idps-escape

IDPS-ESCAPE user manual

This manual provides detailed documentation for all IDPS-ESCAPE components implementing a comprehensive SOAR system following the MAPE-K paradigm (Monitor, Analyze, Plan, Execute, Knowledge).

Key subsystems: RADAR (automated response), SONAR (production anomaly detection), and ADBox (legacy research framework).

Hybrid detection approach: Signature-based (Wazuh, Suricata) + multivariate AD (SONAR) + streaming AD (RRCF via OpenSearch AD plugin).

Core components

SONAR (Production Anomaly Detection)

Quick start

Full documentation

SONAR (SIEM-Oriented Neural Anomaly Recognition) is our production-grade multivariate time-series anomaly detection subsystem:

• Multivariate anomaly detection using Microsoft MVAD library
• Scenario-based YAML workflows for repeatable detection strategies
• Debug mode for offline testing without Wazuh infrastructure
• Real-time and batch detection modes
• Data shipping integration to Wazuh data streams for RADAR-driven responses

Use SONAR for all production deployments.

RADAR (Automated Response)

Getting started

Full documentation

The RADAR subsystem provides solutions for completing the SOAR mission of IDPS-ESCAPE:

• Risk-aware automated response orchestration
• OpenSearch AD integration (RRCF-based)
• AD scenario implementations with active response solutions
• SOAR playbooks facilitating security orchestration

Map of content

SONAR Documentation

• SONAR user README - Documentation hub
• SONAR developer README - Developer quick reference
• Setup and usage guide - Installation and CLI
• Scenario guide - YAML scenario configuration
• Data injection guide - Testing with synthetic data
• Data shipping guide - Production integration
• Troubleshooting - Common issues and solutions
• Architecture - System design and patterns

RADAR Documentation

• RADAR README - Main documentation
• RADAR developer README - Developer quick reference
• Architecture - System design and components
• Getting started - Setup and deployment
• Ansible playbook - Automated deployment
• Run AD workflow - Detector and monitor creation
• Detection rules - Wazuh rule definitions
• Active response - Response logic flow
• Scenarios overview - Detailed scenario documentation
• Webhook service - Webhook deployment

Deployment and Integration

• Getting started with full stack - Quick deployment
• Joint IDPS + SIEM deployment - Suricata + Wazuh
• Integrations - MISP, OpenCTI, SATRAP, OpenTRICK

ADBox (Legacy - Research Only)

⚠️ DEPRECATED: Use SONAR for production. ADBox maintained for research continuity only.

• ADBox overview - Main documentation
• Installation - Setup instructions
• Quick start - Getting started
• Use case definition - YAML configuration
• Engine documentation - Core components
• MTAD-GAT algorithm - Deep learning model
• Detector data structure - Output format
• Data transformation - Preprocessing pipeline
• Run modes - Batch, realtime, historical
• Wazuh integration - Data shipping
• Dashboard tutorial - Visualization guide
• Example walkthrough - Complete example

Reference

• Glossary - Terminology and definitions

SIEM, network and host IDPS and ML-based AD

To achieve comprehensive monitoring capabilities, we combine Suricata, an open-source Network Intrusion Detection System (NIDS), and Wazuh, a cybersecurity platform that integrates SIEM and XDR capabilities; see the instructions for a joint deployment of IDPS, SIEM/XDR and OpenSearch AD.

This site is open source. Improve this page.