souleyez 2.28.0__tar.gz → 2.40.0__tar.gz

souleyez-2.40.0/PKG-INFO

@@ -0,0 +1,265 @@
+Metadata-Version: 2.4
+Name: souleyez
+Version: 2.40.0
+Summary: AI-Powered Penetration Testing Platform with 40+ integrated tools
+Author-email: CyberSoul Security <contact@cybersoulsecurity.com>
+Maintainer-email: CyberSoul Security <contact@cybersoulsecurity.com>
+License: MIT
+Project-URL: Homepage, https://github.com/cyber-soul-security/SoulEyez
+Project-URL: Documentation, https://github.com/cyber-soul-security/SoulEyez#readme
+Project-URL: Repository, https://github.com/cyber-soul-security/SoulEyez.git
+Project-URL: Issues, https://github.com/cyber-soul-security/SoulEyez/issues
+Keywords: pentesting,security,hacking,penetration-testing,cybersecurity,nmap,metasploit
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Environment :: Console :: Curses
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Operating System :: MacOS
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Networking
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: anthropic>=0.40.0
+Requires-Dist: click>=8.0.0
+Requires-Dist: cryptography>=3.4.0
+Requires-Dist: defusedxml>=0.7.0
+Requires-Dist: impacket>=0.11.0
+Requires-Dist: markdown>=3.4.0
+Requires-Dist: msgpack>=1.0.0
+Requires-Dist: ollama>=0.1.0
+Requires-Dist: psycopg2-binary>=2.9.0
+Requires-Dist: psutil>=5.9.0
+Requires-Dist: python-json-logger>=2.0.0
+Requires-Dist: requests>=2.28.0
+Requires-Dist: rich>=10.0.0
+Requires-Dist: wcwidth>=0.2.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Dynamic: license-file
+
+# SoulEyez — AI-Powered Penetration Testing Platform
+
+[![CI](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml/badge.svg)](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml)
+[![codecov](https://codecov.io/gh/cyber-soul-security/souleyez/branch/main/graph/badge.svg)](https://codecov.io/gh/cyber-soul-security/souleyez)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
+[![Security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
+
+**LEGAL NOTICE — Use Responsibly**
+Only use SoulEyez on systems you own or have explicit written permission to test.
+Unauthorized scanning or exploitation is illegal. The authors are not responsible for misuse.
+
+---
+
+## Features
+
+### Core Capabilities
+- 🎯 **Interactive Dashboard** - Real-time engagement monitoring with live updates
+- 🔗 **Smart Tool Chaining** - Automatic follow-up scans based on discoveries
+- 📊 **Findings Management** - Track and categorize vulnerabilities by severity
+- 🔑 **Credential Vault** - Encrypted storage for discovered credentials
+- 🌐 **Network Mapping** - Host discovery and service enumeration
+- 📈 **Progress Tracking** - Monitor scan completion and tool execution
+- 💾 **SQLite Storage** - Local database for all engagement data
+- 🔄 **Background Jobs** - Queue-based tool execution with status monitoring
+
+### Integrated Tools (40+)
+- **Reconnaissance**: nmap, masscan, theHarvester, whois, dnsrecon
+- **Web Testing**: nikto, gobuster, ffuf, sqlmap, nuclei, wpscan
+- **Enumeration**: enum4linux-ng, smbmap, crackmapexec, snmpwalk
+- **Exploitation**: Metasploit integration, searchsploit
+- **Password Attacks**: hydra, hashcat, john
+- **Post-Exploitation**: impacket suite, bloodhound
+
+### Pentest Workflow & Intelligence
+- 📁 **Evidence Vault** - Unified artifact collection organized by PTES phases
+- 🎯 **Attack Surface Dashboard** - Track what's exploited vs pending with priority scoring
+- 💣 **Exploit Suggestions** - Automatic CVE/Metasploit recommendations for discovered services
+- 🔗 **Correlation Engine** - Cross-phase attack tracking and gap analysis
+- 📝 **Report Generator** - Professional reports in Markdown/HTML/PDF formats
+- ✅ **Deliverable Tracking** - Manage testing requirements and acceptance criteria
+- 📸 **Screenshot Management** - Organized visual evidence by methodology phase
+
+### Purple Team / SIEM Integration
+- 🛡️ **Wazuh Integration** - Connect to Wazuh Manager for detection validation
+- 📊 **Splunk Integration** - Query Splunk for alerts and vulnerability data
+- ✓ **Detection Validation** - Verify if your attacks triggered SIEM alerts
+- 🔍 **Vulnerability Management** - View CVEs from Wazuh agents synced to Splunk
+- ⚖️ **Gap Analysis** - Compare passive (SIEM) vs active (scan) findings
