souleyez 2.32.0__py3-none-any.whl → 2.36.0__py3-none-any.whl

souleyez/__init__.py

@@ -1 +1,2 @@
-__version__ = '2.32.0'
+__version__ = '2.36.0'
+

souleyez/core/tool_chaining.py

@@ -3972,7 +3972,7 @@ class ToolChaining:
                     # This reduces noise and focuses on high-value targets
                     from souleyez.intelligence.sensitive_tables import is_sensitive_table, is_system_table
 
-                    MAX_TABLES_FOR_COLUMN_ENUM = 15  # Focused on sensitive tables only
+                    MAX_TABLES_FOR_COLUMN_ENUM = 10  # Focused on sensitive tables only
                     tables_queued = 0
                     skipped_tables = 0
 
@@ -5770,6 +5770,17 @@ class ToolChaining:
 
                             status = existing_job.get('status')
 
+                            # === SQLMAP RULE-BASED DEDUP (check ALL completed jobs, not just recent) ===
+                            # For sqlmap: if same rule was already applied to this URL, skip it entirely
+                            # This prevents infinite loops where each sqlmap job re-triggers the same rules
+                            if cmd['tool'] == 'sqlmap' and status in ['done', 'queued', 'running']:
+                                cmd_rule_id = cmd.get('rule_id')
+                                existing_rule_id = existing_job.get('rule_id')
+                                if cmd_rule_id and existing_rule_id and cmd_rule_id == existing_rule_id:
+                                    similar_exists = True
+                                    print(f"  ⏭️  Skipping sqlmap for {cmd_target}: rule #{cmd_rule_id} already applied (job #{existing_job['id']} {status})")
+                                    break
+
                             # Check if job is active (queued/running)
                             is_active = status in ['queued', 'running']
 
@@ -5784,11 +5795,28 @@ class ToolChaining:
                                         current_time = datetime.now(finished_time.tzinfo) if finished_time.tzinfo else datetime.now()
                                         time_delta = (current_time - finished_time).total_seconds()
 
-                                        # Only block if same args AND finished < 5 min ago
+                                        # Only block if finished < 5 min ago AND (same args OR same rule_id for sqlmap)
                                         if time_delta < DUPLICATE_WINDOW_SECONDS:
                                             existing_args = existing_job.get('args', [])
                                             cmd_args = cmd.get('args', [])
-                                            if existing_args == cmd_args:
+
+                                            # For sqlmap: also check rule_id (same rule = duplicate even with different parent)
+                                            if cmd['tool'] == 'sqlmap':
+                                                cmd_rule_id = cmd.get('rule_id')
+                                                existing_rule_id = existing_job.get('rule_id')
+                                                if cmd_rule_id and existing_rule_id and cmd_rule_id == existing_rule_id:
+                                                    is_recent_duplicate = True
+                                                    minutes_ago = int(time_delta // 60)
+                                                    seconds_ago = int(time_delta % 60)
+                                                    time_str = f"{minutes_ago}m {seconds_ago}s ago" if minutes_ago > 0 else f"{seconds_ago}s ago"
+                                                    print(f"  ⏭️  Skipping sqlmap for {cmd_target}: rule #{cmd_rule_id} completed {time_str} (duplicate)")
+                                                elif existing_args == cmd_args:
+                                                    is_recent_duplicate = True
+                                                    minutes_ago = int(time_delta // 60)
+                                                    seconds_ago = int(time_delta % 60)
+                                                    time_str = f"{minutes_ago}m {seconds_ago}s ago" if minutes_ago > 0 else f"{seconds_ago}s ago"
+                                                    print(f"  ⏭️  Skipping sqlmap for {cmd_target}: job #{existing_job['id']} completed {time_str} (duplicate)")
+                                            elif existing_args == cmd_args:
                                                 is_recent_duplicate = True
                                                 minutes_ago = int(time_delta // 60)
                                                 seconds_ago = int(time_delta % 60)
@@ -5810,16 +5838,34 @@ class ToolChaining:
                                             print(f"  ⏭️  Skipping {cmd['tool']} for {cmd_target}: similar job #{existing_job['id']} already exists ({existing_job['status']})")
                                             break
 
-                                    # For sqlmap, gobuster: check if args match (allow different ports/phases)
-                                    elif cmd['tool'] in ['sqlmap', 'gobuster']:
+                                    # For sqlmap: check by rule_id to prevent same rule firing twice on same URL
+                                    elif cmd['tool'] == 'sqlmap':
+                                        cmd_rule_id = cmd.get('rule_id')
+                                        existing_rule_id = existing_job.get('rule_id')
+                                        existing_args = existing_job.get('args', [])
+                                        cmd_args = cmd.get('args', [])
+
+                                        # If both have rule_id and they match, it's a duplicate
+                                        # (same rule already applied to this injection point)
+                                        if cmd_rule_id and existing_rule_id and cmd_rule_id == existing_rule_id:
+                                            similar_exists = True
+                                            print(f"  ⏭️  Skipping sqlmap for {cmd_target}: rule #{cmd_rule_id} already applied (job #{existing_job['id']} {existing_job['status']})")
+                                            break
+                                        # Also check if exact same args (covers manual/no-rule jobs)
+                                        elif existing_args == cmd_args:
+                                            similar_exists = True
+                                            print(f"  ⏭️  Skipping sqlmap for {cmd_target}: similar job #{existing_job['id']} already exists ({existing_job['status']})")
+                                            break
+                                        # If different rule_id and different args, allow it (different SQLMap phase)
+
+                                    # For gobuster: check if args match
+                                    elif cmd['tool'] == 'gobuster':
                                         existing_args = existing_job.get('args', [])
                                         cmd_args = cmd.get('args', [])
-                                        # Compare args - if they're the same, it's a duplicate
                                         if existing_args == cmd_args:
                                             similar_exists = True
                                             print(f"  ⏭️  Skipping {cmd['tool']} for {cmd_target}: similar job #{existing_job['id']} already exists ({existing_job['status']})")
                                             break
-                                        # If args are different, allow it (different SQLMap phase)
 
