Getting Started
A fast editorial walkthrough of what the first OpenSOAR experience feels like. For canonical setup and operational docs, use docs.opensoar.app.
Need the exact install and deployment path? Go to the docs.
1. Install
This is the shortest path to seeing the product live locally. The docs cover the full setup, verification, and operational details.
Then bootstrap the first local admin. Additional local accounts are created from Settings by that admin; public self-registration is off by default in core.
docker compose exec api opensoar-bootstrap-admin \
  --username admin \
  --password changeme \
  --display-name "OpenSOAR Admin"
2. Write your first playbook
This is the core product idea in one screen: playbooks are plain Python, not visual blocks or YAML definitions.
from opensoar import add_current_alert_comment, playbook, update_current_alert


# check_ip is your own enrichment lookup, defined in this module so the test in
# step 3 can replace it via monkeypatch. Placeholder body; wire it to your
# threat-intel source.
async def check_ip(ip):
    raise NotImplementedError("replace with your IP reputation lookup")


@playbook(
    trigger="webhook",
    conditions={"severity": ["high", "critical"]},
    description="Enrich high-signal alerts and leave them ready for analyst follow-up",
)
async def enrich_and_decide(alert):
    reputation = await check_ip(alert.get("source_ip"))
    if reputation.get("malicious"):
        await update_current_alert(
            status="in_progress",
            determination="suspicious",
            reason="Escalated after IP enrichment",
        )
        await add_current_alert_comment(
            "Threat intel came back hot. Analyst follow-up required."
        )
    return {"reputation": reputation}
3. Test it
Because playbooks are real code, you can test them with pytest. This page shows the shape of the workflow; it does not replace the full docs.
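The playbook in step 2 calls a check_ip helper that it leaves to you. What follows is an added, self-contained example, not OpenSOAR's code, of such a helper together with the playbook's decision logic, written so both can be exercised by the same kind of pytest test: it validates the input, skips addresses no reputation source can judge, and reports a failed lookup as an explicit "unknown" verdict instead of letting it pass as clean. Every IP, the feed data, and the names lookup_reputation, decide, enrich and enrich_sync are constructed for the example.

```python
# Added example (not OpenSOAR's code): a defensively written enrichment
# helper plus the decision logic from the playbook, structured so both are
# unit-testable without the platform. All IPs and feed data are constructed.
import asyncio
import ipaddress
from typing import Optional

# Constructed stand-in for a threat-intel feed, keyed by IP string.
FAKE_REPUTATION_FEED = {
    "203.0.113.7": {"malicious": True, "source": "constructed-feed"},
    "198.51.100.9": {"malicious": False, "source": "constructed-feed"},
}
FEED_DOWN_FOR = {"192.0.2.1"}  # constructed: pretend the feed times out here

# Addresses that no external reputation source can say anything useful about.
# Documentation ranges (192.0.2.0/24 and friends) are deliberately left out so
# the constructed sample IPs above are actually looked up.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]


class ReputationUnavailable(Exception):
    """The reputation source could not answer (timeout, 5xx, quota)."""


async def lookup_reputation(ip: str) -> dict:
    """Simulated remote lookup; swap in your real threat-intel client here."""
    await asyncio.sleep(0)
    if ip in FEED_DOWN_FOR:
        raise ReputationUnavailable("feed timeout")
    return FAKE_REPUTATION_FEED.get(ip, {"malicious": False, "source": "no-data"})


def _skip(reason: str) -> dict:
    return {"verdict": "skipped", "malicious": False, "reason": reason}


async def check_ip(raw: Optional[str], lookup=lookup_reputation) -> dict:
    """Validate the input, skip non-routable addresses, and make a failed
    lookup visible as 'unknown' instead of letting it look like 'clean'."""
    if not raw:
        return _skip("alert has no source_ip")
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return _skip(f"not an IP address: {raw!r}")
    if any(ip in net for net in NON_ROUTABLE):
        return _skip(f"{ip} is not routable; no reputation lookup")
    try:
        data = await lookup(str(ip))
    except ReputationUnavailable as exc:
        return {"verdict": "unknown", "malicious": False, "reason": f"lookup failed: {exc}"}
    malicious = bool(data.get("malicious"))
    return {"verdict": "malicious" if malicious else "clean",
            "malicious": malicious, "source": data.get("source")}


def decide(reputation: dict) -> dict:
    """Map a reputation result to the alert update the playbook would make.
    Only a positive verdict escalates; an unavailable source asks for a
    manual check rather than silently leaving the alert looking clean."""
    if reputation["malicious"]:
        return {"status": "in_progress", "determination": "suspicious",
                "comment": "Threat intel came back hot. Analyst follow-up required."}
    if reputation["verdict"] == "unknown":
        return {"status": None, "determination": None,
                "comment": "IP enrichment unavailable; check the source IP manually."}
    return {"status": None, "determination": None, "comment": None}


async def enrich(alert: dict) -> dict:
    """The enrichment step of the playbook, minus the platform calls."""
    reputation = await check_ip(alert.get("source_ip"))
    return {"reputation": reputation, "action": decide(reputation)}


def enrich_sync(alert: dict) -> dict:
    """Convenience wrapper so plain (non-async) tests can drive the pipeline."""
    return asyncio.run(enrich(alert))


if __name__ == "__main__":
    for sample in ({"source_ip": "203.0.113.7"}, {"source_ip": "10.0.0.5"},
                   {"source_ip": "192.0.2.1"}, {"source_ip": "not-an-ip"}, {}):
        print(sample, "->", enrich_sync(sample))
```

Running the file prints one line per constructed alert: the first escalates, the private address and the malformed value are skipped, and the feed outage yields an "unknown" verdict with a follow-up comment but no status change. Passing the lookup in as a parameter is an alternative to monkeypatching a module attribute; either way, the network-dependent piece is the only thing a test needs to replace.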
import pytest
from my_first_playbook import enrich_and_decide


@pytest.mark.asyncio
async def test_malicious_ip_marks_alert_for_follow_up(monkeypatch):
    async def fake_check_ip(ip):
        assert ip == "45.33.32.156"
        return {"malicious": True}

    monkeypatch.setattr("my_first_playbook.check_ip", fake_check_ip)
    result = await enrich_and_decide({"source_ip": "45.33.32.156"})
    assert result["reputation"]["malicious"] is True
4. Deploy
In practice, deployment means shipping code and reloading the services that discover and run it. The detailed loading model is documented separately.
For the exact loading and sync behavior, see the docs.
Next steps
One command. No credit card.
Apache 2.0 licensed. Self-host on your infrastructure. No feature gates, no per-action billing, no vendor lock-in. Your playbooks are yours.
curl -fsSL https://opensoar.app/install.sh | sh