+- 🗺️ **MITRE ATT&CK Reports** - Detection coverage heatmaps by technique
+- 📡 **Real-time Alerts** - Monitor SIEM alerts during live engagements
+
+---
+
+## 🔐 Security & Data Protection
+
+### Credential Encryption
+
+SoulEyez encrypts all stored credentials using Fernet (AES-128-CBC + HMAC-SHA256) with PBKDF2 key derivation (600k iterations).
+
+```bash
+# Enable encryption with master password
+souleyez db encrypt
+
+# Add credentials (automatically encrypted)
+souleyez creds add --username admin --password secret123 --service ssh --host 10.0.0.82
+
+# View credentials (requires master password)
+souleyez creds list
+```
+
+**Key Points:**
+- Master password is never stored (cannot be recovered if lost)
+- Credentials encrypted at rest with industry-standard cryptography
+- Dashboard shows masked values (••••••••) until explicitly revealed
+- Each user should maintain their own database
+
+### Data Masking
+
+Sensitive data is automatically masked in the UI:
+- Passwords: `Su***********3!`
+- Credit card numbers: `45**************34`
+- Access warning prompts before viewing sensitive data
+
+See [SECURITY.md](SECURITY.md) for complete security guidelines.
+
+---
+
+## 📝 Configuration
+
+SoulEyez uses a flexible configuration system:
+
+1. **Environment Variables** - `SOULEYEZ_*` prefix (highest priority)
+2. **Config File** - `~/.souleyez/config.json` (auto-created)
+3. **Default Values** - Built-in safe defaults
+
+```bash
+# Edit config file
+nano ~/.souleyez/config.json
+
+# Or use environment variables
+export SOULEYEZ_DATABASE_PATH=/custom/path/souleyez.db
+export SOULEYEZ_LOGGING_LEVEL=DEBUG
+```
+
+See [docs/CONFIG.md](souleyez/docs/CONFIG.md) for complete configuration options.
+
+---
+
+## Supported Operating Systems
+
+| OS | Status | Notes |
+|----|--------|-------|
+| **Kali Linux** | ✅ Recommended | All pentesting tools pre-installed |
+| **Ubuntu 22.04+** | ✅ Supported | Tools installed via `souleyez setup` |
+| **Parrot OS** | ✅ Supported | Security-focused distro |
+| **Debian 12+** | ✅ Supported | Stable base system |
+| **Other Linux** | ⚠️ Unofficial | Manual testing required |
+| **macOS/Windows** | ❌ Not Supported | Use Linux in a VM |
+
+**Architectures:** AMD64, ARM64
+
+---
+
+## System Requirements
+
+| Component | Minimum | Recommended |
+|-----------|---------|-------------|
+| **CPU** | 2 cores | 4+ cores |
+| **RAM** | 4GB | 8GB+ |
+| **Disk** | 10GB | 50GB+ |
+| **GPU** | None | Optional (for hashcat) |
+
+---
+
+## Installation
+
+```bash
+# Install pipx if needed
+sudo apt install pipx
+pipx ensurepath
+source ~/.bashrc    # Kali Linux: use 'source ~/.zshrc' instead
+
+# Install SoulEyez
+pipx install souleyez
+
+# Install pentesting tools
+souleyez setup
+```
+
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
+
+See [docs/user-guide/installation.md](souleyez/docs/user-guide/installation.md) for detailed instructions.
+
+---
+
+## Usage
+
+### Interactive Mode (Recommended)
+
+```bash
+souleyez interactive
+```
+
+Menu-driven interface with guided workflows, tool selection by phase, and integrated help.
+
+### Dashboard
+
+```bash
+souleyez dashboard
+```
+
+Real-time monitoring with hotkeys: `[h]` Help, `[a]` Auto-chain, `[m]` Menu, `[q]` Quit
+
+### Command Line
+
+```bash
+# Engagement management
+souleyez workspace create <name>
+souleyez workspace use <name>
+
+# Run scans
+souleyez run nmap <target>
+souleyez run gobuster <target>
+
+# View results
+souleyez findings list
+souleyez creds list
+```
+
+---
+
+## Documentation
+
+- **[Installation Guide](souleyez/docs/user-guide/installation.md)** - Setup instructions
+- **[Getting Started](souleyez/docs/user-guide/getting-started.md)** - Quick start guide
+- **[Workflows](souleyez/docs/user-guide/workflows.md)** - Complete pentesting workflows
+- **[Evidence Vault](souleyez/docs/user-guide/evidence-vault.md)** - Artifact collection
+- **[Report Generation](souleyez/docs/user-guide/report-generation.md)** - Professional reports
+- **[SECURITY.md](SECURITY.md)** - Security best practices
+- **[AUTO_CHAINING_GUIDE.md](AUTO_CHAINING_GUIDE.md)** - Automated workflows
+
+---
+
+## Support
+
+- **GitHub Issues**: https://github.com/cyber-soul-security/SoulEyez/issues
+- **Security Issues**: Report privately (see SECURITY.md)
+
+---
+
+## License
+
+See [LICENSE](LICENSE) for details.

