SIEM Plugin

Currently supports ELK and Splunk. The plugin provides easy-to-use APIs (Tools) for LLM integration.

Configuration

  • Rename CONFIG.example.py to CONFIG.py and fill in the configuration items according to the code comments
  • If you only use one of ELK or Splunk, the configuration items for the other can be left disabled or commented out at their default values
  • The DATA/Indexes directory contains three sample index log configuration files: siem-aws-cloudtrail.yaml, siem-host-events.yaml, and siem-network-traffic.yaml, which should be used with test data generated by the Mock plugin
  • New SIEM log configurations can be written with reference to the above three yaml files and placed in the DATA/Indexes directory
  • In production environments, the three test yaml files should be deleted to avoid affecting LLM query results
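As an added example (not part of the plugin's own code), a small pre-start check for the last point above: it scans DATA/Indexes, reports the three sample configs when the deployment is marked as production, and can remove them. The sample file names come from this README; the function names, the environment argument and the constructed demo directory are assumptions of this example.

```python
from pathlib import Path
import tempfile

# Sample index configs shipped for Mock-plugin test data (names from the README).
SAMPLE_INDEX_CONFIGS = {
    "siem-aws-cloudtrail.yaml",
    "siem-host-events.yaml",
    "siem-network-traffic.yaml",
}

def split_index_configs(indexes_dir):
    """Return (sample, real): sorted yaml file names in indexes_dir, split by whether
    they are one of the shipped sample configs."""
    names = sorted(p.name for p in Path(indexes_dir).glob("*.yaml"))
    sample = [n for n in names if n in SAMPLE_INDEX_CONFIGS]
    real = [n for n in names if n not in SAMPLE_INDEX_CONFIGS]
    return sample, real

def preflight(indexes_dir, environment):
    """Return a list of problems (empty means OK). In production the sample configs
    must be gone, so they cannot pollute LLM query results, and at least one real
    index config must remain. The 'environment' argument is this example's own."""
    sample, real = split_index_configs(indexes_dir)
    problems = []
    if environment == "production":
        if sample:
            problems.append("sample index configs still present: " + ", ".join(sample))
        if not real:
            problems.append(f"no index configs found in {indexes_dir}")
    return problems

def remove_sample_configs(indexes_dir):
    """Delete only the known sample configs from indexes_dir; return the names removed."""
    sample, _ = split_index_configs(indexes_dir)
    for name in sample:
        Path(indexes_dir, name).unlink()
    return sample

def make_demo_indexes_dir():
    """Constructed fixture: a temporary DATA/Indexes holding one sample config and
    one made-up real config, so the check can be exercised offline."""
    d = Path(tempfile.mkdtemp()) / "DATA" / "Indexes"
    d.mkdir(parents=True)
    for name in ("siem-host-events.yaml", "siem-prod-firewall.yaml"):
        (d / name).write_text("# constructed placeholder index config\n")
    return str(d)
```

Run preflight(...) against the real DATA/Indexes path before starting the plugin in production and refuse to start while it returns problems.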

Usage

  • The plugin provides three functions: SIEMToolKit.explore_schema, SIEMToolKit.execute_adaptive_query, and SIEMToolKit.keyword_search
  • debug.py contains test-related code
  • For Agent integration examples, refer to Agent SIEM