
SIEM Tools

The SIEM tool module provides four tools for log search, event correlation, IOC extraction, and MITRE ATT&CK mapping. The module lives in aurorasoc/tools/siem/.

Tool Inventory

SearchLogs

Queries SIEM data sources for log events matching criteria.

class SearchLogs(AuroraTool):
    """Query the SIEM backend for log events matching a search expression.

    Thin wrapper over ``siem_client.search``: the matching events are
    returned together with the echoed request parameters so a caller can
    tell which query a result set belongs to.
    """

    name = "search_logs"
    description = "Search SIEM logs across all data sources"

    input_schema = {
        "properties": {
            "query": {"type": "string", "description": "Search query"},
            "time_range": {"type": "string", "default": "15m"},
            "source": {"type": "string", "enum": ["wazuh", "suricata", "zeek", "velociraptor"]},
            "max_results": {"type": "integer", "default": 100},
        },
        "required": ["query"],
    }

    async def _execute(self, query, time_range="15m", source=None, max_results=100):
        """Run the search and package the backend's answer.

        Args:
            query: Search expression handed to the SIEM backend unchanged.
            time_range: Look-back window string, e.g. ``"15m"``.
            source: Optional data-source filter (see the ``input_schema``
                enum); ``None`` searches every source.
            max_results: Upper bound on the number of returned events.

        Returns:
            dict with ``events`` (the backend's result list), ``count``
            (its length), and the echoed ``query`` and ``time_range``.
        """
        # NOTE(review): the query string is forwarded verbatim; whether it is
        # parameterized or escaped is up to siem_client — confirm before
        # exposing this tool to untrusted input.
        matched = await siem_client.search(query, time_range, source, max_results)

        result = {"events": matched, "count": len(matched)}
        result["query"] = query
        result["time_range"] = time_range
        return result

Used by: Security Analyst, Threat Hunter, Forensic Analyst

CorrelateEvents

Finds relationships between events based on shared indicators.

class CorrelateEvents(AuroraTool):
    """Find events related to a seed set through shared indicator values.

    Delegates the search to ``correlator.find_related`` and renders the
    result as a graph with ``build_graph`` for the caller.
    """

    name = "correlate_events"
    description = "Correlate security events by shared indicators"

    input_schema = {
        "properties": {
            "event_ids": {"type": "array", "items": {"type": "string"}},
            "correlation_fields": {
                "type": "array",
                "items": {"type": "string"},
                "description": "Fields to correlate on (src_ip, dst_ip, user, hash)",
            },
            "time_window": {"type": "string", "default": "15m"},
        },
        "required": ["event_ids"],
    }

    async def _execute(self, event_ids, correlation_fields=None, time_window="15m"):
        """Correlate the seed events and return the related set plus its graph.

        Args:
            event_ids: Identifiers of the events to start from.
            correlation_fields: Field names whose values must match for two
                events to be related; ``None`` leaves the choice to the
                correlator.
            time_window: How far around the seed events to look, e.g. ``"15m"``.

        Returns:
            dict with ``correlated_events`` (the correlator's result),
            ``correlation_graph`` (``build_graph`` over that result) and
            ``total_related`` (number of correlated events).
        """
        related = await correlator.find_related(event_ids, correlation_fields, time_window)
        graph = build_graph(related)

        return {
            "correlated_events": related,
            "correlation_graph": graph,
            "total_related": len(related),
        }

Used by: Security Analyst

ExtractIOC

Extracts Indicators of Compromise from raw event data using regex patterns and heuristics.

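class ExtractIOC(AuroraTool):
    """Extract Indicators of Compromise from free text with regular expressions.

    Each supported indicator kind has one pattern in ``_PATTERNS``. The
    input schema exposes a single ``"hash"`` type that covers both the MD5
    and SHA-256 patterns; emitted entries keep the concrete kind
    (``"md5"`` / ``"sha256"``) so consumers can tell them apart.
    """

    name = "extract_ioc"
    description = "Extract IOCs (IPs, domains, hashes, emails) from text"

    input_schema = {
        "properties": {
            "text": {"type": "string", "description": "Raw event data or log text"},
            "ioc_types": {
                "type": "array",
                "items": {"type": "string", "enum": ["ip", "domain", "hash", "email", "url", "cve"]},
                "description": "IOC types to extract (default: all)",
            },
        },
        "required": ["text"],
    }

    # Compiled once at class-definition time instead of on every call.
    _PATTERNS = {
        "ip": re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),
        "domain": re.compile(r'\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b'),
        "md5": re.compile(r'\b[a-fA-F0-9]{32}\b'),
        "sha256": re.compile(r'\b[a-fA-F0-9]{64}\b'),
        "email": re.compile(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'),
        "url": re.compile(r'https?://[^\s<>"{}|\\^`\[\]]+'),
        "cve": re.compile(r'CVE-\d{4}-\d{4,7}'),
    }

    # Schema-level type names that stand for several concrete patterns.
    # Without this, a request for "hash" (the only hash value the schema
    # allows) matched neither "md5" nor "sha256" and returned no hashes.
    _TYPE_GROUPS = {"hash": ("md5", "sha256")}

    async def _execute(self, text, ioc_types=None):
        """Scan *text* and return the de-duplicated indicators found.

        Args:
            text: Raw log or event text to scan.
            ioc_types: Schema type names to restrict the scan to; ``None``
                or an empty list means every type (the schema's
                "default: all").

        Returns:
            dict with ``iocs`` (list of ``{"type": ..., "value": ...}``) and
            ``count`` (its length).
        """
        wanted = self._selected_types(ioc_types)
        found = []

        for ioc_type, pattern in self._PATTERNS.items():
            if ioc_type not in wanted:
                continue
            # dict.fromkeys de-duplicates while keeping first-seen order, so
            # the output is deterministic (a set's iteration order is not).
            for value in dict.fromkeys(pattern.findall(text or "")):
                found.append({"type": ioc_type, "value": value})

        return {"iocs": found, "count": len(found)}

    @classmethod
    def _selected_types(cls, ioc_types):
        """Resolve requested schema type names to concrete pattern keys.

        Group names (``"hash"``) expand to their member patterns; concrete
        names (``"md5"``, ``"ip"``) are accepted as-is. An empty or ``None``
        selection means every pattern.
        """
        if not ioc_types:
            return set(cls._PATTERNS)
        selected = set()
        for requested in ioc_types:
            selected.update(cls._TYPE_GROUPS.get(requested, (requested,)))
        return selected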

Used by: Security Analyst

MitreMap

Maps events and findings to MITRE ATT&CK techniques.

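class MitreMap(AuroraTool):
    """Map a described behaviour to MITRE ATT&CK techniques.

    The mapping itself is delegated to ``mitre_mapper`` (LLM-powered, per
    the original note); this tool reshapes its result for the caller and
    builds a reference URL for each technique.
    """

    name = "mitre_map"
    description = "Map security findings to MITRE ATT&CK techniques"

    input_schema = {
        "properties": {
            "description": {"type": "string", "description": "Description of the observed behavior"},
            "indicators": {
                "type": "array",
                "items": {"type": "string"},
                "description": "Process names, commands, or behavior indicators",
            },
        },
        "required": ["description"],
    }

    async def _execute(self, description, indicators=None):
        """Map the finding and return the techniques with reference URLs.

        Args:
            description: Free-text description of the observed behaviour.
            indicators: Optional process names, commands or other behaviour
                indicators that help the mapper.

        Returns:
            dict with ``techniques``: a list of
            ``{"id", "name", "tactic", "url", "confidence"}`` entries, one
            per technique returned by the mapper. ``url`` is ``None`` when
            the technique id is not a well-formed ATT&CK id.
        """
        # LLM-powered technique mapping
        techniques = await mitre_mapper.map(description, indicators)
        return {
            "techniques": [
                {
                    "id": t.id,
                    "name": t.name,
                    "tactic": t.tactic,
                    "url": self._technique_url(t.id),
                    "confidence": t.confidence,
                }
                for t in techniques
            ]
        }

    @staticmethod
    def _technique_url(technique_id):
        """Return the attack.mitre.org page for *technique_id*, or ``None``.

        Sub-technique pages live under their parent, so ``T1059.001`` maps
        to ``.../techniques/T1059/001``; interpolating the dotted id as the
        original did produced a path that is not the canonical page. The id
        comes from the mapper's (LLM) output, so anything that does not match
        the ATT&CK id format (``T1234`` or ``T1234.001``) is not placed in a
        URL at all.
        """
        import re  # local import: keeps this helper self-contained

        if not isinstance(technique_id, str):
            return None
        if not re.fullmatch(r"T\d{4}(?:\.\d{3})?", technique_id):
            return None
        return f"https://attack.mitre.org/techniques/{technique_id.replace('.', '/')}"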

Used by: Security Analyst

Tool Flow Example