{souleyez-2.28.0 → souleyez-2.40.0}/pyproject.toml

@@ -4,9 +4,9 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "souleyez"
-version = "2.28.0"
+version = "2.40.0"
 description = "AI-Powered Penetration Testing Platform with 40+ integrated tools"
-readme = "BETA_README.md"
+readme = "README.md"
 license = {text = "MIT"}
 authors = [{name = "CyberSoul Security", email = "contact@cybersoulsecurity.com"}]
 maintainers = [{name = "CyberSoul Security", email = "contact@cybersoulsecurity.com"}]

souleyez-2.40.0/souleyez/__init__.py

@@ -0,0 +1,2 @@
+__version__ = '2.40.0'
+

{souleyez-2.28.0 → souleyez-2.40.0}/souleyez/core/msf_auto_mapper.py

@@ -49,8 +49,9 @@ class MSFAutoMapper:
                         risk_levels=['safe', 'noisy', 'moderate', 'dangerous']
                     )
 
-                    # Filter to top 10 recommendations
-                    service_map[service_id] = recommendations[:10]
+                    # Only store services with actual recommendations
+                    if recommendations:
+                        service_map[service_id] = recommendations[:10]
 
             return service_map
         except Exception as e:

{souleyez-2.28.0 → souleyez-2.40.0}/souleyez/core/tool_chaining.py

@@ -1759,6 +1759,20 @@ class ToolChaining:
             )
         )
 
+        # Database Admin → SQLMap (gentler settings for phpMyAdmin/Adminer)
+        # These panels are slow and easily overwhelmed - use single thread and basic tests
+        self.rules.append(
+            ChainRule(
+                trigger_tool='gobuster',
+                trigger_condition='category:database_admin',
+                target_tool='sqlmap',
+                priority=6,  # Lower priority than CVE/exploit scans
+                args_template=['-u', '{target}', '--batch', '--forms', '--threads=1', '--time-sec=10',
+                              '--level=1', '--risk=1', '--technique=BEU', '--timeout=30'],
+                description='Database admin panel detected, testing login form for SQL injection (low intensity)'
+            )
+        )
+
         # WordPress → WPScan enumeration
         self.rules.append(
             ChainRule(
@@ -3958,7 +3972,7 @@ class ToolChaining:
                     # This reduces noise and focuses on high-value targets
                     from souleyez.intelligence.sensitive_tables import is_sensitive_table, is_system_table
 
-                    MAX_TABLES_FOR_COLUMN_ENUM = 15  # Focused on sensitive tables only
+                    MAX_TABLES_FOR_COLUMN_ENUM = 10  # Focused on sensitive tables only
                     tables_queued = 0
                     skipped_tables = 0
 
@@ -5017,6 +5031,7 @@ class ToolChaining:
                     label=f"Auto-retry: gobuster (wildcard {exclude_length}b)",
                     engagement_id=engagement_id,
                     parent_id=job.get('id'),
+                    reason=f"Auto-triggered by gobuster: Wildcard response detected, retrying with --exclude-length {exclude_length}",
                     metadata={'retry_attempt': 1, 'retry_parent_job_id': job.get('id')}
                 )
 
