Automated Response & Enforcement

SOAR-lite · Safe defaults · Audit trail

Overview

1SEC can automatically respond to alerts with enforcement actions. By default, enforcement ships in dry-run under the safe preset.

Enforcement is configurable per module, with cooldowns, rate limiting, and full action auditing. Full details are in Docs.

Presets & Safety

Presets provide sane defaults for response policies:

  • lax — log + webhook only, never blocks or kills. Pure observe mode.
  • safe — conservative, dry-run oriented
  • balanced — practical defaults for production
  • strict — maximum enforcement (use with care)
  • vps-agent — purpose-built for VPS-hosted AI agents (OpenClaw, Moltbot, Manus)

Config snippet
enforcement:
  enabled: true
  dry_run: true
  preset: "safe"

Actions

Block IP

OS-aware firewall blocking (iptables/pfctl/netsh) with cooldowns and validation.

Kill process

Terminate suspicious processes by PID or name with safety guards.

Quarantine file

Move suspicious files to quarantine and restrict permissions.

Webhook

Send alert payloads to Slack/PagerDuty/custom endpoints via a hardened dispatcher with retry, dead-letter queue, and circuit breaker.

Disable user

Disable compromised accounts. Rollback re-enables the user.

Command

Run controlled commands with shell-injection mitigations and allowlisted arguments.

Log-only

Record an action decision without taking a destructive step.

Approval Gates

For destructive actions, you can require human approval before execution. This is designed for production environments where “auto-block” must be controlled.

See Docs: Approval Gates.

Auditing

Every action decision and execution result is written to the response audit trail. This is critical for forensic review and post-incident accountability.
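As an added illustration (not 1SEC's own code) of how the preset, dry-run, cooldown, approval-gate and audit-trail concepts from the Presets and Approval Gates/Auditing sections fit together, the following Python model walks a single action through those checks in order. The preset contents, status names, and the loopback/PID guards are assumptions made for this example, not the project's real definitions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed preset-to-action mapping (constructed for this illustration, not 1SEC's real presets).
PRESET_ACTIONS = {
    "lax": {"log", "webhook"},
    "safe": {"log", "webhook", "block_ip"},
    "balanced": {"log", "webhook", "block_ip", "kill_process", "quarantine_file"},
    "strict": {"log", "webhook", "block_ip", "kill_process", "quarantine_file", "disable_user", "command"},
}
DESTRUCTIVE = {"block_ip", "kill_process", "quarantine_file", "disable_user", "command"}

def validate_target(action, target):
    """Safety guards (assumed): refuse to block loopback/invalid IPs or to kill PID 0/1."""
    if action == "block_ip":
        try:
            return not ipaddress.ip_address(target).is_loopback
        except ValueError:
            return False
    if action == "kill_process":
        return str(target).isdigit() and int(target) > 1
    return True

@dataclass
class Enforcer:
    preset: str = "safe"                 # mirrors enforcement.preset
    dry_run: bool = True                 # mirrors enforcement.dry_run
    require_approval: bool = False       # approval gate for destructive actions
    cooldown_s: int = 300                # per (action, target) cooldown window
    clock: int = 0                       # seconds; the caller advances it
    last_run: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # the response audit trail

    def decide(self, action, target):
        key = (action, target)
        if action not in PRESET_ACTIONS[self.preset]:
            status = "denied_by_preset"
        elif not validate_target(action, target):
            status = "rejected_by_guard"
        elif key in self.last_run and self.clock - self.last_run[key] < self.cooldown_s:
            status = "suppressed_by_cooldown"
        elif action in DESTRUCTIVE and self.require_approval:
            status = "pending_approval"   # parked until a human approves or rejects
        elif self.dry_run:
            status = "dry_run"            # decision recorded, nothing touched
        else:
            status = "executed"
            self.last_run[key] = self.clock
        self.audit.append({"t": self.clock, "action": action, "target": target, "status": status})
        return status
```

Every branch appends to `audit`, so a rejected or suppressed decision is as reviewable after the fact as an executed one.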

API: response history
GET /api/v1/enforce/history?limit=50
CLI: webhook & approval management
# Webhook dispatcher stats, dead letters, retry
1sec enforce webhooks stats
1sec enforce webhooks dead-letters
1sec enforce webhooks retry <id>

# Approval gate: pending, approve, reject, history
1sec enforce approvals pending
1sec enforce approvals approve <id>
1sec enforce approvals reject <id>
1sec enforce approvals history

Examples

CLI: test enforcement
# Simulate an alert and preview actions
1sec enforce test injection_shield --severity CRITICAL
API: toggle dry-run
POST /api/v1/enforce/dry-run/on
POST /api/v1/enforce/dry-run/off