Skip to content

OpenSOAR Docs

Getting Started

OpenSOAR Docs

Overview
Getting Started Getting Started
On this page
Playbooks
Playbooks
- Overview
- Loading and Syncing
Deployment
Deployment
- Docker
Integrations
Integrations
- Overview
API
API
- Overview
Migrations
Migrations
- From TheHive
Troubleshooting
Troubleshooting
- Playbooks
Engineering
Engineering

Getting Started¶

This guide is the practical setup path: get a local OpenSOAR stack running, confirm the services work, and understand what to do next.

Before You Start¶

You need:

Docker
Docker Compose
a clone of opensoar-core

What You Start¶

The default stack starts:

API
worker
PostgreSQL
Redis
UI

Start the Stack¶

git clone https://github.com/opensoar-hq/opensoar-core.git
cd opensoar-core
docker compose up -d

Then open:

API: http://localhost:8000
UI: http://localhost:3000
API docs: http://localhost:8000/docs

Verify Ingestion¶

curl -X POST http://localhost:8000/api/v1/webhooks/alerts \
  -H "Content-Type: application/json" \
  -d '{
    "rule_name": "Brute Force Detected",
    "severity": "high",
    "source_ip": "203.0.113.42",
    "hostname": "web-prod-01",
    "tags": ["authentication", "brute-force"]
  }'

If the stack is healthy, the alert should be accepted and routed through the normal ingestion flow.

Understand The Automation Model¶

OpenSOAR does not use a visual playbook builder or a YAML workflow DSL.

Instead:

a playbook is a Python module
a trigger is declared with @playbook(...)
tracked steps use @action(...)
parallel work uses asyncio.gather()
playbooks are loaded from configured directories on startup or worker execution

Next Steps¶