For Nerds

Under the Hood

The AIDR platform is built on battle-tested technology. Here's everything happening behind the scenes.

terminal

$ git clone miniaisoc && cd miniaisoc

$ cp .env.example .env

$ docker compose up -d

✓ SIEM running on :6007

✓ TIP running on :6009

✓ SOAR running on :6010

✓ Honeypot listening on :2222

Your SOC is ready.

The entire stack deploys with a single Docker Compose command.

Integrated Architecture

All components share a unified PostgreSQL/TimescaleDB backend with three dedicated databases.

:6007

SIEM

Dashboard, Rules, AI Analyst, MITRE ATT&CK

:6008

Ingestion API

Multi-source, ECS Mapping, GeoIP

:6009

TIP

55+ Feeds, IOC Browser, Indicator Decay

:6010

SOAR

Visual Playbook Builder, REST API, Auto-Triggers

:2222

Cowrie Honeypot

Configurable SSH Honeypot, Session Intel

:Host

Suricata IDS

30K+ ET Open Rules

:3128

Proxy Stack

Admin UI, ICAP Parallel Scan, ClamAV

:5433

PostgreSQL

TimescaleDB, Health Monitoring, FTS

All services connected viaPostgreSQL / TimescaleDBwithECS v8.xnormalized schema

Key Technical Highlights

ECS v8.x Compliance

All logs normalized to Elastic Common Schema. Every field, every source — consistent and queryable.

TimescaleDB

Hypertable conversion with compression policies, approximate row counts, and full-text search. Built for high-volume log storage.

Multi-Provider AI

Swap between Google Gemini and Ollama (local LLMs) from the admin UI. Full AI audit logging for compliance.

GeoIP Enrichment

Automatic country, city, and ASN lookup on every IP at ingestion time using GeoIP2Fast.

MITRE ATT&CK Mapping

Inline technique mapping from the rule editor with AI assistance. Full Navigator coverage visualization.

Visual SOAR Builder

Drag-and-drop playbook editor with action, condition, and approval gates. IntelliSense-style variable autocomplete.

Full Capability Reference

Every feature, every integration, every capability — in detail.

Log Collection & Ingestion

Comprehensive log aggregation with configurable filtering, thread-safe ingestion, and TimescaleDB storage.

  • 17+ log source types — auth, kernel, auditd, Nginx, Apache, Docker, Windows Event Logs, and more
  • ECS v8.x compliance — all logs normalized to Elastic Common Schema
  • GeoIP enrichment — automatic country, city, ASN lookup on every IP
  • Configurable per-source ingestion filters — drop noise at the reader level before storage
  • Auditd noise reduction — expanded default filters drop ~57% of log volume while preserving MITRE detections
  • Thread-safe batch ingestion with monotonic clock flushing and shutdown safety nets
  • Syslog UDP listener on port 514 with NUL-byte stripping for network devices
  • Agent API for authenticated HTTPS endpoint log submission

Detection & Alerting

Multi-layered detection with pre-built rules, inline MITRE mapping, and enriched alert detail.

  • 200+ pre-built detection rules with SQL-based queries
  • Inline MITRE ATT&CK mapping — map techniques directly from the rule editor with AI assistance
  • Enriched alert detail — country flags, target domains, structured ECS fields, and GeoIP data
  • Suricata IDS with 30,000+ ET Open network rules
  • ClamAV + TIP hash lookups + VirusTotal enrichment on proxy web downloads
  • Intelligent alert grouping, deduplication, and dashboard drill-down
  • Rule import/export in YAML format with global exclusion management

Multi-Provider AI Analysis

Provider-agnostic AI architecture supporting Gemini and Ollama, with full audit logging across all AI features.

  • Multi-provider AI — swap between Google Gemini and Ollama (local LLMs) from the admin UI
  • AI Analyst — autonomous alert investigation with tool calling
  • AI Rule Wizard — describe a detection in plain English, get working SQL
  • AI Rule Tuner — optimize existing rules from alert context
  • AI Security Advisor — recommends missing rules for your environment
  • AI Indicator Analyzer — VirusTotal-enriched IOC reputation scoring with well-known IOC filtering
  • AI Briefings — generated executive threat summaries
  • AI Dashboard Builder — custom dashboards via natural language
  • AI Memory — learns organizational context with fragment seeding across investigations
  • Full AI audit logging across all features for compliance and traceability

Threat Intelligence

Rich threat intelligence platform with VirusTotal enrichment, MISP export, and defense distribution channels.

  • 55+ feeds — abuse.ch, Spamhaus, FireHOL, MITRE ATT&CK, AbuseIPDB
  • TAXII 2.1 / STIX 2.x standards-based feed ingestion
  • Indicator decay with confidence scoring and auto-expiration
  • VirusTotal enrichment — automatic IOC reputation lookups with vendor flagging thresholds
  • MISP feed export — share indicators with external platforms using standard formats
  • Defense distribution channels — curated indicator sharing with review queue and bulk actions
  • Honeypot session intelligence with campaign fingerprinting
  • RSS news aggregation from 25+ security news sources
  • Browser extension to extract IOCs from any webpage

SOAR & Automation

Headless automation engine with visual playbook builder, REST API, and multi-instance firewall control.

  • Visual playbook builder — drag-and-drop workflow editor with action, condition, and approval steps
  • Headless SOAR REST API — external API with scoped API key authentication and pattern-based permissions
  • AlertWatcher evaluates every new alert and fires matching playbooks
  • Inline variable autocomplete — IntelliSense-style suggestions for alert fields and step results
  • Playbook import/export and backup/restore with sync semantics
  • Multi-instance remote UFW control — manage firewalls across multiple hosts via SSH
  • Configurable per-severity SLA tracking
  • Fernet-encrypted credential vault with SSH key support (RSA/Ed25519/ECDSA)
  • SIEM Response Actions — block IP, run playbook, and more directly from alert detail pages

Network Security

Defense in depth with full proxy admin UI, ICAP parallel scanning, and configurable honeypot.

  • Suricata IDS with AF_PACKET capture and ET Open rules
  • Squid SSL bump/splice proxy with full admin UI — no CLI access needed
  • ICAP parallel scanning — ClamAV and TIP hash lookups run concurrently with per-stage timing metrics
  • Domain policy groups — manage Social Media, Streaming, Gambling, and Adult Content with 405 preset domains
  • Cowrie SSH honeypot with admin configuration UI — SSH version presets, credential rules, container lifecycle controls
  • Container log viewer with live tail for honeypot and proxy containers
  • Proxy status dashboard with health indicators and ICAP stats counters

Endpoint Agents

Cross-platform endpoint visibility with remote management capabilities.

  • Windows C# agent — Security, System, PowerShell, Sysmon, Defender logs
  • HMAC-signed command dispatch for secure remote management
  • macOS agent for system log collection
  • Agent management UI with telemetry and command sending
  • Remote host isolation, Defender scans, process kill
  • Downloadable installers with pre-configured settings

Visualization & Reporting

Rich dashboards with drill-down, database health monitoring, and log analytics.

  • Dashboard drill-down — clickable stat cards, charts, and table rows for instant investigation
  • Log analytics page with time-series visualizations and time range filters
  • MITRE ATT&CK Navigator — visual technique coverage mapping
  • Database health monitoring — tabbed layout with overview, storage, optimization, and TIP database views
  • Real-time sparkline health graphs per log source
  • Log viewer with preset time ranges, custom date picker, and compact density mode
  • AI-generated daily/weekly security reports
  • Light and dark theme support across the entire UI