                                     # For quick lookup tools (whois, dnsrecon), skip 5-min duplicate check
                                     # They're fast and each theHarvester run should trigger them

souleyez/docs/README.md

@@ -1,6 +1,6 @@
 # SoulEyez Documentation
 
-**Version:** 2.32.0
+**Version:** 2.36.0
 **Last Updated:** January 9, 2026
 **Organization:** CyberSoul Security
 

souleyez/integrations/siem/__init__.py

@@ -30,6 +30,7 @@ from souleyez.integrations.siem.wazuh import WazuhSIEMClient
 from souleyez.integrations.siem.splunk import SplunkSIEMClient
 from souleyez.integrations.siem.elastic import ElasticSIEMClient
 from souleyez.integrations.siem.sentinel import SentinelSIEMClient
+from souleyez.integrations.siem.googlesecops import GoogleSecOpsSIEMClient
 from souleyez.integrations.siem.factory import SIEMFactory
 
 __all__ = [
@@ -45,4 +46,5 @@ __all__ = [
     'SplunkSIEMClient',
     'ElasticSIEMClient',
     'SentinelSIEMClient',
+    'GoogleSecOpsSIEMClient',
 ]

souleyez/integrations/siem/factory.py

@@ -11,7 +11,8 @@ from souleyez.integrations.siem.base import SIEMClient, SIEMConnectionStatus
 
 
 # Registry of available SIEM types
-SIEM_TYPES = ['wazuh', 'splunk', 'elastic', 'sentinel']
+# Ordered: Open Source first, then Commercial
+SIEM_TYPES = ['wazuh', 'elastic', 'splunk', 'sentinel', 'google_secops']
 
 
 class SIEMFactory:
@@ -60,6 +61,10 @@ class SIEMFactory:
             from souleyez.integrations.siem.sentinel import SentinelSIEMClient
             return SentinelSIEMClient.from_config(config)
 
+        elif siem_type_lower == 'google_secops':
+            from souleyez.integrations.siem.googlesecops import GoogleSecOpsSIEMClient
+            return GoogleSecOpsSIEMClient.from_config(config)
+
         else:
             raise ValueError(
                 f"Unsupported SIEM type: {siem_type}. "
@@ -114,7 +119,7 @@ class SIEMFactory:
         info_map = {
             'wazuh': {
                 'name': 'Wazuh',
-                'description': 'Open source security monitoring (OSSEC fork)',
+                'description': '[Open Source] Security monitoring platform (OSSEC fork)',
                 'config_fields': [
                     {'name': 'api_url', 'label': 'Manager API URL', 'required': True,
                      'placeholder': 'https://wazuh.example.com:55000'},
@@ -130,7 +135,7 @@ class SIEMFactory:
             },
             'splunk': {
                 'name': 'Splunk',
-                'description': 'Enterprise SIEM and log management platform',
+                'description': '[Commercial] Enterprise SIEM and log management',
                 'config_fields': [
                     {'name': 'api_url', 'label': 'REST API URL', 'required': True,
                      'placeholder': 'https://splunk.example.com:8089'},
@@ -144,7 +149,7 @@ class SIEMFactory:
             },
             'elastic': {
                 'name': 'Elastic Security',
-                'description': 'Elastic SIEM (formerly Elastic Security)',
+                'description': '[Open Source] Elastic Stack security solution (ELK SIEM)',
                 'config_fields': [
                     {'name': 'elasticsearch_url', 'label': 'Elasticsearch URL', 'required': True,
                      'placeholder': 'https://elastic.example.com:9200'},
@@ -159,7 +164,7 @@ class SIEMFactory:
             },
             'sentinel': {
                 'name': 'Microsoft Sentinel',
-                'description': 'Azure cloud-native SIEM',
+                'description': '[Commercial] Azure cloud-native SIEM',
                 'config_fields': [
                     {'name': 'tenant_id', 'label': 'Azure Tenant ID', 'required': True},
                     {'name': 'client_id', 'label': 'App Client ID', 'required': True},
@@ -170,6 +175,22 @@ class SIEMFactory:
                     {'name': 'workspace_id', 'label': 'Workspace ID (GUID)', 'required': True},
                 ],
             },
+            'google_secops': {
+                'name': 'Google SecOps',
+                'description': '[Commercial] Google Cloud security operations (Chronicle)',
+                'config_fields': [
+                    {'name': 'customer_id', 'label': 'Chronicle Customer ID', 'required': True,
+                     'placeholder': 'Your Chronicle customer ID'},
+                    {'name': 'region', 'label': 'Chronicle Region', 'required': True,
+                     'placeholder': 'us, europe, asia-southeast1'},
+                    {'name': 'project_id', 'label': 'Google Cloud Project ID', 'required': False,
+                     'placeholder': 'Optional if in service account JSON'},
+                    {'name': 'credentials_json', 'label': 'Service Account JSON', 'required': True,
+                     'secret': True, 'type': 'textarea',
+                     'placeholder': 'Paste service account JSON key'},
+                    {'name': 'verify_ssl', 'label': 'Verify SSL', 'required': False, 'type': 'boolean'},
+                ],
+            },
         }
 