@@ -5116,7 +5131,8 @@ class ToolChaining:
                                 args=sqlmap_args,
                                 label=f"Auto-chain: SQLMap testing {endpoint_url}",
                                 engagement_id=engagement_id,
-                                parent_id=job.get('id')
+                                parent_id=job.get('id'),
+                                reason=f"Auto-triggered by ffuf: Database/dynamic endpoint detected ({status_code} response)"
                             )
 
                             job_ids.append(sqlmap_job_id)
@@ -5144,6 +5160,7 @@ class ToolChaining:
                                 label=f"Auto-chain: ffuf recursive {endpoint_url}",
                                 engagement_id=engagement_id,
                                 parent_id=job.get('id'),
+                                reason=f"Auto-triggered by ffuf: {status_code} response suggests deeper path, fuzzing recursively",
                                 metadata={'ffuf_depth': current_depth + 1}
                             )
 
@@ -5367,7 +5384,8 @@ class ToolChaining:
                         args=['-m', '18200', '-a', '0', 'data/wordlists/top100.txt'],
                         label='CRACK_ASREP',
                         engagement_id=engagement_id,
-                        parent_id=job.get('id')
+                        parent_id=job.get('id'),
+                        reason="Auto-triggered by impacket-getnpusers: AS-REP hash extracted, attempting to crack"
                     )
 
                     job_ids.append(job_id)
@@ -5412,7 +5430,8 @@ class ToolChaining:
                         args=['-m', '1000', '-a', '0', 'data/wordlists/top100.txt'],
                         label='CRACK_NTLM',
                         engagement_id=engagement_id,
-                        parent_id=job.get('id')
+                        parent_id=job.get('id'),
+                        reason="Auto-triggered by impacket-secretsdump: NTLM hash extracted, attempting to crack"
                     )
 
                     job_ids.append(job_id)
@@ -5452,7 +5471,8 @@ class ToolChaining:
                             args=[cred_str],
                             label='EXTRACT_CREDS',
                             engagement_id=engagement_id,
-                            parent_id=job.get('id')
+                            parent_id=job.get('id'),
+                            reason="Auto-triggered by hydra: Valid credentials found, attempting to extract domain secrets"
                         )
 
                         job_ids.append(job_id)
@@ -5750,6 +5770,17 @@ class ToolChaining:
 
                             status = existing_job.get('status')
 
+                            # === SQLMAP RULE-BASED DEDUP (check ALL completed jobs, not just recent) ===
+                            # For sqlmap: if same rule was already applied to this URL, skip it entirely
+                            # This prevents infinite loops where each sqlmap job re-triggers the same rules
+                            if cmd['tool'] == 'sqlmap' and status in ['done', 'queued', 'running']:
+                                cmd_rule_id = cmd.get('rule_id')
+                                existing_rule_id = existing_job.get('rule_id')
+                                if cmd_rule_id and existing_rule_id and cmd_rule_id == existing_rule_id:
+                                    similar_exists = True
+                                    print(f"  ⏭️  Skipping sqlmap for {cmd_target}: rule #{cmd_rule_id} already applied (job #{existing_job['id']} {status})")
+                                    break
+
                             # Check if job is active (queued/running)
                             is_active = status in ['queued', 'running']
 
@@ -5764,11 +5795,28 @@ class ToolChaining:
                                         current_time = datetime.now(finished_time.tzinfo) if finished_time.tzinfo else datetime.now()
                                         time_delta = (current_time - finished_time).total_seconds()
 
