siemulator

v0.1.0 ● live demo

Stop spinning up real SIEMs for integration tests.

Synthetic SIEM data in three real-vendor shapes (Falcon LogScale, IBM QRadar, Splunk Enterprise) with the chaos-engineering and regression-testing primitives you actually need. 38 multi-source attack scenarios, record/replay/diff, real-time SSE push. Zero customer data — every response carries x-mock-source: siemulator.

GET /qradar/api/siem/offenses?scenarios=replay 200 OK
// One of 38 scenarios — stable IDs survive replays
[
  {
    "id": 90011,
    "offense_id": 90011,
    "_scenario_id": "S1",
    "description": "Living-off-the-Land Supply Chain — Proofpoint",
    "severity": 5,
    "start_time": 1780839721000,
    "categories": ["S1", "Sophisticated-Test"],
    "_raw_alert": {
      "source": "Proofpoint TAP",
      "event_type": "MessagesDelivered",
      "timestamp": "2026-05-22T08:14:22Z"
    },
    "x-mock-source": "siemulator"
  },
  // + 37 more
]
38 Scenarios
31 Narrative chains
3 Vendor shapes
6 Templates
156 Contract tests
3 Auth channels

Features

Everything you need to pin SOAR / agent integration behavior, without standing up real SIEMs.

Three real-vendor REST shapes

Falcon LogScale (Humio REST), IBM QRadar (offences + Ariel), Splunk Enterprise (search jobs + oneshot). Consumers drop in unchanged — same fields, same envelopes.

38 stable scenarios

Multi-source attack narratives (S1–S5), advanced tradecraft (TEST), synthetic-IOC fixtures (DEMO), pentest chains (SCAN), TI-confirmed (ENRICH). Each carries a stable _scenario_id + offence ID for dedup.
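
A consumer-side ingest loop keyed on those stable IDs, as an added example (Python; not siemulator's own code). It de-duplicates offences across polls and replays and refuses any response that does not carry the x-mock-source: siemulator marker in both the header and each record, so a CI job whose base URL was mis-set to a real QRadar fails closed instead of ingesting customer offences. The class and exception names and the two sample polls are constructed for the example; the record fields follow the response shown above.

```python
import json

MOCK_SOURCE = "siemulator"  # value siemulator puts in the x-mock-source header/field


class NotSyntheticError(RuntimeError):
    """Raised when a response is not marked as siemulator output."""


class OffenseDeduper:
    """Consumer-side de-duplication keyed on siemulator's stable IDs.

    `_scenario_id` and `offense_id` survive replays, so a poller that sees the
    same offence twice (default polls, ?scenarios=replay, a re-run CI job)
    can drop it without heuristics.
    """

    def __init__(self) -> None:
        self.seen: set[tuple[str, int]] = set()
        self.accepted: list[dict] = []

    def ingest(self, headers: dict, body: str) -> int:
        """Process one /qradar/api/siem/offenses response; return the number of new offences."""
        # Header names are case-insensitive; normalise before checking the marker.
        hdrs = {k.lower(): v for k, v in headers.items()}
        if hdrs.get("x-mock-source") != MOCK_SOURCE:
            # Fail closed: a base URL mis-set to a real QRadar would otherwise
            # feed customer offences into a test pipeline.
            raise NotSyntheticError("response lacks x-mock-source: siemulator header")
        new = 0
        for offense in json.loads(body):
            if offense.get("x-mock-source") != MOCK_SOURCE:
                raise NotSyntheticError(f"record {offense.get('id')} lacks the mock marker")
            key = (offense["_scenario_id"], int(offense["offense_id"]))
            if key in self.seen:
                continue  # replayed offence, already handled
            self.seen.add(key)
            self.accepted.append(offense)
            new += 1
        return new


# Constructed sample polls (shape as on the page; not captured from a live instance).
MOCK_HEADERS = {"Content-Type": "application/json", "X-Mock-Source": "siemulator"}
POLL_1 = json.dumps([
    {"id": 90011, "offense_id": 90011, "_scenario_id": "S1", "severity": 5,
     "description": "Living-off-the-Land Supply Chain", "x-mock-source": "siemulator"},
    {"id": 90012, "offense_id": 90012, "_scenario_id": "S2", "severity": 4,
     "description": "Credential Access chain", "x-mock-source": "siemulator"},
])
POLL_2 = json.dumps([  # a replay: S1 again, plus one offence not seen before
    {"id": 90011, "offense_id": 90011, "_scenario_id": "S1", "severity": 5,
     "description": "Living-off-the-Land Supply Chain", "x-mock-source": "siemulator"},
    {"id": 90013, "offense_id": 90013, "_scenario_id": "TEST-A", "severity": 3,
     "description": "Advanced tradecraft", "x-mock-source": "siemulator"},
])


def run_demo() -> tuple[int, int, int]:
    """Ingest two polls; returns (new in poll 1, new in poll 2, total accepted)."""
    deduper = OffenseDeduper()
    first = deduper.ingest(MOCK_HEADERS, POLL_1)
    second = deduper.ingest(MOCK_HEADERS, POLL_2)
    return first, second, len(deduper.accepted)


if __name__ == "__main__":
    print(run_demo())  # (2, 1, 3)
```

The marker check is deliberately strict on both layers: the header catches a wrong host, the per-record field catches a proxy or cache that strips headers but passes bodies through.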

SSE push surface

Real-time alert streaming via EventSource. Configurable rate, method-preserving, with monotonic event IDs. Test push-style ingestion in your SOAR without polling.

Chaos engineering

Inject configurable faults — ?inject_status=503, latency, malformed JSON. Three layers: per-request, env-default, live admin dials. Validate your consumer's failure handling.
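
The three injectors map onto three failure paths a consumer must survive: a 5xx status, a request that outlives the client timeout, and a 200 whose body is not valid JSON. The poller below is an added example (not siemulator's code) that handles all three with bounded retries, Retry-After awareness and exponential back-off, and is driven by a scripted stand-in for the HTTP call so it runs offline. Response, FetchTimeout, ConsumerGaveUp, scripted_fetch and the fault sequence are constructed for the example.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


class FetchTimeout(Exception):
    """Transport-level timeout (what ?inject_latency provokes once it exceeds the client timeout)."""


class ConsumerGaveUp(RuntimeError):
    """Raised when retries are exhausted or the failure is not retryable."""


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


RETRYABLE = {429, 502, 503, 504}


def poll_offenses(
    fetch: Callable[[], Response],
    max_attempts: int = 5,
    base_backoff: float = 0.5,
    sleep: Callable[[float], None] = time.sleep,
) -> tuple[list, list[float]]:
    """Fetch one offences page, surviving the faults siemulator can inject.

    Returns (parsed offences, list of back-off delays applied). `fetch` is any
    zero-argument callable that performs the HTTP request.
    """
    delays: list[float] = []
    for attempt in range(1, max_attempts + 1):
        resp: Optional[Response] = None
        try:
            resp = fetch()
        except FetchTimeout:
            reason = "timeout"
        else:
            if resp.status == 200:
                try:
                    return json.loads(resp.body), delays
                except json.JSONDecodeError:
                    reason = "malformed JSON"  # ?inject_malformed=1
            elif resp.status in RETRYABLE:
                reason = f"HTTP {resp.status}"  # ?inject_status=503
            else:
                # 401/403/404 etc.: retrying cannot help, fail loudly.
                raise ConsumerGaveUp(f"non-retryable HTTP {resp.status}")
        if attempt == max_attempts:
            raise ConsumerGaveUp(f"gave up after {attempt} attempts: {reason}")
        # Honour Retry-After when the server sends one, else back off exponentially.
        retry_after = resp.headers.get("Retry-After") if resp else None
        delay = float(retry_after) if retry_after else base_backoff * 2 ** (attempt - 1)
        delays.append(delay)
        sleep(delay)
    raise ConsumerGaveUp("unreachable")  # the loop always returns or raises


def scripted_fetch(script: list) -> Callable[[], Response]:
    """Constructed stand-in for an HTTP call: replays a scripted fault sequence."""
    outcomes = iter(script)

    def fetch() -> Response:
        outcome = next(outcomes)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome

    return fetch


# Constructed fault sequence mirroring the page's three injectors, then success.
CHAOS_SCRIPT = [
    Response(503, "", {"Retry-After": "1"}),              # ?inject_status=503
    FetchTimeout(),                                       # ?inject_latency=2000 past the client timeout
    Response(200, '{"id": 90011, "offense_id"'),          # ?inject_malformed=1 (truncated JSON)
    Response(200, '[{"id": 90011, "offense_id": 90011, "_scenario_id": "S1"}]'),
]


def run_demo() -> tuple[list, list[float]]:
    """Drive the poller through CHAOS_SCRIPT without sleeping for real."""
    return poll_offenses(scripted_fetch(CHAOS_SCRIPT), sleep=lambda _s: None)


if __name__ == "__main__":
    offenses, delays = run_demo()
    print(offenses, delays)  # [{'id': 90011, ...}] [1.0, 1.0, 2.0]
```

Injecting `fetch` and `sleep` is what makes the failure handling testable in CI: the same function runs against siemulator with ?inject_… parameters, or against the scripted sequence with no network at all.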

Record / replay / diff

Capture every (request, response) pair. Diff two consumer-version runs to detect behavior regressions. Replay captured responses verbatim to snapshot-pin siemulator's own output.

Token-redacting access log

Per-request capture (timestamp, path, status, latency, IP, UA) with auth channels logged as names only — Bearer / SEC / query token values are never stored. Pinned by regression test.

How it works

One process, three surface mounts, one shared scenario library. No external dependencies. pip install or docker run and you're done.

Your consumer (SOAR · agent · CI)
  ├── /logscale/*   Falcon LogScale · Humio REST
  ├── /qradar/*     IBM QRadar · offences + Ariel
  └── /splunk/*     Splunk Enterprise · REST search
        all three mounts read from one shared scenario library:
        38 scenarios · 6 detection templates · MITRE ATT&CK mapped

Three knobs at every layer

  • Auth Bearer · SEC · ?token=
  • Mode ?scenarios=all|batch|replay|mix
  • Faults ?inject_status / ?inject_latency / ?inject_malformed

Per-request meta-channels

  • Replay ?replay_from=<session>
  • Capture POST /api/sessions/<name>/start
  • Observe GET /api/access-log/stats

Use cases

For SOAR vendors

Validate ingestion across SIEM shapes

Point your XSOAR / Splunk SOAR / Resilient connector at siemulator and exercise three vendor shapes from one fixture. Snapshot-pin the response shape in CI.

?scenarios=all + /api/sessions/<run>/start

For detection engineers

Drive playbooks deterministically

38 scenarios with stable offence IDs let you reproduce the same incident stream every CI run. Diff two consumer versions to catch regressions before prod.

GET /api/sessions/diff?a=v1&b=v2

For AI security teams

Test agent chains end-to-end

Multi-source narratives (S1: Proofpoint→Defender→CrowdStrike→Zscaler) let agents practice correlation across vendors. Real-TI fixtures (ENRICH) test the enrichment path.

?scenarios=batch for slow-drip / ?scenarios=replay for bulk

For training labs

Reproducible analyst exercises

Reset the served-scenarios set, replay the same chain every cohort. EICAR + WannaCry + Tor egress + Shodan scanner cover the full disposition spectrum.

POST /qradar/_debug/reset_scenarios

Quickstart

Local-dev tokens default to logscale-dev-token (for /logscale/*) and qradar-dev-token (for /qradar/*, sent in the SEC header as in the fault-injection examples). Quickstart requests:

  • Health check (no auth required)
  • LogScale alerts
  • QRadar offences (5 synthetic offences in default mode):
      curl "/qradar/api/siem/offenses" -H "SEC: qradar-dev-token"
  • All 38 multi-source attack scenarios at once:
      curl "/qradar/api/siem/offenses?scenarios=all" -H "SEC: qradar-dev-token"
  • Splunk oneshot search

Live alert ticker Server-Sent Events · same-origin

Streams synthetic alerts from /logscale/api/v1/repositories/detections/stream, consumable with the browser's EventSource API or any SSE client, at one alert per rate seconds. The stream closes cleanly when the client disconnects.
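
An added, stand-alone SSE consumer for that stream (example code, not siemulator's): a minimal text/event-stream parser following the EventSource framing rules, a check that event IDs strictly increase (the assertion the page's "monotonic event IDs" promise lets a consumer make), and the Last-Event-ID header a non-browser client sends to resume after a dropped connection. The event name alert, the JSON payload shape and the sample stream are constructed assumptions, not siemulator's documented wire format.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class SseEvent:
    id: Optional[str]
    event: str
    data: str


class EventIdRegression(ValueError):
    """Raised when an event ID does not increase (duplicate or out-of-order push)."""


def parse_sse(stream: str) -> list[SseEvent]:
    """Minimal text/event-stream parser following the EventSource framing rules:
    events end at a blank line, ':' lines are comments/keepalives, multiple
    'data:' lines are joined with newlines, and the last 'id:' seen persists."""
    events: list[SseEvent] = []
    last_id: Optional[str] = None
    event_type, data_lines = "message", []
    for raw in stream.split("\n"):
        line = raw.rstrip("\r")
        if line == "":  # end of one event
            if data_lines:
                events.append(SseEvent(last_id, event_type, "\n".join(data_lines)))
            event_type, data_lines = "message", []
            continue
        if line.startswith(":"):  # comment / keepalive, ignored
            continue
        field_name, _, value = line.partition(":")
        if value.startswith(" "):  # a single leading space is stripped per spec
            value = value[1:]
        if field_name == "id":
            last_id = value
        elif field_name == "event":
            event_type = value
        elif field_name == "data":
            data_lines.append(value)
    return events


def consume_alerts(stream: str) -> tuple[list[dict], int]:
    """Decode 'alert' events and enforce strictly increasing IDs.

    Returns (alerts, last_id). last_id is what a reconnecting client sends back
    as Last-Event-ID (a browser EventSource does this automatically)."""
    alerts: list[dict] = []
    last_seen = -1
    for ev in parse_sse(stream):
        if ev.event != "alert" or ev.id is None:
            continue
        n = int(ev.id)
        if n <= last_seen:
            raise EventIdRegression(f"event id {n} after {last_seen}")
        last_seen = n
        alerts.append(json.loads(ev.data))
    return alerts, last_seen


def resume_headers(last_id: int) -> dict:
    """Headers a non-browser client sends to resume after a dropped connection."""
    return {"Accept": "text/event-stream", "Last-Event-ID": str(last_id)}


# Constructed stream body (not captured from a real siemulator instance); the
# second event spans two data: lines to exercise the join rule.
SAMPLE_STREAM = (
    ": keepalive\n\n"
    "id: 1\nevent: alert\ndata: {\"_scenario_id\": \"S1\", \"severity\": 5}\n\n"
    "id: 2\nevent: alert\ndata: {\"_scenario_id\": \"S1\",\ndata:  \"severity\": 4}\n\n"
    "id: 3\nevent: alert\ndata: {\"_scenario_id\": \"TEST-A\", \"severity\": 3}\n\n"
)


if __name__ == "__main__":
    alerts, last = consume_alerts(SAMPLE_STREAM)
    print(len(alerts), last, resume_headers(last))  # 3 3 {...'Last-Event-ID': '3'}
```

A monotonic-ID check is cheap insurance for push-style ingestion: a replayed or re-ordered event after a reconnect shows up as a regression here rather than as a duplicate incident downstream.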

Failure injection chaos engineering · admin-gated

Inject configurable faults to test how your consumer handles 5xx, rate-limits, slow responses, and corrupt JSON. Per-request overrides need no admin key: attach a ?inject_… param to any request.

Try a one-shot fault on any endpoint:

curl -i "/qradar/api/help?inject_status=503"
curl -i "/qradar/api/help?inject_latency=2000"
curl -i "/qradar/api/siem/offenses?inject_malformed=1" -H "SEC: qradar-dev-token"

Env-default fault rates are live-tunable through the admin endpoints (admin key required).

Multi-source attack scenarios

The S and TEST batches hold twenty-two hand-crafted offences. S1–S5 are multi-alert narrative chains (e.g. S1 spans 5 alerts across Proofpoint → Defender → CrowdStrike → Zscaler); TEST-A through TEST-J are single-offence advanced-tradecraft scenarios. The DEMO, SCAN and ENRICH batches bring the library to 38 scenarios.

Detection templates (6, MITRE ATT&CK mapped)

Rotating pool drawn on by LogScale /alerts and QRadar default-mode /offenses. Every alert response picks a random template, so a multi-response poll shows variety across the pool.

Tactic | Technique | Detection name | Severity
TA0006 Credential Access | T1003.001 LSASS Memory | Credential Dumping via Mimikatz | Critical
TA0002 Execution | T1059.001 PowerShell | Suspicious PowerShell with Base64 Encoded Command | High
TA0008 Lateral Movement | T1021.002 SMB Admin Shares | Lateral Movement via PsExec | High
TA0001 Initial Access | T1566.001 Spearphishing Attachment | Phishing — Suspicious Outlook Attachment | Medium
TA0011 Command and Control | T1071.001 Web Protocols | Beaconing C2 Traffic to Known Bad Domain | Critical
TA0003 Persistence | T1547.001 Registry Run Keys | Suspicious File Write to Startup Folder | Medium

Endpoint inventory

Admin debug endpoints (require X-Admin-Key):
  • GET /qradar/_debug/recent: last 100 requests
  • POST /qradar/_debug/reset_scenarios: clear the served-set so ?scenarios=all replays from the start
  • GET /qradar/_debug/scenarios_state: served vs remaining

Record / replay / diff regression testing · admin-gated

Capture every (request, response) pair into a named session, then diff two sessions to detect consumer-behaviour regressions. Snapshot-pin siemulator's own output by replaying captured responses via ?replay_from=<session> on any bound endpoint.
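
Both the feature card above and this section describe diffing two captured sessions; the function below is an added example of that comparison (not siemulator's /api/sessions/diff implementation, whose output format the page does not show). It lines up captured (request, response) pairs by method, path and occurrence so repeated polls compare one-to-one, then reports dropped or new requests, status changes and top-level JSON shape changes. The record layout and both sessions are constructed.

```python
import json


def _index(session: list[dict]) -> dict[tuple, dict]:
    """Key each captured pair by (method, path, n-th occurrence) so repeated
    polls of the same endpoint line up one-to-one between two sessions.
    `path` is assumed to include the query string."""
    counts: dict[tuple, int] = {}
    index: dict[tuple, dict] = {}
    for rec in session:
        k = (rec["method"], rec["path"])
        counts[k] = counts.get(k, 0) + 1
        index[(rec["method"], rec["path"], counts[k])] = rec
    return index


def _shape(body: str) -> str:
    """Reduce a response body to its top-level JSON key set (first element for arrays)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "non-json"
    if isinstance(doc, list):
        doc = doc[0] if doc else {}
    return ",".join(sorted(doc)) if isinstance(doc, dict) else type(doc).__name__


def diff_sessions(a: list[dict], b: list[dict]) -> list[str]:
    """Compare two captured sessions; an empty result means no regression.

    Request-level findings (dropped / new requests) point at consumer behaviour
    changes; status and shape findings point at changed server output."""
    ia, ib = _index(a), _index(b)
    findings: list[str] = []
    for key in sorted(ia.keys() | ib.keys()):
        label = f"{key[0]} {key[1]} #{key[2]}"
        ra, rb = ia.get(key), ib.get(key)
        if ra is None:
            findings.append(f"{label}: only in b (new request)")
        elif rb is None:
            findings.append(f"{label}: only in a (request dropped)")
        elif ra["status"] != rb["status"]:
            findings.append(f"{label}: status {ra['status']} -> {rb['status']}")
        elif _shape(ra["body"]) != _shape(rb["body"]):
            findings.append(f"{label}: response shape {_shape(ra['body'])} -> {_shape(rb['body'])}")
    return findings


# Constructed sessions (not captured from a live instance). v2 drops the
# _scenario_id field on the second poll, gets a 403 on /qradar/api/help and
# issues one request v1 never made.
OFFENSE_V1 = '[{"id": 90011, "offense_id": 90011, "_scenario_id": "S1", "severity": 5}]'
OFFENSE_V2 = '[{"id": 90011, "offense_id": 90011, "severity": 5}]'

SESSION_V1 = [
    {"method": "GET", "path": "/qradar/api/siem/offenses", "status": 200, "body": OFFENSE_V1},
    {"method": "GET", "path": "/qradar/api/siem/offenses", "status": 200, "body": OFFENSE_V1},
    {"method": "GET", "path": "/qradar/api/help", "status": 200, "body": "{}"},
]
SESSION_V2 = [
    {"method": "GET", "path": "/qradar/api/siem/offenses", "status": 200, "body": OFFENSE_V1},
    {"method": "GET", "path": "/qradar/api/siem/offenses", "status": 200, "body": OFFENSE_V2},
    {"method": "GET", "path": "/qradar/api/help", "status": 403, "body": "{}"},
    {"method": "GET", "path": "/api/access-log/stats", "status": 200, "body": "{}"},
]


if __name__ == "__main__":
    for line in diff_sessions(SESSION_V1, SESSION_V2):
        print(line)
```

Comparing key sets rather than full bodies keeps the diff stable across siemulator's randomised template picks while still catching a dropped field such as _scenario_id, which is exactly the kind of change that silently breaks a consumer's de-duplication.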

Diff two sessions (request-stream regression) with GET /api/sessions/diff?a=<session>&b=<session>.

Access log who consumed what · admin-gated

Every request to /logscale/* and /qradar/* is captured with timestamp, method, path, redacted query, auth channel, client IP, user-agent, status, duration, and response size. Token values are never recorded; only the channel name (bearer / sec / query / none) is kept.
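
This section and the earlier "Token-redacting access log" card make the same promise: channel name only, never the value. The added example below (not siemulator's logger) shows one way to build such an entry from the page's three auth channels, plus a regression check that asserts no secret ever lands in the serialised record. Channel precedence (bearer over SEC over query), the field names and the sample request are assumptions made for the example.

```python
import json
import time
from urllib.parse import parse_qsl, urlencode

# Query keys whose values must never reach disk. Assumption: siemulator's query
# channel is ?token=; extend the set for any other secret-bearing parameter.
SECRET_QUERY_KEYS = {"token"}


def auth_channel(headers: dict, query_string: str) -> str:
    """Name the auth channel used, without ever touching the credential value.
    Precedence bearer > sec > query is this example's assumption."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("authorization", "").lower().startswith("bearer "):
        return "bearer"
    if "sec" in h:
        return "sec"
    if any(k in SECRET_QUERY_KEYS for k, _ in parse_qsl(query_string, keep_blank_values=True)):
        return "query"
    return "none"


def redact_query(query_string: str) -> str:
    """Keep non-secret parameters (useful for debugging ?scenarios= and ?inject_*
    usage) but replace secret values with a fixed marker."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SECRET_QUERY_KEYS else v) for k, v in pairs])


def access_log_entry(method: str, path: str, query_string: str, headers: dict,
                     client_ip: str, user_agent: str, status: int,
                     duration_ms: float, size: int) -> dict:
    """Build one access-log record carrying the fields the page lists."""
    return {
        "ts": time.time(),
        "method": method,
        "path": path,
        "query": redact_query(query_string),
        "auth_channel": auth_channel(headers, query_string),
        "client_ip": client_ip,
        "user_agent": user_agent,
        "status": status,
        "duration_ms": duration_ms,
        "bytes": size,
    }


def entry_leaks(entry: dict, secrets: list[str]) -> bool:
    """Regression check: does any secret value appear anywhere in the serialised entry?"""
    blob = json.dumps(entry)
    return any(s in blob for s in secrets)


# Constructed request: SEC header plus a token echoed in the query string,
# the worst case for a naive logger that stores the raw URL.
SAMPLE_ENTRY = access_log_entry(
    "GET", "/qradar/api/siem/offenses", "scenarios=all&token=qradar-dev-token",
    {"SEC": "qradar-dev-token", "User-Agent": "xsoar/6"},
    "10.0.0.5", "xsoar/6", 200, 12.5, 4096,
)


if __name__ == "__main__":
    print(json.dumps(SAMPLE_ENTRY, indent=2))
    print("leaks:", entry_leaks(SAMPLE_ENTRY, ["qradar-dev-token"]))  # leaks: False
```

Redaction is done at construction time rather than at write time, so there is no window in which a record holding the raw token exists to be copied into a debug dump or a crash report.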