         return info_map.get(siem_type.lower(), {

souleyez/integrations/siem/googlesecops.py

@@ -0,0 +1,614 @@
+"""
+Google SecOps (Chronicle) SIEM Client.
+
+Implements the SIEMClient interface for Google SecOps (formerly Chronicle SIEM).
+Uses Chronicle REST APIs for querying detections, events, and rules.
+"""
+
+import base64
+import json
+import time
+from datetime import datetime, timedelta
+from typing import Dict, List, Optional, Any
+
+import requests
+
+from souleyez.integrations.siem.base import (
+    SIEMClient,
+    SIEMAlert,
+    SIEMRule,
+    SIEMConnectionStatus,
+)
+
+
+class GoogleSecOpsSIEMClient(SIEMClient):
+    """Google SecOps (Chronicle) implementation of the SIEMClient interface.
+
+    Uses Chronicle APIs:
+    - Auth: OAuth 2.0 with service account JWT
+    - Search: POST /v1alpha/events:udmSearch
+    - Detections: GET /v1alpha/detections
+    - Rules: GET /v1alpha/rules
+    """
+
+    # Chronicle API regions
+    REGIONS = {
+        'us': 'https://backstory.googleapis.com',
+        'europe': 'https://europe-backstory.googleapis.com',
+        'asia-southeast1': 'https://asia-southeast1-backstory.googleapis.com',
+    }
+
+    def __init__(
+        self,
+        credentials_json: str,
+        customer_id: str,
+        region: str = 'us',
+        project_id: Optional[str] = None,
+        verify_ssl: bool = True,
+    ):
+        """Initialize Google SecOps client.
+
+        Args:
+            credentials_json: Service account JSON key (as string)
+            customer_id: Chronicle customer ID
+            region: Chronicle region ('us', 'europe', 'asia-southeast1')
+            project_id: Google Cloud project ID (optional, extracted from creds if not provided)
+            verify_ssl: Verify SSL certificates
+        """
+        self.customer_id = customer_id
+        self.region = region.lower()
+        self.verify_ssl = verify_ssl
+        self._access_token: Optional[str] = None
+        self._token_expiry: Optional[datetime] = None
+
+        # Parse service account credentials
+        try:
+            if isinstance(credentials_json, str):
+                self._credentials = json.loads(credentials_json)
+            else:
+                self._credentials = credentials_json
+        except json.JSONDecodeError as e:
+            raise ValueError(f"Invalid service account JSON: {e}")
+
+        self.project_id = project_id or self._credentials.get('project_id', '')
+
+        # Set API base URL
+        self.api_base = self.REGIONS.get(self.region, self.REGIONS['us'])
+
+    @classmethod
+    def from_config(cls, config: Dict[str, Any]) -> 'GoogleSecOpsSIEMClient':
+        """Create client from configuration dictionary.
+
+        Args:
+            config: Dict with credentials_json, customer_id, region, etc.
+
+        Returns:
+            GoogleSecOpsSIEMClient instance
+        """
+        return cls(
+            credentials_json=config.get('credentials_json', '{}'),
+            customer_id=config.get('customer_id', ''),
+            region=config.get('region', 'us'),
+            project_id=config.get('project_id'),
+            verify_ssl=config.get('verify_ssl', True),
+        )
+
+    @property
+    def siem_type(self) -> str:
+        """Return the SIEM type identifier."""
+        return 'google_secops'
+
+    def _create_jwt(self) -> str:
+        """Create a signed JWT for service account authentication.
+
+        Returns:
+            Signed JWT string
+        """
+        from cryptography.hazmat.primitives import hashes, serialization
+        from cryptography.hazmat.primitives.asymmetric import padding
+        from cryptography.hazmat.backends import default_backend
+
+        now = int(time.time())
+        expiry = now + 3600  # 1 hour
+
+        # JWT header
+        header = {
+            'alg': 'RS256',
+            'typ': 'JWT',
+            'kid': self._credentials.get('private_key_id', '')
+        }
+
+        # JWT claims
+        claims = {
+            'iss': self._credentials.get('client_email', ''),
+            'sub': self._credentials.get('client_email', ''),
+            'aud': 'https://oauth2.googleapis.com/token',
+            'iat': now,
+            'exp': expiry,
+            'scope': 'https://www.googleapis.com/auth/chronicle-backstory'
+        }
+
+        # Encode header and claims
+        def b64_encode(data: dict) -> str:
+            return base64.urlsafe_b64encode(
+                json.dumps(data, separators=(',', ':')).encode()
+            ).rstrip(b'=').decode()
+
+        header_b64 = b64_encode(header)
+        claims_b64 = b64_encode(claims)
+        message = f"{header_b64}.{claims_b64}".encode()
+
+        # Sign with private key
+        private_key_pem = self._credentials.get('private_key', '')
+        private_key = serialization.load_pem_private_key(
+            private_key_pem.encode(),
+            password=None,
+            backend=default_backend()
+        )
+
+        signature = private_key.sign(
+            message,
+            padding.PKCS1v15(),
+            hashes.SHA256()
+        )
+        signature_b64 = base64.urlsafe_b64encode(signature).rstrip(b'=').decode()
+
+        return f"{header_b64}.{claims_b64}.{signature_b64}"
+
+    def _get_access_token(self) -> str:
+        """Get Google OAuth access token using service account.
+
+        Returns:
+            Access token string
+        """
+        # Check cached token
+        if self._access_token and self._token_expiry:
+            if datetime.now() < self._token_expiry:
+                return self._access_token
+
+        # Create signed JWT
+        jwt = self._create_jwt()
+
+        # Exchange JWT for access token
+        response = requests.post(
+            'https://oauth2.googleapis.com/token',
+            data={
+                'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+                'assertion': jwt,
+            },
+            timeout=30,
+            verify=self.verify_ssl
+        )
+        response.raise_for_status()
+
+        token_data = response.json()
+        self._access_token = token_data['access_token']
+        expires_in = token_data.get('expires_in', 3600)
+        self._token_expiry = datetime.now() + timedelta(seconds=expires_in - 60)
+
+        return self._access_token
+
+    def _request(
+        self,
+        method: str,
+        endpoint: str,
+        params: Optional[Dict] = None,
+        json_data: Optional[Dict] = None,
+    ) -> requests.Response:
+        """Make authenticated API request.
+
+        Args:
+            method: HTTP method
+            endpoint: API endpoint (relative to api_base)
+            params: Query parameters