-                                        # Only block if same args AND finished < 5 min ago
+                                        # Only block if finished < 5 min ago AND (same args OR same rule_id for sqlmap)
                                         if time_delta < DUPLICATE_WINDOW_SECONDS:
                                             existing_args = existing_job.get('args', [])
                                             cmd_args = cmd.get('args', [])
-                                            if existing_args == cmd_args:
+
+                                            # For sqlmap: also check rule_id (same rule = duplicate even with different parent)
+                                            if cmd['tool'] == 'sqlmap':
+                                                cmd_rule_id = cmd.get('rule_id')
+                                                existing_rule_id = existing_job.get('rule_id')
+                                                if cmd_rule_id and existing_rule_id and cmd_rule_id == existing_rule_id:
+                                                    is_recent_duplicate = True
+                                                    minutes_ago = int(time_delta // 60)
+                                                    seconds_ago = int(time_delta % 60)
+                                                    time_str = f"{minutes_ago}m {seconds_ago}s ago" if minutes_ago > 0 else f"{seconds_ago}s ago"
+                                                    print(f"  ⏭️  Skipping sqlmap for {cmd_target}: rule #{cmd_rule_id} completed {time_str} (duplicate)")
+                                                elif existing_args == cmd_args:
+                                                    is_recent_duplicate = True
+                                                    minutes_ago = int(time_delta // 60)
+                                                    seconds_ago = int(time_delta % 60)
+                                                    time_str = f"{minutes_ago}m {seconds_ago}s ago" if minutes_ago > 0 else f"{seconds_ago}s ago"
+                                                    print(f"  ⏭️  Skipping sqlmap for {cmd_target}: job #{existing_job['id']} completed {time_str} (duplicate)")
+                                            elif existing_args == cmd_args:
                                                 is_recent_duplicate = True
                                                 minutes_ago = int(time_delta // 60)
                                                 seconds_ago = int(time_delta % 60)
@@ -5790,16 +5838,34 @@ class ToolChaining:
                                             print(f"  ⏭️  Skipping {cmd['tool']} for {cmd_target}: similar job #{existing_job['id']} already exists ({existing_job['status']})")
                                             break
 
-                                    # For sqlmap, gobuster: check if args match (allow different ports/phases)
-                                    elif cmd['tool'] in ['sqlmap', 'gobuster']:
+                                    # For sqlmap: check by rule_id to prevent same rule firing twice on same URL
+                                    elif cmd['tool'] == 'sqlmap':
+                                        cmd_rule_id = cmd.get('rule_id')
+                                        existing_rule_id = existing_job.get('rule_id')
+                                        existing_args = existing_job.get('args', [])
+                                        cmd_args = cmd.get('args', [])
+
+                                        # If both have rule_id and they match, it's a duplicate
+                                        # (same rule already applied to this injection point)
+                                        if cmd_rule_id and existing_rule_id and cmd_rule_id == existing_rule_id:
+                                            similar_exists = True
+                                            print(f"  ⏭️  Skipping sqlmap for {cmd_target}: rule #{cmd_rule_id} already applied (job #{existing_job['id']} {existing_job['status']})")
+                                            break
+                                        # Also check if exact same args (covers manual/no-rule jobs)
+                                        elif existing_args == cmd_args:
+                                            similar_exists = True
+                                            print(f"  ⏭️  Skipping sqlmap for {cmd_target}: similar job #{existing_job['id']} already exists ({existing_job['status']})")
+                                            break
+                                        # If different rule_id and different args, allow it (different SQLMap phase)
+
+                                    # For gobuster: check if args match
+                                    elif cmd['tool'] == 'gobuster':
                                         existing_args = existing_job.get('args', [])
                                         cmd_args = cmd.get('args', [])
-                                        # Compare args - if they're the same, it's a duplicate
                                         if existing_args == cmd_args:
                                             similar_exists = True
                                             print(f"  ⏭️  Skipping {cmd['tool']} for {cmd_target}: similar job #{existing_job['id']} already exists ({existing_job['status']})")
                                             break
-                                        # If args are different, allow it (different SQLMap phase)
 
                                     # For quick lookup tools (whois, dnsrecon), skip 5-min duplicate check
                                     # They're fast and each theHarvester run should trigger them

{souleyez-2.28.0 → souleyez-2.40.0}/souleyez/docs/README.md

@@ -1,6 +1,6 @@
 # SoulEyez Documentation
 
-**Version:** 2.28.0
+**Version:** 2.40.0
 **Last Updated:** January 9, 2026
 **Organization:** CyberSoul Security
 

{souleyez-2.28.0 → souleyez-2.40.0}/souleyez/integrations/siem/__init__.py

@@ -30,6 +30,7 @@ from souleyez.integrations.siem.wazuh import WazuhSIEMClient
 from souleyez.integrations.siem.splunk import SplunkSIEMClient
 from souleyez.integrations.siem.elastic import ElasticSIEMClient
 from souleyez.integrations.siem.sentinel import SentinelSIEMClient
+from souleyez.integrations.siem.googlesecops import GoogleSecOpsSIEMClient
 from souleyez.integrations.siem.factory import SIEMFactory
 
