A terminal-first OCSF-based incident response manager for security analysts.
- OCSF-native event ingestion
- Keyboard-first TUI for cases & events
- AI assisted Case Management
- Plugin-based enrichment via Redis Streams
- SQLite storage with FTS
- Pluggable LLM providers for summaries
A quick tour of the TUI (cases & events).
- Go ≥ 1.23
- Docker (optional, for Redis)
- Git
```bash
git clone https://github.com/Ashfaaq98/ocsf-console-ir.git
cd ocsf-console-ir
make build
./bin/console-ir serve
```

Or headless:

```bash
./bin/console-ir serve --no-tui
```

Run a JSONL file directly with `./bin/console-ir ingest <file>` (see console-ir/cmd/ingest.go).
Drop files into data/incoming; the folder watcher ingests new files automatically (see console-ir/internal/ingest/folder.go).
Enable the optional HTTP endpoint to POST events into the pipeline (see console-ir/internal/ingest/http_ingest.go).
Real-time OCSF inputs and adapters publish to Redis Streams for processing (see console-ir/internal/ingest/live.go and console-ir/internal/ingest/ocsf.go).
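The file, folder and HTTP ingestion paths above all accept newline-delimited OCSF JSON, so the same two checks apply at every entry point: each line must parse and carry the OCSF base fields before it enters the pipeline, and a POSTed body must be size-bounded so one client cannot exhaust memory. The following is an added example written for this README, not code from the console-ir project. It assumes a hypothetical `Event` struct holding only the OCSF base fields (`class_uid`, `category_uid`, `severity_id`, `time`, `message`, `metadata.version`), a hypothetical `/ingest` path, and a constructed 4 MiB request limit; the sample batch is constructed for the demonstration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Event carries the OCSF base-event fields every ingested record must have.
// The JSON names follow the OCSF schema; the struct itself is an assumption
// of this example, not a type from the console-ir code base.
type Event struct {
	ClassUID    int    `json:"class_uid"`
	CategoryUID int    `json:"category_uid"`
	SeverityID  int    `json:"severity_id"`
	Time        int64  `json:"time"` // epoch milliseconds
	Message     string `json:"message"`
	Metadata    struct {
		Version string `json:"version"`
	} `json:"metadata"`
}

// Validate enforces the minimal shape before an event enters the pipeline.
// OCSF severity_id is 0..6, plus 99 for "Other".
func (e Event) Validate() error {
	switch {
	case e.ClassUID <= 0:
		return errors.New("class_uid missing or non-positive")
	case e.Time <= 0:
		return errors.New("time missing")
	case !(e.SeverityID >= 0 && e.SeverityID <= 6) && e.SeverityID != 99:
		return errors.New("severity_id out of range")
	case e.Metadata.Version == "":
		return errors.New("metadata.version missing")
	}
	return nil
}

// ParseJSONL reads newline-delimited JSON and returns the accepted events plus
// a reason for every rejected line, so a bad line never silently drops a batch.
func ParseJSONL(r io.Reader) (events []Event, rejects []string) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // cap a single line at 1 MiB
	line := 0
	for sc.Scan() {
		line++
		raw := strings.TrimSpace(sc.Text())
		if raw == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(raw), &ev); err != nil {
			rejects = append(rejects, fmt.Sprintf("line %d: invalid JSON: %v", line, err))
			continue
		}
		if err := ev.Validate(); err != nil {
			rejects = append(rejects, fmt.Sprintf("line %d: %v", line, err))
			continue
		}
		events = append(events, ev)
	}
	if err := sc.Err(); err != nil { // oversized line or truncated body
		rejects = append(rejects, fmt.Sprintf("read error after line %d: %v", line, err))
	}
	return events, rejects
}

// MaxBody bounds an HTTP ingest request body (constructed limit for this example).
const MaxBody = 4 << 20

// IngestHandler accepts a POSTed JSONL batch and reports what was accepted
// and why the rest was rejected. Path and response shape are assumptions.
func IngestHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, MaxBody) // stop reading past the limit
	events, rejects := ParseJSONL(r.Body)
	w.Header().Set("Content-Type", "application/json")
	if len(events) == 0 && len(rejects) > 0 {
		w.WriteHeader(http.StatusBadRequest)
	}
	json.NewEncoder(w).Encode(map[string]any{
		"accepted": len(events),
		"rejected": rejects,
	})
}

// SampleJSONL is a constructed batch: two valid events, one missing class_uid,
// and one line that is not JSON at all.
const SampleJSONL = `{"class_uid":1001,"category_uid":1,"severity_id":3,"time":1700000000000,"message":"file created","metadata":{"version":"1.1.0"}}
{"class_uid":4001,"category_uid":4,"severity_id":5,"time":1700000001000,"message":"network activity","metadata":{"version":"1.1.0"}}
{"severity_id":1,"time":1700000002000,"metadata":{"version":"1.1.0"}}
{not json`

func main() {
	events, rejects := ParseJSONL(strings.NewReader(SampleJSONL))
	fmt.Printf("accepted %d events, rejected %d lines\n", len(events), len(rejects))
	for _, r := range rejects {
		fmt.Println("  ", r)
	}
}
```

Run it with `go run` to see the constructed batch split into two accepted events and two per-line rejections; wire `IngestHandler` to a mux to get the same behaviour over HTTP, where an oversized body is cut off by `MaxBytesReader` and surfaces as a rejection rather than an out-of-memory condition.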
External plugins run as separate processes and consume/publish via Redis Streams. See docs/plugins.md.
By default external plugins are disabled; enable explicitly by creating an enable marker next to the executable (e.g., plugins/llm/llm.enabled) or start plugins manually.
Development is supported via .devcontainer/devcontainer.json and debug settings in .vscode/launch.json.
- Ensure Redis is reachable at the configured URL.
- If TUI fails, run with --no-tui or use a native terminal.
- Build issues: run `go mod download` and `make build`.
- See the full contribution guide in CONTRIBUTING.md for workflow, coding standards, and local checks.
- Quick steps: fork the repo, create a branch, add tests, run `make check`, open a PR.
Do NOT commit API keys or secrets. Use the TUI or edit config/llm_settings.sample.json and keep config/llm_settings.json ignored. See SECURITY.md for disclosure guidance.
AGPLv3 - see LICENSE