© 2026 – Pkg Stats / Ryan Hefner

alert2action

v1.1.0

Published

SOC Alert to Investigation Guide CLI - Transform security alerts into actionable investigation playbooks with MITRE ATT&CK mapping

Readme

🚨 alert2action

SOC Alert → Investigation Guide CLI

Transform security alerts into actionable investigation guides with MITRE ATT&CK mapping, investigation commands, and containment playbooks.


🎯 What It Does

alert2action alert.json

Input: A security alert JSON file (from any SIEM, EDR, or security tool)

Output: A comprehensive investigation guide with:

  • 📖 What Happened - Plain-English summary
  • 🎯 MITRE ATT&CK Mapping - Matched techniques with confidence scores
  • 📁 Logs to Check - Relevant log sources for investigation
  • Commands to Run - PowerShell & Linux commands for analysis
  • 🛡️ Containment Steps - Prioritized response actions
  • 🤔 False Positive Hints - Common benign causes to rule out

💡 Why This Is GOLD

  • Helps SOC freshers - Learn investigation workflow
  • Saves senior analyst time - Skip the basics, focus on threats
  • No strong open-source competitor - Fills a real gap
  • Works with any SIEM - Normalizes different alert formats
  • Offline capable - No API keys needed

🚀 Quick Start

Installation via npm (Recommended)

npm install -g alert2action

Or Clone from GitHub

git clone https://github.com/notsointresting/alert2action.git
cd alert2action
npm install
npm link  # Makes it globally available

Run on an Example Alert

alert2action examples/brute-force-alert.json
# or
node bin/alert2action.js examples/brute-force-alert.json

📋 Usage

Basic Usage

alert2action <alert-file.json>

Options

alert2action alert.json            # Colored CLI output
alert2action alert.json -o json    # JSON format
alert2action alert.json -o markdown # Markdown for tickets
alert2action alert.json -v         # Verbose mode
alert2action --help                # Show help

Output Formats

  • text (default) - Colorized CLI output for terminal
  • json - Raw JSON for integration with other tools
  • markdown - Perfect for pasting into tickets/docs

📁 Supported Alert Formats

alert2action automatically normalizes alerts from various sources:

  • Generic JSON - Any custom format
  • Splunk - Splunk alert output
  • Microsoft Sentinel - Azure Sentinel incidents
  • Elastic SIEM - Elasticsearch alerts
  • CrowdStrike Falcon - Falcon detection events
  • Microsoft Defender - MDE/MDI alerts
  • Custom SIEM - Maps common field names automatically

Example Alert Structure

{
  "title": "Multiple Failed Login Attempts",
  "severity": "high",
  "timestamp": "2024-01-18T10:30:00Z",
  "source_ip": "185.220.101.45",
  "hostname": "DC01.corp.local",
  "username": "administrator",
  "description": "Over 50 failed login attempts detected"
}

🎯 MITRE ATT&CK Coverage

Currently maps to 21 techniques across all major tactics:

| Tactic | Techniques |
|--------|------------|
| Reconnaissance | T1595 (Active Scanning) |
| Initial Access | T1566 (Phishing), T1190 (Exploit), T1078 (Valid Accounts) |
| Execution | T1059 (Command/Script), T1059.001 (PowerShell) |
| Persistence | T1053 (Scheduled Task), T1547 (Boot Autostart) |
| Privilege Escalation | T1548.002 (UAC Bypass), T1134 (Token Manipulation) |
| Defense Evasion | T1055 (Process Injection), T1070 (Indicator Removal) |
| Credential Access | T1003 (Credential Dumping), T1110 (Brute Force) |
| Discovery | T1087 (Account Discovery) |
| Lateral Movement | T1021 (Remote Services) |
| Command & Control | T1071 (Application Protocol) |
| Exfiltration | T1041 (Exfil Over C2) |
| Impact | T1486 (Ransomware) |
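The two steps the README describes, normalizing differing SIEM field names onto the generic alert structure shown under Supported Alert Formats and then matching techniques from the table above with a confidence score, as an added illustration that is not alert2action's own code. The technique IDs come from the table; the field aliases, keyword lists, scoring rule and sample alerts are this example's assumptions.

```javascript
// Added example (not alert2action's own code): normalize differing SIEM field
// names onto the README's alert shape, then score ATT&CK techniques from the
// table above by keyword. Aliases, keywords and samples are assumptions.
const FIELD_ALIASES = { // checked in order; dotted names descend into nested objects
  title:       ['title', 'rule.name', 'AlertName'],
  severity:    ['severity', 'event.severity', 'Severity'],
  source_ip:   ['source_ip', 'src_ip', 'source.ip', 'SourceIP'],
  hostname:    ['hostname', 'host.name', 'ComputerName'],
  username:    ['username', 'user.name', 'AccountName'],
  description: ['description', 'message', 'Description'],
};
const TECHNIQUES = { // confidence = share of a technique's keywords present in the text
  'T1110':     { name: 'Brute Force',        kw: ['failed login', 'brute force', 'password spray'] },
  'T1059.001': { name: 'PowerShell',         kw: ['powershell', 'encodedcommand', 'downloadstring'] },
  'T1003':     { name: 'Credential Dumping', kw: ['lsass', 'mimikatz', 'sam hive'] },
};
// Constructed samples: one in the README's generic shape, one Elastic-style (nested).
const SAMPLE_ALERTS = {
  generic: { title: 'Multiple Failed Login Attempts', severity: 'high',
             source_ip: '203.0.113.45', hostname: 'DC01.corp.local',
             username: 'administrator', description: 'Over 50 failed login attempts detected' },
  elastic: { rule: { name: 'Suspicious PowerShell' }, event: { severity: 'HIGH' },
             host: { name: 'WS07.corp.local' }, user: { name: 'jdoe' },
             message: 'powershell.exe -EncodedCommand [base64 omitted] DownloadString cradle' },
};

const getPath = (obj, path) =>
  path.split('.').reduce((o, k) => (o != null && o[k] !== undefined ? o[k] : undefined), obj);

// Map a raw alert onto the README's field names; a field not found becomes null.
function normalizeAlert(raw) {
  const out = {};
  for (const [key, aliases] of Object.entries(FIELD_ALIASES)) {
    const hit = aliases.map((a) => getPath(raw, a)).find((v) => v !== undefined && v !== '');
    out[key] = hit === undefined ? null : String(hit);
  }
  out.severity = out.severity ? out.severity.toLowerCase() : 'unknown';
  return out;
}

// Score techniques against title + description; keep those at or above threshold.
function mapTechniques(alert, threshold = 0.3) {
  const text = `${alert.title || ''} ${alert.description || ''}`.toLowerCase();
  return Object.entries(TECHNIQUES)
    .map(([id, t]) => ({ id, name: t.name,
      confidence: Number((t.kw.filter((k) => text.includes(k)).length / t.kw.length).toFixed(2)) }))
    .filter((m) => m.confidence >= threshold)
    .sort((a, b) => b.confidence - a.confidence);
}
```

Running `mapTechniques(normalizeAlert(SAMPLE_ALERTS.generic))` yields a single T1110 match at 0.33 (one of three keywords), while the Elastic-style sample scores T1059.001 at 1.0; a field no alias resolves, such as `source_ip` in the Elastic sample, comes back as `null` rather than breaking the matcher.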

📂 Example Alerts Included

Try these sample alerts in the examples/ folder:

# Brute force attack
node bin/alert2action.js examples/brute-force-alert.json

# Malware execution (PowerShell download cradle)
node bin/alert2action.js examples/malware-alert.json

# Phishing email
node bin/alert2action.js examples/phishing-alert.json

# Credential dumping (LSASS access)
node bin/alert2action.js examples/credential-dump-alert.json

# Lateral movement (PsExec)
node bin/alert2action.js examples/lateral-movement-alert.json

# Privilege escalation (UAC Bypass)
node bin/alert2action.js examples/privesc-alert.json

# Multi-stage attack (Encoded PS + C2 + Persistence)
node bin/alert2action.js examples/soc-test-alert.json

🛠️ Programmatic Usage

Use alert2action as a library in your own scripts:

const { analyze, parseAlert, generateGuide } = require('alert2action');

// Quick analysis
const alertJson = require('./my-alert.json');
console.log(analyze(alertJson));

// Or step by step
const parsed = parseAlert(alertJson);
const guide = generateGuide(parsed);
console.log(guide);

🗺️ Roadmap

Coming Soon

  • [ ] More MITRE techniques - Expand to 50+ techniques
  • [ ] Threat intelligence integration - VirusTotal, AbuseIPDB, OTX lookups
  • [ ] Export to TheHive - Create cases directly from alerts
  • [ ] Splunk-specific mapping - Native Splunk field support
  • [ ] Interactive mode - Guided Q&A investigation workflow
  • [ ] Custom playbook templates - YAML-based playbook definitions

Future Ideas

  • [ ] Sigma rule suggestions
  • [ ] YARA rule generation
  • [ ] Timeline visualization
  • [ ] Multi-alert correlation
  • [ ] Webhook integrations (Slack, Teams, Discord)

🤝 Contributing

Contributions welcome! Areas that need help:

  1. More MITRE techniques - Add coverage for more attack patterns
  2. SIEM-specific parsers - Better support for specific products
  3. Investigation commands - More forensic one-liners
  4. False positive knowledge - Common FP patterns

📄 License

MIT License - Use freely in your SOC!


Built with ❤️ for SOC analysts everywhere