+            json_data: JSON request body
+
+        Returns:
+            Response object
+        """
+        token = self._get_access_token()
+        url = f"{self.api_base}{endpoint}"
+
+        headers = {
+            'Authorization': f'Bearer {token}',
+            'Content-Type': 'application/json',
+        }
+
+        response = requests.request(
+            method=method,
+            url=url,
+            headers=headers,
+            params=params,
+            json=json_data,
+            verify=self.verify_ssl,
+            timeout=60
+        )
+        return response
+
+    def test_connection(self) -> SIEMConnectionStatus:
+        """Test connection to Google SecOps.
+
+        Returns:
+            SIEMConnectionStatus with connection details
+        """
+        try:
+            # Try to get access token first (validates credentials)
+            self._get_access_token()
+
+            # Query for a small time window to verify API access
+            response = self._request(
+                'GET',
+                '/v1alpha/detect/rules',
+                params={'page_size': 1}
+            )
+
+            if response.status_code == 200:
+                return SIEMConnectionStatus(
+                    connected=True,
+                    version='Chronicle API v1alpha',
+                    siem_type='google_secops',
+                    details={
+                        'region': self.region,
+                        'customer_id': self.customer_id,
+                        'project_id': self.project_id,
+                    }
+                )
+            elif response.status_code == 403:
+                return SIEMConnectionStatus(
+                    connected=False,
+                    error='Permission denied. Check service account permissions.',
+                    siem_type='google_secops'
+                )
+            else:
+                return SIEMConnectionStatus(
+                    connected=False,
+                    error=f'API error: {response.status_code} - {response.text[:200]}',
+                    siem_type='google_secops'
+                )
+
+        except requests.exceptions.ConnectionError as e:
+            return SIEMConnectionStatus(
+                connected=False,
+                error=f'Connection failed: {str(e)}',
+                siem_type='google_secops'
+            )
+        except ValueError as e:
+            return SIEMConnectionStatus(
+                connected=False,
+                error=f'Configuration error: {str(e)}',
+                siem_type='google_secops'
+            )
+        except Exception as e:
+            return SIEMConnectionStatus(
+                connected=False,
+                error=str(e),
+                siem_type='google_secops'
+            )
+
+    def get_alerts(
+        self,
+        start_time: datetime,
+        end_time: datetime,
+        source_ip: Optional[str] = None,
+        dest_ip: Optional[str] = None,
+        rule_ids: Optional[List[str]] = None,
+        search_text: Optional[str] = None,
+        limit: int = 100
+    ) -> List[SIEMAlert]:
+        """Query detections/alerts from Google SecOps.
+
+        Args:
+            start_time: Start of time range
+            end_time: End of time range
+            source_ip: Filter by source IP
+            dest_ip: Filter by destination IP
+            rule_ids: Filter by rule IDs
+            search_text: Free text search
+            limit: Maximum number of results
+
+        Returns:
+            List of normalized SIEMAlert objects
+        """
+        # Format times for Chronicle API (RFC 3339)
+        start_str = start_time.strftime('%Y-%m-%dT%H:%M:%SZ')
+        end_str = end_time.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        # Query detections endpoint
+        params = {
+            'start_time': start_str,
+            'end_time': end_str,
+            'page_size': min(limit, 1000),
+        }
+
+        response = self._request(
+            'GET',
+            '/v1alpha/detect/detections',
+            params=params
+        )
+
+        if response.status_code != 200:
+            return []
+
+        data = response.json()
+        detections = data.get('detections', [])
+
+        # Filter and normalize results
+        alerts = []
+        for detection in detections:
+            alert = self._normalize_alert(detection)
+
+            # Apply filters
+            if source_ip and alert.source_ip != source_ip:
+                continue
+            if dest_ip and alert.dest_ip != dest_ip:
+                continue
+            if rule_ids and alert.rule_id not in rule_ids:
+                continue
+            if search_text:
+                search_lower = search_text.lower()
+                if (search_lower not in alert.rule_name.lower() and
+                        search_lower not in alert.description.lower()):
+                    continue
+
+            alerts.append(alert)
+
+            if len(alerts) >= limit:
+                break
+
+        return alerts
+
+    def _normalize_alert(self, detection: Dict[str, Any]) -> SIEMAlert:
+        """Convert Chronicle detection to normalized SIEMAlert.
+
+        Args:
+            detection: Raw detection from Chronicle API
+
+        Returns:
+            Normalized SIEMAlert
+        """
+        # Parse timestamp
+        timestamp_str = detection.get('detectionTime', '')
+        try:
+            timestamp = datetime.fromisoformat(timestamp_str.replace('Z', '+00:00'))
+        except (ValueError, AttributeError):
+            timestamp = datetime.now()
+
+        # Extract rule info
+        rule_info = detection.get('detection', [{}])[0] if detection.get('detection') else {}
+        rule_id = rule_info.get('ruleId', detection.get('ruleId', ''))
+        rule_name = rule_info.get('ruleName', detection.get('ruleName', rule_id))
+
+        # Map severity
+        severity_raw = detection.get('severity', rule_info.get('severity', 'INFORMATIONAL'))
+        severity = self._map_severity(severity_raw)
+
+        # Extract IPs from UDM events
+        source_ip = None
+        dest_ip = None
+        events = detection.get('collectionElements', [])
+        for element in events:
+            references = element.get('references', [])
+            for ref in references:
+                event = ref.get('event', {})
+                principal = event.get('principal', {})
+                target = event.get('target', {})
+
+                if not source_ip and principal.get('ip'):
+                    ips = principal.get('ip', [])
+                    source_ip = ips[0] if ips else None
+
+                if not dest_ip and target.get('ip'):