 __all__ = [
@@ -45,4 +46,5 @@ __all__ = [
     'SplunkSIEMClient',
     'ElasticSIEMClient',
     'SentinelSIEMClient',
+    'GoogleSecOpsSIEMClient',
 ]

{souleyez-2.28.0 → souleyez-2.40.0}/souleyez/integrations/siem/factory.py

@@ -11,7 +11,8 @@ from souleyez.integrations.siem.base import SIEMClient, SIEMConnectionStatus
 
 
 # Registry of available SIEM types
-SIEM_TYPES = ['wazuh', 'splunk', 'elastic', 'sentinel']
+# Ordered: Open Source first, then Commercial
+SIEM_TYPES = ['wazuh', 'elastic', 'splunk', 'sentinel', 'google_secops']
 
 
 class SIEMFactory:
@@ -60,6 +61,10 @@ class SIEMFactory:
             from souleyez.integrations.siem.sentinel import SentinelSIEMClient
             return SentinelSIEMClient.from_config(config)
 
+        elif siem_type_lower == 'google_secops':
+            from souleyez.integrations.siem.googlesecops import GoogleSecOpsSIEMClient
+            return GoogleSecOpsSIEMClient.from_config(config)
+
         else:
             raise ValueError(
                 f"Unsupported SIEM type: {siem_type}. "
@@ -114,7 +119,7 @@ class SIEMFactory:
         info_map = {
             'wazuh': {
                 'name': 'Wazuh',
-                'description': 'Open source security monitoring (OSSEC fork)',
+                'description': '[Open Source] Security monitoring platform (OSSEC fork)',
                 'config_fields': [
                     {'name': 'api_url', 'label': 'Manager API URL', 'required': True,
                      'placeholder': 'https://wazuh.example.com:55000'},
@@ -130,7 +135,7 @@ class SIEMFactory:
             },
             'splunk': {
                 'name': 'Splunk',
-                'description': 'Enterprise SIEM and log management platform',
+                'description': '[Commercial] Enterprise SIEM and log management',
                 'config_fields': [
                     {'name': 'api_url', 'label': 'REST API URL', 'required': True,
                      'placeholder': 'https://splunk.example.com:8089'},
@@ -144,7 +149,7 @@ class SIEMFactory:
             },
             'elastic': {
                 'name': 'Elastic Security',
-                'description': 'Elastic SIEM (formerly Elastic Security)',
+                'description': '[Open Source] Elastic Stack security solution (ELK SIEM)',
                 'config_fields': [
                     {'name': 'elasticsearch_url', 'label': 'Elasticsearch URL', 'required': True,
                      'placeholder': 'https://elastic.example.com:9200'},
@@ -159,7 +164,7 @@ class SIEMFactory:
             },
             'sentinel': {
                 'name': 'Microsoft Sentinel',
-                'description': 'Azure cloud-native SIEM',
+                'description': '[Commercial] Azure cloud-native SIEM',
                 'config_fields': [
                     {'name': 'tenant_id', 'label': 'Azure Tenant ID', 'required': True},
                     {'name': 'client_id', 'label': 'App Client ID', 'required': True},
@@ -170,6 +175,22 @@ class SIEMFactory:
                     {'name': 'workspace_id', 'label': 'Workspace ID (GUID)', 'required': True},
                 ],
             },
+            'google_secops': {
+                'name': 'Google SecOps',
+                'description': '[Commercial] Google Cloud security operations (Chronicle)',
+                'config_fields': [
+                    {'name': 'customer_id', 'label': 'Chronicle Customer ID', 'required': True,
+                     'placeholder': 'Your Chronicle customer ID'},
+                    {'name': 'region', 'label': 'Chronicle Region', 'required': True,
+                     'placeholder': 'us, europe, asia-southeast1'},
+                    {'name': 'project_id', 'label': 'Google Cloud Project ID', 'required': False,
+                     'placeholder': 'Optional if in service account JSON'},
+                    {'name': 'credentials_json', 'label': 'Service Account JSON', 'required': True,
+                     'secret': True, 'type': 'textarea',
+                     'placeholder': 'Paste service account JSON key'},
+                    {'name': 'verify_ssl', 'label': 'Verify SSL', 'required': False, 'type': 'boolean'},
+                ],
+            },
         }
 
         return info_map.get(siem_type.lower(), {