🚀 Devlog #01 | Building oesk SIEM: An Autonomous, AI-Driven SIEM Agent in C++20
Hey everyone, I have been working on a root-level intrusion detection and security monitoring agent designed for Linux environments. The goal is to move away from rigid, signature-based detection and instead combine low-level kernel diagnostics with asynchronous AI reasoning.
Here is a quick breakdown of what's currently under the hood:

1. Low-Level Process Integrity Monitoring

Running with strict root privileges, oesk constantly audits the /proc filesystem, inspecting the exe symlinks of all active processes. If a binary is modified in memory or removed from disk while still running, Linux appends a "(deleted)" marker to the symlink target. The agent catches this instantly, flagging potential process masquerading or hijacking attempts.
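The /proc check described above, as an added example that is not oesk's own code: it walks the numeric directories under /proc, resolves each exe symlink with readlink(), and reports the ones whose target ends in the kernel's " (deleted)" suffix. The struct and function names are my own choices.

```cpp
// Added example (not oesk's code): find processes whose /proc/<pid>/exe
// symlink carries the kernel's " (deleted)" suffix.
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <iostream>
#include <string>
#include <system_error>
#include <vector>
#include <unistd.h>   // readlink()

struct DeletedExe {
    int pid;
    std::string target;   // symlink target as reported by the kernel
};

// Suffix test kept C++17-compatible (std::string::ends_with needs C++20).
bool hasSuffix(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// The kernel appends " (deleted)" to the link target once the executable's
// inode has been unlinked from its path. Pure function so it can be tested
// without a live /proc.
bool exeLooksDeleted(const std::string& target) {
    return hasSuffix(target, " (deleted)");
}

// Resolve /proc/<pid>/exe. Empty string on failure: the process exited
// mid-scan, or we lack permission (reading another user's exe link needs
// root or ptrace rights, which is why the agent runs as root).
std::string readExeLink(int pid, const std::string& procRoot = "/proc") {
    const std::string path = procRoot + "/" + std::to_string(pid) + "/exe";
    char buf[4096];
    ssize_t n = ::readlink(path.c_str(), buf, sizeof(buf) - 1);
    if (n < 0) return {};
    return std::string(buf, static_cast<size_t>(n));
}

// /proc mixes PID directories with entries like "self", "sys", "meminfo".
bool isPidDir(const std::string& name) {
    return !name.empty() &&
           std::all_of(name.begin(), name.end(),
                       [](unsigned char c) { return std::isdigit(c) != 0; });
}

// Walk /proc and collect every process running from a deleted binary.
std::vector<DeletedExe> scanDeletedExecutables(const std::string& procRoot = "/proc") {
    std::vector<DeletedExe> hits;
    std::error_code ec;   // non-throwing iterator: /proc entries vanish constantly
    for (const auto& entry : std::filesystem::directory_iterator(procRoot, ec)) {
        const std::string name = entry.path().filename().string();
        if (!isPidDir(name)) continue;
        const int pid = std::stoi(name);
        const std::string target = readExeLink(pid, procRoot);
        if (exeLooksDeleted(target)) hits.push_back({pid, target});
    }
    return hits;
}

int main() {
    for (const auto& hit : scanDeletedExecutables())
        std::cout << "[ALERT] pid " << hit.pid
                  << " runs from a deleted binary: " << hit.target << '\n';
}
```

Two practical notes: the suffix test alone is a heuristic, since a path can legitimately end in " (deleted)", so a stricter check stat()s /proc/<pid>/exe itself (the kernel follows the magic link to the still-open inode) and compares that inode with what the target path currently resolves to; and package upgrades routinely leave long-running daemons pointing at deleted binaries, so this signal is best treated as a trigger for further analysis rather than a verdict on its own.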
2. Asynchronous Gemini 3.5 Flash Integration

To prevent security telemetry from blocking the main system threads, all AI operations run completely out-of-band using C++20 standard concurrency (std::async/std::future). When an anomaly is triggered, the structured payload is pushed to the Gemini 3.5 Flash model.

- Safety Settings Bypassed (OFF): Crucial for security tools, ensuring the LLM doesn't falsely censor raw attack logs or exploit footprints.
- Reasoning Level Set to MEDIUM: Forces the model to perform deeper, step-by-step chain-of-thought analysis before rendering a verdict.
- Grounding via Google Search: The AI can actively execute live web queries to verify emerging zero-days or check known malicious IP threat intelligence.
3. Real-Time Telemetry & Next.js Synchronization

The agent features a dynamic terminal logger that formats alert streams with ANSI escape colors mapped to the AI's determined severity level (LOW to CRITICAL).

Simultaneously, a background worker thread uses libcurl to pipe the structured JSON results to a remote Next.js dashboard endpoint via non-blocking POST requests for live visualization.
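Sections 2 and 3 together, as one added example that is not oesk's code: anomalies are handed to std::async so the monitoring thread never waits on the analysis, each verdict is rendered with an ANSI color chosen from its severity, and the JSON body a dashboard POST would carry is built by hand. The analyzer here is a local stand-in for the model call (the real agent sends the payload to an LLM), and the libcurl transport is omitted; the anomalies, names and heuristics are constructed for the example.

```cpp
// Added example (not oesk's code): out-of-band analysis with std::async,
// severity-to-ANSI mapping, and the JSON payload for the dashboard POST.
#include <chrono>
#include <future>
#include <iostream>
#include <string>
#include <thread>
#include <utility>
#include <vector>

enum class Severity { Low, Medium, High, Critical };

struct Anomaly {
    int pid;
    std::string exe;      // symlink target that triggered the alert
    std::string reason;
};

struct Verdict {
    Severity severity;
    std::string summary;
};

bool hasSuffix(const std::string& s, const std::string& suf) {
    return s.size() >= suf.size() && s.compare(s.size() - suf.size(), suf.size(), suf) == 0;
}
bool hasPrefix(const std::string& s, const std::string& pre) {
    return s.compare(0, pre.size(), pre) == 0;
}

// Stand-in for the model call (constructed heuristic, not the project's
// logic). It sleeps to imitate network latency: that latency is exactly
// why the analysis must not run on the monitoring thread.
Verdict analyzeAnomaly(const Anomaly& a) {
    std::this_thread::sleep_for(std::chrono::milliseconds(20));
    const bool deleted = hasSuffix(a.exe, " (deleted)");
    if (deleted && (hasPrefix(a.exe, "/tmp/") || hasPrefix(a.exe, "/dev/shm/")))
        return {Severity::Critical, "deleted binary executing from world-writable tmpfs"};
    if (deleted)
        return {Severity::High, "binary removed from disk while still running"};
    return {Severity::Medium, a.reason};
}

// std::launch::async forces a new thread; without it the library may defer
// the work until .get(), which would block the caller after all.
std::future<Verdict> analyzeAsync(Anomaly a) {
    return std::async(std::launch::async, analyzeAnomaly, std::move(a));
}

const char* severityName(Severity s) {
    switch (s) {
        case Severity::Low:      return "LOW";
        case Severity::Medium:   return "MEDIUM";
        case Severity::High:     return "HIGH";
        case Severity::Critical: return "CRITICAL";
    }
    return "UNKNOWN";
}

// ANSI SGR sequence per severity; every colored span ends with the reset.
const char* severityColor(Severity s) {
    switch (s) {
        case Severity::Low:      return "\033[32m";    // green
        case Severity::Medium:   return "\033[33m";    // yellow
        case Severity::High:     return "\033[31m";    // red
        case Severity::Critical: return "\033[1;41m";  // bold, red background
    }
    return "";
}
std::string colorize(Severity s, const std::string& text) {
    return std::string(severityColor(s)) + text + "\033[0m";
}

// Minimal escaping so exe paths and model summaries cannot break the JSON.
std::string jsonEscape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '"':  out += "\\\""; break;
            case '\\': out += "\\\\"; break;
            case '\n': out += "\\n";  break;
            default:   out += c;
        }
    }
    return out;
}
std::string toJson(const Anomaly& a, const Verdict& v) {
    return "{\"pid\":" + std::to_string(a.pid) +
           ",\"exe\":\"" + jsonEscape(a.exe) + "\"" +
           ",\"severity\":\"" + severityName(v.severity) + "\"" +
           ",\"summary\":\"" + jsonEscape(v.summary) + "\"}";
}

int main() {
    // Constructed anomalies standing in for what the /proc scan would emit.
    std::vector<Anomaly> batch = {
        {4242, "/tmp/.x (deleted)",          "exe symlink carries deleted marker"},
        {815,  "/usr/sbin/nginx (deleted)",  "exe symlink carries deleted marker"},
    };
    std::vector<std::future<Verdict>> pending;
    for (auto& a : batch) pending.push_back(analyzeAsync(a));
    // The monitoring loop would keep scanning here while workers run.
    for (size_t i = 0; i < batch.size(); ++i) {
        const Verdict v = pending[i].get();
        std::cout << colorize(v.severity, std::string("[") + severityName(v.severity) + "]")
                  << " pid " << batch[i].pid << ": " << v.summary << '\n'
                  << "  payload: " << toJson(batch[i], v) << '\n';
    }
}
```

In the real agent the string from toJson() is what the libcurl worker would hand to the dashboard endpoint; keeping the serializer separate from the transport is what makes it unit-testable without a network.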
In the coming days I want to switch to local LLM models for privacy.