Event record analysis platform for Security Operations and Detection Engineering teams.
Event Mill is an open-source platform for analyzing unfamiliar event sources before committing to full SIEM integration. It lives upstream of the SIEM — in the gap between “we just got access to a new event source” and “we have a parser, field mappings, and detection rules in production.”
- New source triage: Speed up initial analysis of unfamiliar event sources to determine whether they contain enough security-relevant information to warrant engineering investment.
- Incident-time analysis: During incidents, analysts receive event artifacts (logs, PCAPs, audit exports) for unfamiliar systems. Event Mill helps gain context quickly without requiring full knowledge of the event record structure.
Event Mill uses a three-layer architecture:

```
┌─────────────────────────────────────────────────────────────┐
│  FRAMEWORK LAYER                                            │
│  CLI • Session Management • LLM Orchestration • Routing     │
│  Artifact Registry • Plugin Lifecycle • Cloud Abstraction   │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│  PLUGIN LAYER                                               │
│  Self-describing tools following EventMillToolProtocol      │
│  Organized by investigation pillar                          │
└─────────────────────────────────────────────────────────────┘
                              │
┌─────────────────────────────────────────────────────────────┐
│  ROUTING LAYER                                              │
│  Controls which plugins are visible to LLM per request      │
│  Prevents context bloat from full tool catalog              │
└─────────────────────────────────────────────────────────────┘
```
| Pillar | Purpose | Status |
|---|---|---|
| log_analysis | Event source triage, threat intel ingestion, image analysis | MVP |
| network_forensics | PCAP triage, firewall log analysis | MVP |
| threat_modeling | Shostack 4-question framework, attack path visualization | MVP |
| cloud_investigation | Cloud audit log analysis | Post-MVP |
| risk_assessment | Risk scoring, control effectiveness | Post-MVP |
```bash
# Clone the repository
git clone https://github.com/dleecefft/event_mill.git
cd event_mill

# Install with pip (quoted so the extras bracket survives shells like zsh)
pip install -e ".[all]"

# Or install specific components
pip install -e ".[dev,plugins-log-analysis]"
```

```bash
# Copy example environment file
cp .env.example .env

# Edit with your API keys and settings
# Required: GEMINI_API_KEY, ANTHROPIC_API_KEY, or OPENAI_API_KEY
```

```bash
# Start the CLI
eventmill

# Or run directly
python -m framework.cli.shell
```
```
event_mill/
├── framework/              # Framework layer
│   ├── cli/                # Metasploit-style command shell
│   ├── session/            # Session management (SQLite)
│   ├── routing/            # Plugin routing and filtering
│   ├── llm/                # MCP client and LLM orchestration
│   ├── artifacts/          # Artifact registry
│   ├── plugins/            # Plugin lifecycle management
│   ├── reference_data/     # MITRE ATT&CK, attack chains, vetted sources
│   ├── logging/            # Structured logging
│   └── cloud/              # Cloud abstraction (GCP, local)
├── plugins/                # Plugin layer
│   ├── log_analysis/
│   ├── network_forensics/
│   ├── cloud_investigation/
│   ├── risk_assessment/
│   └── threat_modeling/
├── tests/                  # Test suites
├── scripts/                # CI and utility scripts
├── docs/                   # Documentation
│   ├── specs/              # Normative specifications
│   ├── guides/             # User guides
│   └── reference/          # Reference documentation
└── workspace/              # Runtime data (gitignored)
```
Plugins are self-describing tools following the EventMillToolProtocol. Each plugin provides:

- `manifest.json` — Metadata, capabilities, schemas
- `tool.py` — Protocol implementation
- `schemas/` — Input/output JSON schemas
- `examples/` — Request/response examples
- `tests/` — Contract tests

See Plugin Development Guide and Tool Plugin Spec.
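The routing layer above exposes only a slice of the plugin catalog to the LLM per request, and each plugin's manifest is what makes that selection possible. The following is an added illustration, not Event Mill's own router or manifest schema: it scores a handful of constructed manifest-like records against a request, hides zero-score and Post-MVP plugins by default, and caps how many tools the model sees. The field names (`name`, `pillar`, `capabilities`, `status`), the hint table and the scoring rule are all assumptions.

```python
"""Illustrative plugin router: choose which tools an LLM sees for one request.
Not Event Mill's own router; manifest field names and scoring are assumptions."""
import re

# Constructed sample records shaped loosely like a manifest.json might be.
MANIFESTS = [
    {"name": "log_triage", "pillar": "log_analysis",
     "capabilities": ["event source triage", "field discovery", "syslog"]},
    {"name": "pcap_triage", "pillar": "network_forensics",
     "capabilities": ["pcap triage", "dns", "tls", "conversation summary"]},
    {"name": "firewall_logs", "pillar": "network_forensics",
     "capabilities": ["firewall log analysis", "denied connections"]},
    {"name": "shostack_model", "pillar": "threat_modeling",
     "capabilities": ["threat model", "attack path visualization"]},
    {"name": "cloud_audit", "pillar": "cloud_investigation", "status": "post-mvp",
     "capabilities": ["cloud audit log analysis", "iam"]},
]

# Words in a request that hint at an investigation pillar (assumed mapping).
PILLAR_HINTS = {
    "pcap": "network_forensics", "firewall": "network_forensics",
    "syslog": "log_analysis", "log": "log_analysis",
    "threat model": "threat_modeling", "cloud": "cloud_investigation",
}


def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def score(manifest, request):
    """Capability keyword overlap plus a bonus when the request names the pillar."""
    req, text = _tokens(request), request.lower()
    caps = set().union(*(_tokens(c) for c in manifest["capabilities"]))
    s = len(req & caps)
    s += sum(2 for hint, pillar in PILLAR_HINTS.items()
             if hint in text and manifest["pillar"] == pillar)
    return s


def route(request, manifests=MANIFESTS, limit=2, include_post_mvp=False):
    """Names of at most `limit` plugins to expose, best first; zero scores are hidden.
    Post-MVP plugins stay hidden unless the caller opts in."""
    eligible = [m for m in manifests
                if include_post_mvp or m.get("status") != "post-mvp"]
    ranked = sorted(eligible, key=lambda m: (-score(m, request), m["name"]))
    return [m["name"] for m in ranked if score(m, request) > 0][:limit]
```

The pillar bonus is deliberately coarse: a PCAP request also surfaces the firewall-log tool, which is the trade-off between recall and context size that a real router's scoring has to tune.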
| Document | Purpose |
|---|---|
| Grounding Document | Strategic context and MVP scope |
| Framework Architecture | Component responsibilities and data flow |
| Tool Plugin Spec | Normative plugin contract |
| Router Design | Routing architecture and scoring |
Contributions welcome! Please read the plugin development guide before submitting new tools.
```bash
# Run tests
pytest

# Validate manifests
python scripts/validate_manifests.py

# Validate schemas
python scripts/validate_schemas.py
```
Event Mill is maintained by a small group of security practitioners focused on detection engineering, incident response, and cyber threat-informed detection.
Current maintainers:
Please use GitHub Issues for bug reports, feature requests, and design discussions. Pull Requests are welcome, especially for new plugins, artifact parsers, investigation workflows, documentation improvements, and test coverage.
Apache License 2.0. See LICENSE for details.