# AegisKit

AegisKit is a powerful, modular Blue Team security toolkit designed for defenders, SOC analysts, and incident responders. It provides a comprehensive CLI for log parsing, IOC extraction, threat intelligence enrichment, file triage, and real-time security monitoring.
Author: Kira
## Features

- Log Parsing: Parse syslog, nginx, apache, Windows Event logs into structured JSON
- IOC Extraction: Extract IPs, domains, URLs, hashes, emails, CVEs from any text
- Threat Intelligence: Enrich IOCs with VirusTotal, AbuseIPDB
- File Triage: Analyze suspicious files with hashing, YARA, entropy analysis
- Live Monitoring: Tail logs with real-time IOC detection and alerting
- Rule Engine: YAML-based detection rules with custom alerting
- Webhook Notifications: Send alerts to Slack, Discord, or custom webhooks
- STIX Export: Export IOCs in STIX 2.1 format for threat intelligence sharing
- Interactive TUI: Review file triage results in a beautiful terminal interface
- Beautiful Output: Rich terminal output with tables and colored formatting
## Installation

From source:

```bash
git clone https://github.com/Bas3line/aegiskit.git
cd aegiskit
pip install -e .
```

Or with pip:

```bash
pip install aegiskit
```

## Usage

### Log parsing

```bash
aegis log-parse /var/log/auth.log --format syslog --pretty
aegis log-parse access.log --format nginx -o events.jsonl
cat auth.log | aegis log-parse --format syslog
```

### IOC extraction

```bash
aegis ioc-extract /var/log/syslog --pretty
echo "Detected attack from 192.168.1.100" | aegis ioc-extract
aegis ioc-extract events.jsonl --whitelist mynet.txt -o iocs.jsonl
```

### Threat intelligence enrichment

```bash
export VT_API_KEY="your_virustotal_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
aegis feed-check iocs.jsonl --providers virustotal,abuseipdb --pretty
aegis ioc-extract logs.txt | aegis feed-check --vt-key YOUR_KEY --pretty
```

### File triage

```bash
aegis file-triage suspicious.exe --pretty
aegis file-triage malware.bin --yara rules.yar -o triage.json
```

### Live monitoring

```bash
aegis watch /var/log/auth.log --follow --format syslog
aegis watch nginx/access.log --format nginx --rules alert-rules.yaml --follow
```

### Reporting

```bash
aegis report events.jsonl --format json -o report.json
aegis report iocs.jsonl --format stix -o threat-intel.json
```

### Interactive TUI

```bash
aegis tui triage-results.jsonl
```

### Webhook notifications

```bash
aegis watch /var/log/auth.log --follow --rules rules.yaml \
  --webhook https://hooks.slack.com/services/YOUR/WEBHOOK/URL \
  --webhook-type slack

aegis watch nginx.log --format nginx --webhook https://discord.com/api/webhooks/... \
  --webhook-type discord --follow
```

## Configuration

### API keys

Set environment variables:

```bash
export VT_API_KEY="your_virustotal_api_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_api_key"
```

Or pass directly:

```bash
aegis feed-check iocs.jsonl --vt-key YOUR_KEY
```

### Whitelist

Create a whitelist file to exclude known-good indicators:
```text
# whitelist.txt
10.0.0.0/8
192.168.0.0/16
internal.company.com
```
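How a whitelist in this format can be applied to extracted indicators, as an added example that is not AegisKit's own loader: it assumes each IOC is a dict with `type` and `value` keys, that CIDR entries cover any address inside them, and that a domain entry also covers its subdomains.

```python
import ipaddress

# Constructed whitelist mirroring the whitelist.txt above (not AegisKit's own loader).
WHITELIST_TEXT = """\
# whitelist.txt
10.0.0.0/8
192.168.0.0/16
internal.company.com
"""

def load_whitelist(text):
    """Split entries into IP networks and domains; comments and blank lines are skipped."""
    networks, domains = [], set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return networks, domains

def is_whitelisted(ioc_type, value, networks, domains):
    """IPs match by CIDR containment; domains match exactly or as a subdomain (assumed)."""
    if ioc_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in networks)
    if ioc_type == "domain":
        host = value.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in domains)
    return False

def filter_iocs(iocs, whitelist_text=WHITELIST_TEXT):
    """Drop whitelisted indicators; each IOC is a dict with 'type' and 'value' (assumed shape)."""
    networks, domains = load_whitelist(whitelist_text)
    return [i for i in iocs
            if not is_whitelisted(i["type"], i["value"], networks, domains)]
```

Note that `evilinternal.company.com` is not covered by the `internal.company.com` entry, because only a dot-separated suffix counts as a subdomain.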
Use with:

```bash
aegis ioc-extract logs.txt --whitelist whitelist.txt
```

### Detection rules

Create YAML rules for custom alerting:
Example `rules.yaml`:

```yaml
rules:
  - name: Failed SSH Brute Force
    severity: high
    conditions:
      program:
        operator: equals
        value: sshd
      raw:
        operator: contains
        value: "Failed password"
    message: "SSH brute force detected from {src_ip}"
    actions:
      - alert
      - log

  - name: Suspicious User Agent
    severity: medium
    conditions:
      fields.user_agent:
        operator: regex
        value: "sqlmap|nikto|nmap"
    message: "Suspicious user agent detected: {fields.user_agent}"
    actions:
      - alert
```
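How rules in this format can be evaluated against a parsed log event, as an added example rather than the project's own rule engine. It assumes all conditions of a rule must match (AND), that a dotted name such as `fields.user_agent` resolves into nested event fields, that `{...}` placeholders in `message` are filled from the event, and it leaves the `actions` list out; the rules are written as a Python literal so the example runs without pyyaml.

```python
import re

# Rules mirroring rules.yaml above, written as a Python literal so the example
# runs without pyyaml (hypothetical re-implementation, not AegisKit's engine).
RULES = [
    {"name": "Failed SSH Brute Force", "severity": "high",
     "conditions": {"program": {"operator": "equals", "value": "sshd"},
                    "raw": {"operator": "contains", "value": "Failed password"}},
     "message": "SSH brute force detected from {src_ip}"},
    {"name": "Suspicious User Agent", "severity": "medium",
     "conditions": {"fields.user_agent": {"operator": "regex", "value": "sqlmap|nikto|nmap"}},
     "message": "Suspicious user agent detected: {fields.user_agent}"},
]

def get_path(event, path):
    """Resolve a dotted key such as 'fields.user_agent' against a nested event dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def condition_matches(op, expected, actual):
    """Apply one condition; a field missing from the event never matches."""
    if actual is None:
        return False
    text = str(actual)
    checks = {"equals": lambda: text == expected,
              "contains": lambda: expected in text,
              "regex": lambda: re.search(expected, text) is not None}
    return checks[op]()  # KeyError for an operator the rule format does not define

def render(template, event):
    """Fill {dotted.path} placeholders; unresolved ones are left visible."""
    def sub(m):
        val = get_path(event, m.group(1))
        return m.group(0) if val is None else str(val)
    return re.sub(r"\{([\w.]+)\}", sub, template)

def evaluate(event, rules=RULES):
    """Return one alert per rule whose conditions all match (AND semantics assumed)."""
    alerts = []
    for rule in rules:
        if all(condition_matches(c["operator"], c["value"], get_path(event, field))
               for field, c in rule["conditions"].items()):
            alerts.append({"rule": rule["name"], "severity": rule["severity"],
                           "message": render(rule["message"], event)})
    return alerts
```

A placeholder whose field is absent from the event (for example `{src_ip}` on a syslog line the parser could not attribute to a source address) is left as-is in the message so the gap is visible in the alert.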
Use with watch mode:

```bash
aegis watch /var/log/auth.log --rules rules.yaml --follow
```

## Example workflows

Parse, extract and enrich in one pipeline:

```bash
cat /var/log/nginx/access.log | \
  aegis log-parse --format nginx | \
  aegis ioc-extract | \
  aegis feed-check --vt-key $VT_API_KEY --pretty
```

Triage every file in a quarantine directory:

```bash
find /tmp/quarantine -type f -exec aegis file-triage {} \; > triage-results.jsonl
```

Watch several logs at once for indicators:

```bash
tail -f /var/log/{auth.log,syslog} | aegis ioc-extract --pretty
```

## Project structure

```text
aegiskit/
├── core/
│   ├── models.py           # Data models (IOC, LogEvent, Alert, etc.)
│   ├── io_handler.py       # File I/O with compression support
│   └── ioc_extractor.py    # IOC extraction engine
├── parsers/
│   ├── syslog_parser.py    # Syslog (RFC3164/RFC5424)
│   ├── nginx_parser.py     # Nginx combined logs
│   └── apache_parser.py    # Apache common/combined logs
├── enrichment/
│   ├── base.py             # Enrichment provider interface
│   ├── virustotal.py       # VirusTotal integration
│   ├── abuseipdb.py        # AbuseIPDB integration
│   └── engine.py           # Multi-provider enrichment
├── triage/
│   └── file_analyzer.py    # File hashing, YARA, entropy
├── rules/
│   ├── engine.py           # YAML rule engine
│   └── watcher.py          # Real-time log monitoring
├── reporting/
│   └── printer.py          # Rich terminal output
└── cli/
    └── main.py             # CLI commands
```
## Requirements

Core:

- Python 3.8+
- click
- pyyaml
- requests
- rich

Optional (for enhanced features):

- yara-python - YARA rule scanning
- python-magic - Better filetype detection
- pefile - PE file analysis
- pyelftools - ELF file analysis

Install all:

```bash
pip install aegiskit[full]
```

## Examples

See the examples/ directory for:
- Sample log files
- YARA rules
- Detection rules
- Common usage patterns
## Contributing

Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Submit a pull request
## License

MIT License - See LICENSE file
- STIX export
- Interactive TUI for triage review
- Windows Event Log parser
- Webhook notifications (Slack/Discord/Generic)
- PCAP analysis integration
- Docker container
- Plugin system
- Kira - GitHub
- Contact: [email protected]
- Built for defenders, by a defender.
This tool is for defensive security operations only. Use responsibly and in accordance with applicable laws and regulations.