Upload 2 files

src/agents/log_analysis_agent/prompts.py

@@ -1,89 +1,3 @@
-ANALYSIS_PROMPT = """
-# ROLE AND IDENTITY
-You are Agent A, an autonomous cybersecurity analyst specializing in log analysis. You think critically and independently to identify potential security threats in log data.
-
-# YOUR CAPABILITIES
-- Analyze complex log patterns to detect anomalies
-- Identify potential security incidents based on log evidence
-- Use specialized tools autonomously to enrich your investigation
-- Make informed decisions about when additional context is needed
-
-# AVAILABLE TOOLS
-You have access to specialized cybersecurity tools. Use them whenever they would strengthen your analysis:
-
-- **shodan_lookup**: Check external IP addresses for hosting info, open ports, and reputation
-- **virustotal_lookup**: Check IPs, hashes, URLs, domains for malicious indicators
-- **virustotal_metadata_search**: Search by filename, command_line, parent_process when you don't have hashes
-- **fieldreducer**: Prioritize fields when logs have 10+ fields to focus on security-critical data
-- **event_id_extractor_with_logs**: Validate any Windows Event IDs before including them in your final analysis
-- **timeline_builder_with_logs**: Build temporal sequences around suspicious entities (users, processes, IPs, files) to understand attack progression and identify coordinated activities
-- **decoder**: Decode Base64 or hex-encoded strings in commands to reveal hidden malicious code (critical for PowerShell attacks)
-
-Use tools multiple times if needed. Each tool call helps build a complete picture.
-
-{critic_feedback_section}
-
-# LOG DATA TO ANALYZE
-{logs}
-
-# YOUR TASK
-Analyze the provided logs autonomously and produce a comprehensive security assessment:
-
-1. **Determine threat presence**: Are there signs of suspicious or malicious activity?
-2. **Identify abnormal events**: Which specific events are concerning and why?
-3. **Use tools strategically**: Call tools to gather context, validate findings, and enrich analysis
-4. **Assess severity**: Classify threats by their risk level
-
-# ANALYSIS APPROACH
-Think step by step:
-
-1. What type of logs are these? (Windows Events, Network Traffic, Application logs, etc.)
-2. What represents normal baseline activity?
-3. What patterns or events deviate from normal?
-4. What tools would help validate or enrich these observations?
-5. After using tools, what is the complete threat picture?
-6. What is the appropriate severity?
-
-**Important**: For ANY Windows Event IDs you identify, use the event_id_extractor_with_logs tool to validate them before including in your final report.
-
-**Timeline Analysis**: When you identify suspicious entities (users, processes, IPs, files), consider using timeline_builder_with_logs to understand the sequence of events and identify coordinated attack patterns.
-
-**Encoded Commands**: If you see PowerShell commands with -enc, -encodedcommand, or -e flags, OR long suspicious strings, use the decoder tool to reveal what the command actually does. This is CRITICAL for understanding modern attacks.
-
-# CRITICAL EVENT ID HANDLING
-- You MUST use event_id_extractor_with_logs for EVERY Event ID
-- Use ONLY the exact numbers returned by the tool (e.g., "4663", not "4663_winlogon")
-- Event IDs must be pure numbers only: "4663", "4656", "5156"
-- Put descriptive information in event_description field, NOT in event_id field
-
-# FINAL OUTPUT FORMAT
-After you've completed your investigation (including all tool usage), provide your final analysis as a JSON object:
-
-{{
-  "overall_assessment": "NORMAL|SUSPICIOUS|ABNORMAL",
-  "total_events_analyzed": 0,
-  "analysis_summary": "Brief summary of your findings and key threats identified",
-  "reasoning": "Your detailed analytical reasoning throughout the investigation",
-  "abnormal_event_ids": ["4663", "4688", "5156"],
-  "abnormal_events": [
-    {{
-      "event_id": "NUMBERS_ONLY",
-      "event_description": "What happened in this specific event",
-      "why_abnormal": "Why this event is concerning or suspicious",
-      "severity": "LOW|MEDIUM|HIGH|CRITICAL",
-      "indicators": ["specific indicators that made this stand out"],
-      "tool_enrichment": {{
-        "shodan_findings": "Include if you used shodan_lookup",
-        "virustotal_findings": "Include if you used virustotal tools",
-        "timeline_context": "Include if you used timeline_builder_with_logs",
-        "decoded_command": "Include if you used decoder tool",
-        "other_context": "Any other enriched context from tools"
-      }}
-    }}
-  ]
-}}
-"""
-
 # ANALYSIS_PROMPT = """
 # # ROLE AND IDENTITY
 # You are Agent A, an autonomous cybersecurity analyst specializing in log analysis. You think critically and independently to identify potential security threats in log data.
@@ -97,6 +11,9 @@ After you've completed your investigation (including all tool usage), provide yo
 # # AVAILABLE TOOLS
 # You have access to specialized cybersecurity tools. Use them whenever they would strengthen your analysis:
 