+                    ips = target.get('ip', [])
+                    dest_ip = ips[0] if ips else None
+
+        # Extract description
+        description = detection.get('description', rule_info.get('ruleText', ''))
+        if not description:
+            description = f"Chronicle detection: {rule_name}"
+
+        return SIEMAlert(
+            id=detection.get('id', str(hash(str(detection)))[:12]),
+            timestamp=timestamp,
+            rule_id=str(rule_id),
+            rule_name=str(rule_name),
+            severity=severity,
+            source_ip=source_ip,
+            dest_ip=dest_ip,
+            description=str(description)[:200],
+            raw_data=detection,
+            mitre_tactics=[],
+            mitre_techniques=[],
+        )
+
+    def _map_severity(self, severity: str) -> str:
+        """Map Chronicle severity to normalized severity."""
+        severity_upper = str(severity).upper()
+        severity_map = {
+            'CRITICAL': 'critical',
+            'HIGH': 'high',
+            'MEDIUM': 'medium',
+            'LOW': 'low',
+            'INFORMATIONAL': 'info',
+            'INFO': 'info',
+        }
+        return severity_map.get(severity_upper, 'info')
+
+    def get_rules(
+        self,
+        rule_ids: Optional[List[str]] = None,
+        enabled_only: bool = True
+    ) -> List[SIEMRule]:
+        """Get YARA-L detection rules from Google SecOps.
+
+        Args:
+            rule_ids: Optional list of specific rule IDs
+            enabled_only: Only return enabled rules
+
+        Returns:
+            List of normalized SIEMRule objects
+        """
+        response = self._request(
+            'GET',
+            '/v1alpha/detect/rules',
+            params={'page_size': 1000}
+        )
+
+        if response.status_code != 200:
+            return []
+
+        data = response.json()
+        raw_rules = data.get('rules', [])
+
+        rules = []
+        for raw_rule in raw_rules:
+            rule_id = raw_rule.get('ruleId', '')
+
+            # Filter by rule_ids if provided
+            if rule_ids and rule_id not in rule_ids:
+                continue
+
+            # Check if enabled
+            is_enabled = raw_rule.get('liveRuleEnabled', True)
+            if enabled_only and not is_enabled:
+                continue
+
+            rule = SIEMRule(
+                id=rule_id,
+                name=raw_rule.get('ruleName', rule_id),
+                description=raw_rule.get('metadata', {}).get('description', ''),
+                severity=self._map_severity(raw_rule.get('metadata', {}).get('severity', '')),
+                enabled=is_enabled,
+                mitre_tactics=raw_rule.get('metadata', {}).get('mitreTactics', []),
+                mitre_techniques=raw_rule.get('metadata', {}).get('mitreTechniques', []),
+                raw_data=raw_rule,
+            )
+            rules.append(rule)
+
+        return rules
+
+    def get_recommended_rules(self, attack_type: str) -> List[Dict[str, Any]]:
+        """Get recommended rules for detecting an attack type.
+
+        Args:
+            attack_type: Tool/attack name (e.g., 'nmap', 'hydra')
+
+        Returns:
+            List of rule recommendations
+        """
+        # Chronicle/Google SecOps rule recommendations
+        recommendations_map = {
+            'nmap': [
+                {
+                    'rule_id': 'network_port_scan',
+                    'rule_name': 'Network Port Scan Detection',
+                    'yaral': '''
+rule network_port_scan {
+  meta:
+    description = "Detects potential port scanning activity"
+    severity = "MEDIUM"
+  events:
+    $e.metadata.event_type = "NETWORK_CONNECTION"
+    $e.principal.ip = $src_ip
+  match:
+    $src_ip over 5m
+  condition:
+    #e > 100
+}''',
+                },
+            ],
+            'hydra': [
+                {
+                    'rule_id': 'brute_force_auth',
+                    'rule_name': 'Brute Force Authentication',
+                    'yaral': '''
+rule brute_force_authentication {
+  meta:
+    description = "Detects brute force login attempts"
+    severity = "HIGH"
+  events:
+    $e.metadata.event_type = "USER_LOGIN"
+    $e.security_result.action = "BLOCK"
+    $e.principal.ip = $src_ip
+  match:
+    $src_ip over 5m
+  condition:
+    #e > 10
+}''',
+                },
+            ],
+            'sqlmap': [
+                {
+                    'rule_id': 'sql_injection',
+                    'rule_name': 'SQL Injection Attempt',
+                    'yaral': '''
+rule sql_injection_attempt {
+  meta:
+    description = "Detects SQL injection patterns in requests"
+    severity = "HIGH"
+  events:
+    $e.metadata.event_type = "NETWORK_HTTP"
+    re.regex($e.target.url, `(?i)(union|select|insert|update|delete|drop).*`)
+  condition:
+    $e
+}''',
+                },
+            ],
+        }
+
+        attack_lower = attack_type.lower()
+        recommendations = recommendations_map.get(attack_lower, [])
+
+        return [
+            {
+                'rule_id': r['rule_id'],
+                'rule_name': r['rule_name'],
+                'description': f"YARA-L rule for detecting {attack_type}",
+                'severity': 'high',
+                'enabled': False,  # These are recommendations, not deployed
+                'siem_type': 'google_secops',
+                'yaral_rule': r.get('yaral', ''),
+            }
+            for r in recommendations
+        ]
+
+    def search_udm_events(
+        self,
+        query: str,
+        start_time: datetime,
+        end_time: datetime,
+        limit: int = 100
+    ) -> List[Dict[str, Any]]:
+        """Search UDM events with a custom query.
+
+        This is a Chronicle-specific method for advanced queries.
+
+        Args:
+            query: UDM search query
+            start_time: Start of time range
+            end_time: End of time range
+            limit: Maximum results
+
+        Returns:
+            List of UDM events
+        """
+        start_str = start_time.strftime('%Y-%m-%dT%H:%M:%SZ')
+        end_str = end_time.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        response = self._request(
+            'POST',
+            '/v1alpha/events:udmSearch',
+            json_data={
+                'query': query,
+                'time_range': {
+                    'start_time': start_str,
+                    'end_time': end_str,
+                },
+                'limit': limit,
+            }
+        )
+
+        if response.status_code != 200:
+            return []
+
+        data = response.json()
+        return data.get('events', {}).get('events', [])

