What AIDR Monitors

Complete Security Coverage

Every AIDR and MAIDR deployment includes these eight integrated capability areas — no add-ons, no extra licenses.

Log Collection & Ingestion

Comprehensive log aggregation with configurable filtering, thread-safe ingestion, and TimescaleDB storage.

  • 17+ log source types — auth, kernel, auditd, Nginx, Apache, Docker, Windows Event Logs, and more
  • ECS v8.x compliance — all logs normalized to Elastic Common Schema
  • GeoIP enrichment — automatic country, city, ASN lookup on every IP
  • Configurable per-source ingestion filters — drop noise at the reader level before storage
  • Auditd noise reduction — expanded default filters drop ~57% of log volume while preserving MITRE detections
  • Thread-safe batch ingestion with monotonic clock flushing and shutdown safety nets
  • Syslog UDP listener on port 514 with NUL-byte stripping for network devices
  • Agent API for authenticated HTTPS endpoint log submission

Detection & Alerting

Multi-layered detection with pre-built rules, inline MITRE mapping, and enriched alert detail.

  • 200+ pre-built detection rules with SQL-based queries
  • Inline MITRE ATT&CK mapping — map techniques directly from the rule editor with AI assistance
  • Enriched alert detail — country flags, target domains, structured ECS fields, and GeoIP data
  • Suricata IDS with 30,000+ ET Open network rules
  • ClamAV + TIP hash lookups + VirusTotal enrichment on proxy web downloads
  • Intelligent alert grouping, deduplication, and dashboard drill-down
  • Rule import/export in YAML format with global exclusion management

Multi-Provider AI Analysis

Provider-agnostic AI architecture supporting Gemini and Ollama, with full audit logging across all AI features.

  • Multi-provider AI — swap between Google Gemini and Ollama (local LLMs) from the admin UI
  • AI Analyst — autonomous alert investigation with tool calling
  • AI Rule Wizard — describe a detection in plain English, get working SQL
  • AI Rule Tuner — optimize existing rules from alert context
  • AI Security Advisor — recommends missing rules for your environment
  • AI Indicator Analyzer — VirusTotal-enriched IOC reputation scoring with well-known IOC filtering
  • AI Briefings — generated executive threat summaries
  • AI Dashboard Builder — custom dashboards via natural language
  • AI Memory — learns organizational context with fragment seeding across investigations
  • Full AI audit logging across all features for compliance and traceability

Threat Intelligence

Rich threat intelligence platform with VirusTotal enrichment, MISP export, and defense distribution channels.

  • 55+ feeds — abuse.ch, Spamhaus, FireHOL, MITRE ATT&CK, AbuseIPDB
  • TAXII 2.1 / STIX 2.x standards-based feed ingestion
  • Indicator decay with confidence scoring and auto-expiration
  • VirusTotal enrichment — automatic IOC reputation lookups with vendor flagging thresholds
  • MISP feed export — share indicators with external platforms using standard formats
  • Defense distribution channels — curated indicator sharing with review queue and bulk actions
  • Honeypot session intelligence with campaign fingerprinting
  • RSS news aggregation from 25+ security news sources
  • Browser extension to extract IOCs from any webpage

SOAR & Automation

Headless automation engine with visual playbook builder, REST API, and multi-instance firewall control.

  • Visual playbook builder — drag-and-drop workflow editor with action, condition, and approval steps
  • Headless SOAR REST API — external API with scoped API key authentication and pattern-based permissions
  • AlertWatcher evaluates every new alert and fires matching playbooks
  • Inline variable autocomplete — IntelliSense-style suggestions for alert fields and step results
  • Playbook import/export and backup/restore with sync semantics
  • Multi-instance remote UFW control — manage firewalls across multiple hosts via SSH
  • Configurable per-severity SLA tracking
  • Fernet-encrypted credential vault with SSH key support (RSA/Ed25519/ECDSA)
  • SIEM Response Actions — block IP, run playbook, and more directly from alert detail pages

Network Security

Defense in depth with full proxy admin UI, ICAP parallel scanning, and configurable honeypot.

  • Suricata IDS with AF_PACKET capture and ET Open rules
  • Squid SSL bump/splice proxy with full admin UI — no CLI access needed
  • ICAP parallel scanning — ClamAV and TIP hash lookups run concurrently with per-stage timing metrics
  • Domain policy groups — manage Social Media, Streaming, Gambling, and Adult Content with 405 preset domains
  • Cowrie SSH honeypot with admin configuration UI — SSH version presets, credential rules, container lifecycle controls
  • Container log viewer with live tail for honeypot and proxy containers
  • Proxy status dashboard with health indicators and ICAP stats counters

Endpoint Agents

Cross-platform endpoint visibility with remote management capabilities.

  • Windows C# agent — Security, System, PowerShell, Sysmon, Defender logs
  • HMAC-signed command dispatch for secure remote management
  • macOS agent for system log collection
  • Agent management UI with telemetry and command sending
  • Remote host isolation, Defender scans, process kill
  • Downloadable installers with pre-configured settings

Visualization & Reporting

Rich dashboards with drill-down, database health monitoring, and log analytics.

  • Dashboard drill-down — clickable stat cards, charts, and table rows for instant investigation
  • Log analytics page with time-series visualizations and time range filters
  • MITRE ATT&CK Navigator — visual technique coverage mapping
  • Database health monitoring — tabbed layout with overview, storage, optimization, and TIP database views
  • Real-time sparkline health graphs per log source
  • Log viewer with preset time ranges, custom date picker, and compact density mode
  • AI-generated daily/weekly security reports
  • Light and dark theme support across the entire UI