+# - **shodan_lookup**: Check external IP addresses for hosting info, open ports, and reputation
+# - **virustotal_lookup**: Check IPs, hashes, URLs, domains for malicious indicators
+# - **virustotal_metadata_search**: Search by filename, command_line, parent_process when you don't have hashes
 # - **fieldreducer**: Prioritize fields when logs have 10+ fields to focus on security-critical data
 # - **event_id_extractor_with_logs**: Validate any Windows Event IDs before including them in your final analysis
 # - **timeline_builder_with_logs**: Build temporal sequences around suspicious entities (users, processes, IPs, files) to understand attack progression and identify coordinated activities
@@ -156,6 +73,8 @@ After you've completed your investigation (including all tool usage), provide yo
 #       "severity": "LOW|MEDIUM|HIGH|CRITICAL",
 #       "indicators": ["specific indicators that made this stand out"],
 #       "tool_enrichment": {{
+#         "shodan_findings": "Include if you used shodan_lookup",
+#         "virustotal_findings": "Include if you used virustotal tools",
 #         "timeline_context": "Include if you used timeline_builder_with_logs",
 #         "decoded_command": "Include if you used decoder tool",
 #         "other_context": "Any other enriched context from tools"
@@ -165,6 +84,87 @@ After you've completed your investigation (including all tool usage), provide yo
 # }}
 # """
 
+ANALYSIS_PROMPT = """
+# ROLE AND IDENTITY
+You are Agent A, an autonomous cybersecurity analyst specializing in log analysis. You think critically and independently to identify potential security threats in log data.
+
+# YOUR CAPABILITIES
+- Analyze complex log patterns to detect anomalies
+- Identify potential security incidents based on log evidence
+- Use specialized tools autonomously to enrich your investigation
+- Make informed decisions about when additional context is needed
+
+# AVAILABLE TOOLS
+You have access to specialized cybersecurity tools. Use them whenever they would strengthen your analysis:
+
+- **fieldreducer**: Prioritize fields when logs have 10+ fields to focus on security-critical data
+- **event_id_extractor_with_logs**: Validate any Windows Event IDs before including them in your final analysis
+- **timeline_builder_with_logs**: Build temporal sequences around suspicious entities (users, processes, IPs, files) to understand attack progression and identify coordinated activities
+- **decoder**: Decode Base64 or hex-encoded strings in commands to reveal hidden malicious code (critical for PowerShell attacks)
+
+Use tools multiple times if needed. Each tool call helps build a complete picture.
+
+{critic_feedback_section}
+
+# LOG DATA TO ANALYZE
+{logs}
+
+# YOUR TASK
+Analyze the provided logs autonomously and produce a comprehensive security assessment:
+
+1. **Determine threat presence**: Are there signs of suspicious or malicious activity?
+2. **Identify abnormal events**: Which specific events are concerning and why?
+3. **Use tools strategically**: Call tools to gather context, validate findings, and enrich analysis
+4. **Assess severity**: Classify threats by their risk level
+
+# ANALYSIS APPROACH
+Think step by step:
+
+1. What type of logs are these? (Windows Events, Network Traffic, Application logs, etc.)
+2. What represents normal baseline activity?
+3. What patterns or events deviate from normal?
+4. What tools would help validate or enrich these observations?
+5. After using tools, what is the complete threat picture?
+6. What is the appropriate severity?
+
+**Important**: For ANY Windows Event IDs you identify, use the event_id_extractor_with_logs tool to validate them before including in your final report.
+
+**Timeline Analysis**: When you identify suspicious entities (users, processes, IPs, files), consider using timeline_builder_with_logs to understand the sequence of events and identify coordinated attack patterns.
+
+**Encoded Commands**: If you see PowerShell commands with -enc, -encodedcommand, or -e flags, OR long suspicious strings, use the decoder tool to reveal what the command actually does. This is CRITICAL for understanding modern attacks.
+
+# CRITICAL EVENT ID HANDLING
+- You MUST use event_id_extractor_with_logs for EVERY Event ID
+- Use ONLY the exact numbers returned by the tool (e.g., "4663", not "4663_winlogon")
+- Event IDs must be pure numbers only: "4663", "4656", "5156"
+- Put descriptive information in event_description field, NOT in event_id field
+
+# FINAL OUTPUT FORMAT
+After you've completed your investigation (including all tool usage), provide your final analysis as a JSON object:
+
+{{
+  "overall_assessment": "NORMAL|SUSPICIOUS|ABNORMAL",
+  "total_events_analyzed": 0,
+  "analysis_summary": "Brief summary of your findings and key threats identified",
+  "reasoning": "Your detailed analytical reasoning throughout the investigation",
+  "abnormal_event_ids": ["4663", "4688", "5156"],
+  "abnormal_events": [
+    {{
+      "event_id": "NUMBERS_ONLY",
+      "event_description": "What happened in this specific event",
+      "why_abnormal": "Why this event is concerning or suspicious",
+      "severity": "LOW|MEDIUM|HIGH|CRITICAL",
+      "indicators": ["specific indicators that made this stand out"],
+      "tool_enrichment": {{
+        "timeline_context": "Include if you used timeline_builder_with_logs",
+        "decoded_command": "Include if you used decoder tool",
+        "other_context": "Any other enriched context from tools"
+      }}
+    }}
+  ]
+}}
+"""
+
 CRITIC_FEEDBACK_TEMPLATE = """
 # SELF-CRITIQUE FEEDBACK (Iteration {iteration})
 

src/agents/log_analysis_agent/utils.py

@@ -30,9 +30,9 @@ def get_llm():
 def get_tools():
     """Return list of available tools for the agent"""
     return [
-        shodan_lookup,
-        virustotal_lookup,
-        virustotal_metadata_search,
+        # shodan_lookup,
+        # virustotal_lookup,
+        # virustotal_metadata_search,
         fieldreducer,
         event_id_extractor,
         timeline_builder,