souleyez/integrations/wazuh/config.py

@@ -10,8 +10,8 @@ from pathlib import Path
 from souleyez.storage.database import get_db
 from souleyez.storage.crypto import get_crypto_manager
 
-# Supported SIEM types
-SIEM_TYPES = ['wazuh', 'splunk', 'elastic', 'sentinel']
+# Supported SIEM types (Open Source first, then Commercial)
+SIEM_TYPES = ['wazuh', 'elastic', 'splunk', 'sentinel', 'google_secops']
 
 
 class WazuhConfig:

souleyez/main.py

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 
 
 @click.group()
-@click.version_option(version='2.32.0')
+@click.version_option(version='2.36.0')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging

souleyez/ui/interactive.py

@@ -8930,18 +8930,48 @@ def _select_siem_type(engagement_id: int):
     config = WazuhConfig.get_config(engagement_id)
     current_type = config.get('siem_type', 'wazuh') if config else 'wazuh'
 
-    # Show available SIEM types
-    siem_types = SIEMFactory.get_available_types()
-    click.echo("  Available SIEM platforms:")
+    # Define SIEM categories with emojis
+    siem_emojis = {
+        'wazuh': '🦎',
+        'elastic': '🦌',
+        'splunk': '⚡',
+        'sentinel': '🛡️',
+        'google_secops': '🔍',
+    }
+    open_source_siems = ['wazuh', 'elastic']
+    commercial_siems = ['splunk', 'sentinel', 'google_secops']
+
+    # Build ordered list for selection (open source first)
+    siem_types = open_source_siems + commercial_siems
+
+    # Show Open Source section
+    click.echo("  🌐 " + click.style("OPEN SOURCE", fg='green', bold=True))
+    click.echo("  " + "─" * 60)
+    idx = 1
+    for siem_type in open_source_siems:
+        info = SIEMFactory.get_type_info(siem_type)
+        emoji = siem_emojis.get(siem_type, '📊')
+        current_marker = click.style(" (current)", fg='green') if siem_type == current_type else ""
+        # Remove [Open Source] prefix from description since we have section header
+        desc = info['description'].replace('[Open Source] ', '')
+        click.echo(f"    [{idx}] {emoji} {click.style(info['name'], bold=True)}{current_marker}")
+        click.echo(f"        {click.style(desc, dim=True)}")
+        idx += 1
     click.echo()
 
-    for i, siem_type in enumerate(siem_types, 1):
+    # Show Commercial section
+    click.echo("  💼 " + click.style("COMMERCIAL", fg='cyan', bold=True))
+    click.echo("  " + "─" * 60)
+    for siem_type in commercial_siems:
         info = SIEMFactory.get_type_info(siem_type)
-        is_current = " (current)" if siem_type == current_type else ""
-        marker = click.style("*", fg='green') if siem_type == current_type else " "
-        click.echo(f"  {marker} [{i}] {click.style(info['name'], bold=True)}{is_current}")
-        click.echo(f"       {info['description']}")
-        click.echo()
+        emoji = siem_emojis.get(siem_type, '📊')
+        current_marker = click.style(" (current)", fg='green') if siem_type == current_type else ""
+        # Remove [Commercial] prefix from description since we have section header
+        desc = info['description'].replace('[Commercial] ', '')
+        click.echo(f"    [{idx}] {emoji} {click.style(info['name'], bold=True)}{current_marker}")
+        click.echo(f"        {click.style(desc, dim=True)}")
+        idx += 1
+    click.echo()
 
     click.echo("    [q] Cancel")
     click.echo()

{souleyez-2.32.0.dist-info → souleyez-2.36.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: souleyez
-Version: 2.32.0
+Version: 2.36.0
 Summary: AI-Powered Penetration Testing Platform with 40+ integrated tools
 Author-email: CyberSoul Security <contact@cybersoulsecurity.com>
 Maintainer-email: CyberSoul Security <contact@cybersoulsecurity.com>
@@ -78,7 +78,7 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 
 > ⚠️ **Important**: Only use SoulEyez on systems you have explicit authorization to test.
 
-## Version: 2.32.0
+## Version: 2.36.0
 
 ### What's Included
 
@@ -316,4 +316,4 @@ Happy hacking! 🛡️
 
 ---
 
-**Version**: 2.32.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security
+**Version**: 2.36.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security

