TECHNICAL DEEP-DIVE · SCHEMA v3.0

How SOaC Works

0 packages, 0+ MITRE techniques, 4 architecture pillars. Every layer — Body, Brain, Purpose, Edge — is codified, versionable, and deployable through Git.

End-to-End Pipeline

Package Upload: ZIP with manifest.json + detections + playbooks
Registry Ingestion: filesystem extraction → /api/packages/registry
Harness v3 Validation: schema + cross-ref + replay engine
Lab Scenarios: team games with Red/Blue/SOC/CISO roles
Detection Rules: Sigma · KQL · SPL · Wazuh · CrowdStrike
SOAR Playbooks: CLAW engine, automated containment & response

Kill Chain Example: M365 → Entra → AWS → SaaS

A real-world cross-cloud attack path that SOaC packages detect and respond to at each phase.

1. Initial Access (M365 / Entra ID): T1566 Phishing → AiTM token theft
2. Privilege Escalation (Azure AD / Entra): T1078.004 Cloud credential abuse → Global Admin
3. Lateral Movement (AWS, cross-cloud): T1550 Federated trust pivoting → AWS assume-role
4. Collection & Exfil (SaaS / SharePoint): T1530 Data from cloud storage → exfiltration
5. Impact (all targets): T1486 Ransomware deployment / data destruction

SOaC Response

Packages pkg-001 (Identity Intrusion), pkg-006 (Cloud Infrastructure), and pkg-009 (SaaS Application) provide end-to-end detection coverage for this kill chain — from initial AiTM phishing through cross-cloud lateral movement to SaaS data exfiltration. Each package includes Sigma rules, CLAW playbooks, and evidence replay bundles.

The Four Pillars

BODY

Detection & Response Layer

YAML-based detection rules, automated playbooks, and incident-response logic. Each package ships detections in Sigma, KQL, SPL, and Wazuh formats.

detection.yaml · playbook.yaml · policy.yaml

BRAIN

Intelligence & Decision Engine

Threat-intelligence enrichment, risk scoring, and adaptive thresholds. The Brain reads detection signals and applies contextual logic to reduce alert fatigue.

threat-intel enrichment · risk-scoring model · adaptive thresholds

PURPOSE

Governance & Compliance

Policy-as-code manifests that enforce organizational security posture. Each package includes policy.yaml mapped to NIST, CIS, and ISO 27001.

policy.yaml · evidence-manifest.json · replay-report.md

EDGE

Integration & Deployment

Adapters and deployment manifests for Sentinel, CrowdStrike, Splunk, and more. The Edge layer ensures every package can be dropped into your existing stack.

stack adapters · deploy manifests · CI/CD templates

PLUG-AND-PLAY

From GitHub to Your SOC in 4 Steps

No vendor lock-in. No proprietary agents. Just Git, YAML, and your existing security stack.

01

Clone the Repository

Pull the full SOaC framework including all packages, detection rules, playbooks, and lab scenarios.

$ git clone https://github.com/ge0mant1s/SOaC-Enterprise.git

02

Choose Your Package

Each numbered directory is a self-contained threat-domain package with everything needed for detection, response, and validation.

$ cd packages/001_identity_intrusion_defense

03

Copy Artifacts to Your Stack

Drop the detection files directly into your SIEM, SOAR, or XDR platform. SOaC artifacts are vendor-agnostic and stack-portable.

$ cp detections/*.sigma /path/to/sentinel/analytics-rules/

04

Validate with Harness v3

Run the Harness v3.0 validator to verify schema compliance, MITRE coverage, detection format presence, and simulation step integrity.

$ npx tsx scripts/validate-packages.ts
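What the four checks in step 04 amount to, as an added example rather than the project's own validate-packages.ts: the manifest layout, field names and the sample pkg-001-style manifest below are assumptions constructed for illustration, not the real SOaC schema.

```typescript
// Added example, not the project's validator: the four checks step 04 names,
// over an assumed manifest layout (not the SOaC project's real schema).
interface Manifest {
  schema_version: string;
  id: string;
  techniques: string[]; // MITRE ATT&CK IDs the package claims to cover
  detections: { file: string; format: string; technique: string }[];
  simulation: { step: number; technique: string }[];
}
const REQUIRED_FORMATS = ["sigma", "kql", "spl", "wazuh"];
const TECHNIQUE_RE = /^T\d{4}(\.\d{3})?$/; // T1566 or T1078.004

function validateManifest(m: Manifest): string[] {
  const errors: string[] = [];
  if (m.schema_version !== "3.0") errors.push(`schema_version must be 3.0, got ${m.schema_version}`);
  if (!/^pkg-\d{3}$/.test(m.id)) errors.push(`package id ${m.id} is not pkg-NNN`);
  for (const t of m.techniques) if (!TECHNIQUE_RE.test(t)) errors.push(`malformed technique id ${t}`);
  // Detection format presence: every required format must ship at least one rule
  const formats = new Set(m.detections.map((d) => d.format.toLowerCase()));
  for (const f of REQUIRED_FORMATS) if (!formats.has(f)) errors.push(`missing ${f} detection`);
  // Cross-reference: rules and replay steps may only cite techniques the manifest declares
  const declared = new Set(m.techniques);
  for (const d of m.detections) if (!declared.has(d.technique)) errors.push(`${d.file} cites undeclared ${d.technique}`);
  // MITRE coverage: every declared technique needs at least one detection
  const covered = new Set(m.detections.map((d) => d.technique));
  for (const t of m.techniques) if (!covered.has(t)) errors.push(`no detection covers ${t}`);
  // Simulation step integrity: steps must run 1..n without gaps and cite declared techniques
  [...m.simulation].sort((a, b) => a.step - b.step).forEach((s, i) => {
    if (s.step !== i + 1) errors.push(`simulation steps not contiguous at ${s.step}`);
    if (!declared.has(s.technique)) errors.push(`step ${s.step} cites undeclared ${s.technique}`);
  });
  return errors;
}

// Constructed sample modelled on the kill chain above; not a real SOaC package
const sampleManifest: Manifest = {
  schema_version: "3.0",
  id: "pkg-001",
  techniques: ["T1566", "T1078.004", "T1550"],
  detections: [
    { file: "aitm_signin.sigma", format: "sigma", technique: "T1566" },
    { file: "global_admin_grant.kql", format: "kql", technique: "T1078.004" },
    { file: "assume_role_pivot.spl", format: "spl", technique: "T1550" },
  ],
  // step 3 is missing on purpose so the integrity check has something to flag
  simulation: [{ step: 1, technique: "T1566" }, { step: 2, technique: "T1078.004" }, { step: 4, technique: "T1550" }],
};
```

Running validateManifest(sampleManifest) reports the missing Wazuh rule and the gap at step 3; a package that passes returns an empty list.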

Ready to Plug In?

0 packages validated against Harness v3.0 with 0+ MITRE techniques. Tested against Sentinel, CrowdStrike, Splunk, AWS, Chronicle, and Cortex XSIAM.