring tools. In such conditions, a SIEM enables the centralized collection, indexing, and correlation of telemetry; however, the transition from analytical results to practical response often remains insufficiently formalized. This leads to delays, dependence on manual actions, difficulties in ensuring the repeatability of procedures, and the absence of a unified mechanism for confirming executed response actions. An additional challenge is the provision of secure autonomous access to endpoints during an incident, when both manual confirmation of SSH connections and insecure trust on first use are unacceptable. In this context, the development of an architectural bridge between SIEM analytics and an orchestration system is highly relevant, as it can ensure controlled, repeatable, and auditable incident response regardless of the original source of events.
Goal. The purpose of this work is to substantiate and experimentally validate an architectural approach to autonomous orchestrated incident response, in which the results of SIEM analytics are transformed into a structured incident record and then used to initiate response procedures in an orchestration system. To achieve this goal, the detector is described in a declarative form, the incident record is standardized, repeated triggering is controlled through a unique incident key and a re-execution lockout interval, target assets are aligned with inventory data, execution results are logged, and secure access to endpoints based on SSH Host CA is implemented. The scenario of detecting and responding to an SSH brute-force attack was chosen as a demonstration case.
Results. As a result of the study, an architectural approach that combines SIEM analytics with the automated execution of response actions on target assets was developed and experimentally validated. It was shown that the result of an analytical query in a SIEM can be consistently transformed into an incident record, used to construct a unique incident key, verify re-execution policies, align the target asset with the inventory, and transfer parameters to a playbook. The implemented prototype confirmed the technical feasibility of building a complete cycle from event detection in the SIEM to the execution of a response procedure on an endpoint and the recording of the result in a structured log. It was also confirmed that the use of SSH Host CA makes it possible to provide secure autonomous access to endpoints without manual confirmation during an incident. The obtained results further demonstrated that the proposed architecture can be scaled to other response scenarios provided that the detection rules and execution procedures are adapted accordingly.
Conclusions. The obtained results confirm that the integration of SIEM analytics with an orchestration system makes it possible to implement a controlled framework for autonomous incident response. The result of SIEM analytics is transformed into an incident record, which is then used to control repeated executions, align the target asset with the inventory, and initiate a response scenario. Practical validation based on the SSH brute-force case confirmed the technical feasibility of this approach: a complete cycle was implemented, from event detection to response execution and the recording of its result in the log. The proposed architecture is suitable for responding to incidents identified from various event sources, provided that their results are aggregated and correlated in the SIEM. The use of SSH Host CA ensures secure autonomous access to endpoints without manual confirmation during an incident. Further development of this work should focus on the software implementation of the bridge module, the expansion of the response scenario library, and the transfer of response logs back to the SIEM for further analysis.
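The bridge logic described in the Goal and Results paragraphs (SIEM result row to standardized incident record, unique incident key, re-execution lockout interval, alignment of the target asset with the inventory, parameter hand-off to a playbook, structured result log), as an added example that is not the paper's prototype code. The field names, the alert row, the inventory, the playbook name block_ssh_source.yml and the dry-run runner are constructed assumptions; a real bridge would invoke ansible-playbook in place of the runner.

```python
import hashlib
import ipaddress
import json
from collections import namedtuple
# Constructed alert row shaped like a SIEM saved-search result (hypothetical field names).
SIEM_RESULT = {"detector": "ssh_bruteforce", "dest_host": "web01", "src_ip": "203.0.113.5", "failures": 57}
# Constructed inventory standing in for the orchestrator's host inventory.
INVENTORY = {"web01": {"ansible_host": "10.0.0.11", "group": "webservers"}}
LOCKOUT_SECONDS = 600  # re-execution lockout interval per incident key

Incident = namedtuple("Incident", "key detector asset src_ip created")  # standardized record
def incident_key(detector, asset, src_ip):
    # Same detector, target asset and source collapse to one incident key.
    return hashlib.sha256(f"{detector}|{asset}|{src_ip}".encode()).hexdigest()[:16]

def build_incident(result, now):
    # Normalise a raw SIEM row into the incident record; reject malformed source IPs
    # before they can reach a playbook parameter (ipaddress raises ValueError).
    src_ip = str(ipaddress.ip_address(result["src_ip"]))
    return Incident(incident_key(result["detector"], result["dest_host"], src_ip),
                    result["detector"], result["dest_host"], src_ip, now)

def dry_run_playbook(playbook, extra_vars):
    # Stand-in runner; a real bridge would invoke ansible-playbook with these extra vars.
    return "executed"

class Bridge:
    def __init__(self, inventory, lockout, runner):
        self.inventory, self.lockout, self.runner = inventory, lockout, runner
        self.last_run = {}  # incident key -> time of last execution
        self.log = []       # structured result log, one JSON line per decision

    def _log(self, inc, status):
        self.log.append(json.dumps({"key": inc.key, "asset": inc.asset,
                                    "src_ip": inc.src_ip, "status": status}))

    def handle(self, result, now):
        inc = build_incident(result, now)
        last = self.last_run.get(inc.key)
        if last is not None and now - last < self.lockout:  # re-execution policy check
            self._log(inc, "skipped_lockout")
            return "skipped_lockout"
        host = self.inventory.get(inc.asset)  # align target asset with inventory
        if host is None:
            self._log(inc, "unknown_asset")
            return "unknown_asset"
        status = self.runner("block_ssh_source.yml", {"target": host["ansible_host"], "block_ip": inc.src_ip})
        self.last_run[inc.key] = now
        self._log(inc, status)
        return status
```

Each decision, including a skipped or unmatched one, lands in the log, which is what makes the response auditable rather than only the successful executions.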