{souleyez-2.32.0.dist-info → souleyez-2.36.0.dist-info}/RECORD

@@ -1,10 +1,10 @@
-souleyez/__init__.py,sha256=kYTzrOjUQok3QAN5C-3OM0LpxmGiH8Rnrv0NH_BrrRo,23
+souleyez/__init__.py,sha256=HEBfUyspLrKCZucYurMXlYQAAw-Suz7LX59o47d1D6Q,24
 souleyez/config.py,sha256=av357I3GYRWAklv8Dto-9-5Db699Wq5znez7zo7241Q,11595
 souleyez/devtools.py,sha256=rptmUY4a5eVvYjdEc6273MSagL-D9xibPOFgohVqUno,3508
 souleyez/feature_flags.py,sha256=mo6YAq07lc6sR3lEFKmIwTKxXZ2JPxwa5X97uR_mu50,4642
 souleyez/history.py,sha256=gzs5I_j-3OigIP6yfmBChdqxaFmyUIxvTpzWUPe_Q6c,2853
 souleyez/log_config.py,sha256=MMhPAJOqgXDfuE-xm5g0RxAfWndcmbhFHvIEMm1a_Wo,5830
-souleyez/main.py,sha256=qG2GlC_8xPsKzzWOIDFBXpoY12JFfDoyDX7XRYS9N-w,130228
+souleyez/main.py,sha256=MhSJMRbHN0BMNFdAGq7-pgHEND96ua118mlbnv_AsJs,130228
 souleyez/scanner.py,sha256=U3IWHRrJ5aQ32dSHiVAHB60w1R_z0E0QxfM99msYNlw,3124
 souleyez/security.py,sha256=S84m1QmnKz_6NgH2I6IBIAorMHxRPNYVFSnks5xjihQ,2479
 souleyez/ui.py,sha256=15pfsqoDPnojAqr5S0TZHJE2ZkSHzkHpNVfVvsRj66A,34301
@@ -59,7 +59,7 @@ souleyez/core/network_utils.py,sha256=-4WgUE91RBzyXDFgGTxMa0zsWowJ47cEOAKXNeVa-W
 souleyez/core/parser_handler.py,sha256=cyZtEDctqMdWgubsU0Jg6o4XqBgyfaJ_AeBHQmmv4hM,5564
 souleyez/core/pending_chains.py,sha256=Dnka7JK7A8gTWCGpTu6qrIgIDIXprkZmwJ0Rm2oWqRE,10972
 souleyez/core/templates.py,sha256=DzlXlAz8_lwAFjjUWPp3r81KCCzbNeK-bkN1IlgQBSU,18112
-souleyez/core/tool_chaining.py,sha256=9GOE8gBMJ8PHjD8Yj8YcpehL2PEoURwUKG9mHQsjmUE,277495
+souleyez/core/tool_chaining.py,sha256=x1cJ6icuWu5YBZJ31q_Jm2iahGC3mBoUCnfYrkT0Kcc,281598
 souleyez/core/version_utils.py,sha256=UOrOa3qfUdLKdzWT6GAGNV9TauwinXyLyelS8sOk0eE,11769
 souleyez/core/vuln_correlation.py,sha256=U69MSI5I-AtiyOAbXohGDKMpEHRW9y4G_0M1ppRGX18,14765
 souleyez/core/web_utils.py,sha256=f-Dqa6tH8ROnygn6-k7J1y8Qz2f1FmeJnPjPE0WRn34,4902
@@ -104,7 +104,7 @@ souleyez/detection/__init__.py,sha256=QIhvXjFdjrquQ6A0VQ7GZQkK_EXB59t8Dv9PKXhEUe
 souleyez/detection/attack_signatures.py,sha256=akgWwiIkh6WYnghCuLhRV0y6FS0SQ0caGF8tZUc49oA,6965
 souleyez/detection/mitre_mappings.py,sha256=xejE80YK-g8kKaeQoo-vBl8P3t8RTTItbfN0NaVZw6s,20558
 souleyez/detection/validator.py,sha256=-AJ7QSJ3-6jFKLnPG_Rc34IXyF4JPyI82BFUgTA9zw0,15641
-souleyez/docs/README.md,sha256=KLyTnR-Wd5XWsg5-i7LKdru4qfJknI1e1a8Pp7KvXOE,7183
+souleyez/docs/README.md,sha256=m5TvWRRtfLwpPLWEF9xJ6pXGqO_l9FlQCSNgVCJOqJg,7183
 souleyez/docs/api-reference/cli-commands.md,sha256=lTLFnILN3YRVdqCaag7WgsYXfDGglb1TuPexkxDsVdE,12917
 souleyez/docs/api-reference/engagement-api.md,sha256=nd-EvQMtiJrobg2bzFEADp853HP1Uhb9dmgok0_-neE,11672
 souleyez/docs/api-reference/integration-guide.md,sha256=c96uX79ukHyYotLa54wZ20Kx-EUZnrKegTeGkfLD-pw,16285
@@ -162,10 +162,11 @@ souleyez/importers/__init__.py,sha256=FNeqzNzKnaO7NUpoHt2IjXpA0g2eGl8YQwwfg2LhFE
 souleyez/importers/msf_importer.py,sha256=pPeXKqIv5ML2mu2Ew_BFI3vJbqDuBc53OHE4GJmqd5A,11754
 souleyez/importers/smart_importer.py,sha256=hem7Zhvurl8Lm_qY1qeOF-JigQWClXtdmKKlzavvHbo,14425
 souleyez/integrations/__init__.py,sha256=AG15oe2CIfQIJCUCOnMifj-EeZdzCe0A764ZU2gKVCo,79
-souleyez/integrations/siem/__init__.py,sha256=CVeHwXX8wstISL-0nZgffWgdMJQO1Aji0wVAKX67Ouw,1263
+souleyez/integrations/siem/__init__.py,sha256=6KWX7hgTvoOiD5upV7nmBph1e1WOyrMdtN_JfFRJ_pc,1368
 souleyez/integrations/siem/base.py,sha256=JmbhRlHl7wsRyd3nOhCqDHFP4VwBv-VR7uIKWoohKDE,8144
 souleyez/integrations/siem/elastic.py,sha256=LuxheashiOO-AJbtUEK_BZ1T8EUAr1KlZkOheWPPgrQ,14712
-souleyez/integrations/siem/factory.py,sha256=aRTV2IFTF1e5PvmTrAVk1UsrVzm476esY2mLsey3F9Q,8061
