SIEM Integration
AuroraSOC acts as a meta-SIEM, ingesting and correlating events from multiple SIEM sources through a unified interface. Rather than replacing your existing SIEM, AuroraSOC sits above it, adding AI-powered analysis.
Supported SIEM Sources
| Source | Protocol | Description |
|---|---|---|
| Wazuh | REST API / Syslog | Host-based IDS, file integrity monitoring |
| Suricata | EVE JSON / Redis | Network IDS/IPS with full packet inspection |
| Zeek | JSON Logs | Network traffic analysis and protocol logging |
| Velociraptor | REST API | Endpoint visibility and digital forensics |
| Custom | Syslog / JSON | Any source via the Rust normalizer |
Event Normalization Pipeline
Why a Rust Normalizer?
The normalizer is written in Rust because it sits on the performance-critical path of event processing. At high event volumes (10,000+ EPS), CPython's global interpreter lock (GIL) limits a process to one thread executing Python code at a time and becomes the bottleneck. Rust provides:
- Zero-copy parsing for known formats
- Async I/O with tokio for concurrent source handling
- Memory safety enforced at compile time, with no garbage-collector pauses
- Sub-millisecond per-event processing latency
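The step the normalizer performs is easiest to see on concrete input. The following is an added Python illustration, not AuroraSOC's Rust normalizer: it decodes one Suricata EVE alert, one Wazuh alert and one Zeek conn record and maps them onto a single schema. The field set (ts, source, severity, src_ip, dst_ip, user, technique, message), the 0..4 severity scale and the sample lines are all assumptions made for this example; the page does not show the project's schema.

```python
"""Normalize raw events from several SIEM sources into one schema.

Added Python illustration of the normalization step; AuroraSOC's normalizer
is written in Rust and its schema is not shown on this page, so the field
set below (ts, source, severity, src_ip, dst_ip, user, technique, message)
and the 0..4 severity scale are assumptions made for this example.
"""
import json
from datetime import datetime, timezone
from typing import Any

# Suricata EVE alert.severity runs 1 (high) .. 3 (low): a higher number means
# LESS severe, so it must be inverted before comparing it with other sources.
SURICATA_SEVERITY = {1: 4, 2: 3, 3: 1}


def wazuh_severity(level: int) -> int:
    """Bucket a Wazuh rule level (0..15) into the example's 0..4 scale."""
    for threshold, sev in ((12, 4), (9, 3), (5, 2), (1, 1)):
        if level >= threshold:
            return sev
    return 0


def to_iso(ts: Any) -> str:
    """Return a UTC ISO-8601 timestamp from an ISO string or a Zeek epoch float."""
    if isinstance(ts, (int, float)):
        dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(ts)
        if dt.tzinfo is None:          # naive timestamps are assumed to be UTC
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat()


def normalize(source: str, raw: dict) -> dict:
    """Map one decoded event from `source` onto the common schema."""
    ev = {"source": source, "src_ip": None, "dst_ip": None, "user": None,
          "technique": None, "severity": 0, "message": ""}
    if source == "suricata":
        alert = raw.get("alert", {})
        ev.update(ts=to_iso(raw["timestamp"]),
                  src_ip=raw.get("src_ip"), dst_ip=raw.get("dest_ip"),
                  severity=SURICATA_SEVERITY.get(alert.get("severity"), 0),
                  message=alert.get("signature", raw.get("event_type", "")))
    elif source == "wazuh":
        rule, data = raw.get("rule", {}), raw.get("data", {})
        mitre_ids = rule.get("mitre", {}).get("id", [])
        ev.update(ts=to_iso(raw["timestamp"]),
                  src_ip=data.get("srcip"),
                  user=data.get("dstuser") or data.get("srcuser"),
                  severity=wazuh_severity(int(rule.get("level", 0))),
                  technique=mitre_ids[0] if mitre_ids else None,
                  message=rule.get("description", ""))
    elif source == "zeek":
        # Zeek conn records carry no severity; they stay at 0 (informational).
        ev.update(ts=to_iso(raw["ts"]),
                  src_ip=raw.get("id.orig_h"), dst_ip=raw.get("id.resp_h"),
                  message=f"{raw.get('proto', '?')} {raw.get('conn_state', '?')}")
    else:
        # Unknown sources are rejected rather than passed through unchanged,
        # so a misconfigured feed cannot pollute the correlated event stream.
        raise ValueError(f"no normalizer for source {source!r}")
    return ev


def normalize_lines(lines):
    """Decode and normalize (source, json_line) pairs; returns a list of events."""
    return [normalize(source, json.loads(line)) for source, line in lines]


# Constructed sample input, one line per source (not captured from a real system).
SAMPLE_LINES = [
    ("suricata", '{"timestamp":"2024-05-01T12:00:05+00:00","event_type":"alert",'
                 '"src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP",'
                 '"alert":{"signature":"SSH brute force attempt","signature_id":1000001,"severity":2}}'),
    ("wazuh", '{"timestamp":"2024-05-01T12:03:10+00:00",'
              '"rule":{"level":10,"description":"sshd: brute force trying to get access to the system.",'
              '"id":"5712","mitre":{"id":["T1110"]}},"agent":{"name":"web-01"},'
              '"data":{"srcip":"10.0.0.5","dstuser":"root"}}'),
    ("zeek", '{"ts":1714564800.25,"uid":"CabcXYZ1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20",'
             '"id.orig_p":51000,"id.resp_p":22,"proto":"tcp","conn_state":"S0"}'),
]

if __name__ == "__main__":
    for ev in normalize_lines(SAMPLE_LINES):
        print(ev)
```

Two details matter for anything downstream that filters on normalized severity: Suricata's scale is inverted relative to most other sources (1 is the most severe), and Zeek's conn log has no severity at all, so a naive pass-through would either rank Suricata backwards or silently drop Zeek records from a "severity >= medium" search. Timestamps are also rewritten to one UTC form, because the correlation window is computed on them and mixed time zones would shift events in or out of the window.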
SIEM Dashboard Page
The SIEM page shows:
Log Sources
A card for each connected SIEM source showing:
- Status — Connected / Disconnected
- EPS — Current events per second
- Total Events — Cumulative count for the day
- Last Event — Timestamp of most recent event
Event Search
Full-text search across all ingested events with filters:
- Time range — Last 15m, 1h, 4h, 24h, 7d, custom
- Source — Filter by origin system
- Severity — Filter by normalized severity
- Search query — Lucene-like query syntax
Event Correlation
The CorrelateEvents tool automatically finds relationships between events:
| Correlation Type | Method | Example |
|---|---|---|
| IP-based | Same source/destination IP | Port scan followed by exploit attempt |
| User-based | Same username across events | Brute force followed by successful login |
| Time-based | Events within a window | Multiple alerts within 5 minutes |
| Technique-based | Same MITRE technique | Different hosts showing same attack pattern |
The default correlation window is 15 minutes. Events arriving within this window that share a common indicator are automatically linked. Adjust the window via the AURORA_SIEM_CORRELATION_WINDOW environment variable. Widening it raises the chance that unrelated events sharing an indicator (for example, the address of a NAT gateway or a shared service account) are linked together.
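The linking rule above (same window, shared indicator) can be written down compactly. The following is an added Python illustration, not the project's CorrelateEvents tool: it sorts normalized events by time, walks back through the window for each one, and joins events that share a source or destination IP, a username or a technique ID into clusters tagged with the correlation types from the table. The field names, the sample events and the `window_minutes` parameter are assumptions for this example; the page does not state what unit AURORA_SIEM_CORRELATION_WINDOW takes.

```python
"""Window-based correlation over normalized events.

Added Python illustration of the correlation rule described above (events within
a time window that share an indicator are linked). It is not AuroraSOC's
CorrelateEvents implementation; the field names (ts, src_ip, dst_ip, user,
technique) are assumed from the table and the window defaults to 15 minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator field -> correlation type it produces (same types as the table above).
INDICATORS = {
    "src_ip": "IP-based",
    "dst_ip": "IP-based",
    "user": "User-based",
    "technique": "Technique-based",
}


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def correlate(events, window_minutes=15):
    """Link events within `window_minutes` of each other that share an indicator.

    Input order does not matter; events are sorted by `ts` first. Returns only
    clusters of two or more events as {"ids": [...], "reasons": {...}}, with
    ids in time order and reasons being the correlation types that joined them.
    """
    window = timedelta(minutes=window_minutes)
    order = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    times = [datetime.fromisoformat(e["ts"]) for e in order]
    parent = list(range(len(order)))
    links = []                               # (newer idx, older idx, type)
    for i, ev in enumerate(order):
        j = i - 1
        # Events are time-sorted, so the first older event outside the window
        # ends the backward scan for this event.
        while j >= 0 and times[i] - times[j] <= window:
            for field, ctype in INDICATORS.items():
                if ev.get(field) and ev.get(field) == order[j].get(field):
                    ri, rj = _find(parent, i), _find(parent, j)
                    if ri != rj:
                        parent[rj] = ri
                    links.append((i, j, ctype))
            j -= 1
    clusters = defaultdict(lambda: {"ids": [], "reasons": set()})
    for i, ev in enumerate(order):
        clusters[_find(parent, i)]["ids"].append(ev["id"])
    for i, _j, ctype in links:
        clusters[_find(parent, i)]["reasons"].add(ctype)
    return [c for c in clusters.values() if len(c["ids"]) > 1]


# Constructed, already-normalized sample events (deliberately out of time order).
SAMPLE_EVENTS = [
    {"id": "e1", "ts": "2024-05-01T12:00:05+00:00", "source": "suricata",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "user": None, "technique": None,
     "message": "port scan"},
    {"id": "e2", "ts": "2024-05-01T12:03:10+00:00", "source": "wazuh",
     "src_ip": "10.0.0.5", "dst_ip": None, "user": "root", "technique": "T1110",
     "message": "sshd brute force"},
    {"id": "e5", "ts": "2024-05-01T12:06:00+00:00", "source": "suricata",
     "src_ip": "192.168.1.77", "dst_ip": "192.168.1.1", "user": None, "technique": None,
     "message": "DNS anomaly"},
    {"id": "e3", "ts": "2024-05-01T12:05:30+00:00", "source": "wazuh",
     "src_ip": "10.0.0.5", "dst_ip": None, "user": "root", "technique": "T1078",
     "message": "sshd authentication success"},
    {"id": "e4", "ts": "2024-05-01T12:40:00+00:00", "source": "wazuh",
     "src_ip": "203.0.113.9", "dst_ip": None, "user": "alice", "technique": "T1110",
     "message": "sshd brute force"},
]

if __name__ == "__main__":
    for cluster in correlate(SAMPLE_EVENTS):
        print(cluster["ids"], sorted(cluster["reasons"]))
```

With the 15-minute default, e1, e2 and e3 form one cluster (shared source IP, then shared username), e5 stays alone because it shares nothing, and e4 is too far away in time even though it shares T1110 with e2. Widening the window to 60 minutes pulls e4 in as a technique-based link. Two properties of this rule are worth knowing when reading the SIEM page: the window applies pairwise, so a chain of events each within 15 minutes of the previous one forms a single cluster that can span hours, and any indicator shared by unrelated activity (a NAT address, a scanner's source IP, a common technique such as T1110) will link events that have nothing to do with each other.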
MITRE ATT&CK Mapping
Every normalized event is mapped to MITRE ATT&CK techniques by the AI agents.
The SIEM page includes a MITRE heatmap showing technique prevalence across your environment over time, so the same technique appearing on several hosts (the technique-based correlation above) stands out as a hot cell.