+souleyez/integrations/siem/factory.py,sha256=8OBoVpVSjnQQ5oXjcq3iJUEK-ItnyCVkcZV8wHbWEug,9424
+souleyez/integrations/siem/googlesecops.py,sha256=HY832skGOlpidH9KdvvSmvMXP-fxT5S90BD6gFwMKnU,19419
 souleyez/integrations/siem/sentinel.py,sha256=8zxuMgqlfCeGu_gHPNjfmBfBR5PEmtMTbqliC9dnbcI,15789
 souleyez/integrations/siem/splunk.py,sha256=Vi6RMSqjXCVhy6AmQ0kFs_OrP6jDez3Vis8ZYJtWIGA,28587
 souleyez/integrations/siem/wazuh.py,sha256=vltBhkP5BkgJLmdmF6u_b2RgTvP7iE9sFDxOt9v71qM,10245
@@ -173,7 +174,7 @@ souleyez/integrations/siem/rule_mappings/__init__.py,sha256=PbCLigl6Zo8ClvxZ29yd
 souleyez/integrations/siem/rule_mappings/wazuh_rules.py,sha256=tfduSFFVxUOgL19w4ZFmOC0JDlnewz3PwA94a_XFTmI,8307
 souleyez/integrations/wazuh/__init__.py,sha256=d-zfG_enCStagLZNf3bZ57GujT64jsfI7zS3gJDui10,288
 souleyez/integrations/wazuh/client.py,sha256=Gc42bYP-dh2sDJNLh2WYt6iK0OUMnE9WYkegaZ_qUwk,21824
-souleyez/integrations/wazuh/config.py,sha256=B670Z1jE0q6u8JsmA9YM-k-P66XXe0tjeaGvlvB6HbQ,14866
+souleyez/integrations/wazuh/config.py,sha256=WGOkc53EKZFsriUgs8xK26g6UBGvoGnK1Gcc-cRxDYU,14920
 souleyez/integrations/wazuh/host_mapper.py,sha256=e5wKLb3KbkWLOry8z-8WMD36hmRSWO6ZhB_-iyfgKjg,9047
 souleyez/integrations/wazuh/sync.py,sha256=lrZ-9Fd1HKm2ZHPvj83MCFL9UhZqAowWEXTidXDizw0,12168
 souleyez/intelligence/__init__.py,sha256=oLjyxmSk5VgLxYnkSM9PmrREpiGAVmnqrRBxRGf4cQo,423
@@ -346,7 +347,7 @@ souleyez/ui/export_view.py,sha256=0nQvVsKk7FU4uRzSfJ_qBZh_Lfn8hgGA2rbJ5bNg5-Y,65
 souleyez/ui/gap_analysis_view.py,sha256=AytAOEBq010wwo9hne1TE-uJpY_xicjLrFANbvN3r3w,30727
 souleyez/ui/help_system.py,sha256=nKGxLaMi-TKYs6xudTyw_tZqBb1cGFEuYYh6N-MAsJE,16648
 souleyez/ui/intelligence_view.py,sha256=VeAQ-3mANRnLIVpRqocL3JV0HUmJtADdxDeC5lzQhE0,32168
-souleyez/ui/interactive.py,sha256=-f58u20sNMsNPgcPjadPQABuN4vDBI6DY_gl7-3YGRc,1405285
+souleyez/ui/interactive.py,sha256=dkyIys13Q6_OsDO84-sg1DNQvVTttVOBHjIZV2sSM7w,1406611
 souleyez/ui/interactive_selector.py,sha256=6A51fgmFRnemBY0aCPHIhK2Rpba16NjSGKLzC0Q5vI8,16407
 souleyez/ui/log_formatter.py,sha256=akhIkYoO_cCaKxS1V5N3iPmIrHzgsU7pmsedx70s9TI,3845
 souleyez/ui/menu_components.py,sha256=N8zq2QXGmfaLJ08l53MMYt1y-5LRWgpZH6r8nXHonj8,3519
@@ -369,9 +370,9 @@ souleyez/ui/tutorial_state.py,sha256=Thf7_qCj4VKjG7UqgJqa9kjIqiFUU-7Q7kG4v-u2B4A
 souleyez/ui/wazuh_vulns_view.py,sha256=3vJJEmrjgS2wD6EDB7ZV7WxgytBHTm-1WqNDjp7lVEI,21830
 souleyez/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 souleyez/utils/tool_checker.py,sha256=kQcXJVY5NiO-orQAUnpHhpQvR5UOBNHJ0PaT0fBxYoQ,30782
-souleyez-2.32.0.dist-info/licenses/LICENSE,sha256=J7vDD5QMF4w2oSDm35eBgosATE70ah1M40u9W4EpTZs,1090
-souleyez-2.32.0.dist-info/METADATA,sha256=2pO4jHAKDY_Jw2kR40v1Iwh00vU0QpGjZ-Cm59pqmx4,11345
-souleyez-2.32.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-souleyez-2.32.0.dist-info/entry_points.txt,sha256=bN5W1dhjDZJl3TKclMjRpfQvGPmyrJLwwDuCj_X39HE,48
-souleyez-2.32.0.dist-info/top_level.txt,sha256=afAMzS9p4lcdBNxhGo6jl3ipQE9HUvvNIPOdjtPjr_Q,9
-souleyez-2.32.0.dist-info/RECORD,,
+souleyez-2.36.0.dist-info/licenses/LICENSE,sha256=J7vDD5QMF4w2oSDm35eBgosATE70ah1M40u9W4EpTZs,1090
+souleyez-2.36.0.dist-info/METADATA,sha256=MUHVkcAp8S5N_wcVMGA_-fL5xYr2Uc5RN3EtRaxfSQw,11345
+souleyez-2.36.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+souleyez-2.36.0.dist-info/entry_points.txt,sha256=bN5W1dhjDZJl3TKclMjRpfQvGPmyrJLwwDuCj_X39HE,48
+souleyez-2.36.0.dist-info/top_level.txt,sha256=afAMzS9p4lcdBNxhGo6jl3ipQE9HUvvNIPOdjtPjr_Q,9
+souleyez-2.36.0.dist-info/RECORD,,