A lightweight, fully functional SIEM built in Python that ingests real Linux and firewall logs, detects attack patterns, classifies them using the MITRE ATT&CK framework, and visualizes everything in a real-time web dashboard with VirusTotal IP enrichment.
Built as a hands-on SOC portfolio project during a career transition from 10 years in physical security operations to cybersecurity.
- Log Ingestion — Parses Linux `auth.log` and UFW firewall logs into a normalized format
- Threat Detection Engine — 5 detection rules with configurable thresholds:
  - 🔴 SSH Brute Force (≥5 failed logins in 5 min)
  - 🟠 Port Scan (≥8 distinct ports in 2 min)
  - 🔴 Privilege Escalation (suspicious sudo commands)
  - 🔴 Credential Dumping (`/etc/shadow` access)
  - 🟡 Off-Hours Login (connections outside business hours)
- MITRE ATT&CK Mapping — Every alert tagged with technique ID and tactic
- Real-Time Dashboard — Flask web app with Chart.js visualizations
- VirusTotal Enrichment — On-demand IP reputation lookup via VT API v3
| Rule | MITRE ID | Tactic | Severity |
|---|---|---|---|
| SSH Brute Force | T1110 | Credential Access | 🔴 HIGH |
| Port Scan | T1046 | Discovery | 🟡 MEDIUM |
| Privilege Escalation | T1548 | Privilege Escalation | 🔴 CRITICAL |
| Credential Dumping | T1003 | Credential Access | 🔴 CRITICAL |
| Off-Hours Login | T1078 | Initial Access | 🟡 MEDIUM |
| Layer | Technology |
|---|---|
| Backend | Python 3.11, Flask |
| Data Processing | Pandas |
| Frontend | HTML, CSS, JavaScript, Chart.js |
| Threat Intelligence | VirusTotal API v3 |
| Framework | MITRE ATT&CK |
| Environment | python-dotenv |
```bash
git clone https://github.com/NSVEXL/siem-lite.git
cd siem-lite
pip install -r requirements.txt
cp .env.example .env
# Edit .env and add your VT API key
# Get a free key at: https://www.virustotal.com/gui/my-apikey
python app.py
```

Open your browser at http://localhost:5000
```text
siem-lite/
├── app.py                      # Flask web application
├── requirements.txt
├── .env.example
├── logs/
│   └── samples/
│       ├── auth.log            # Sample Linux auth log
│       └── firewall.log        # Sample UFW firewall log
├── src/
│   ├── parser/
│   │   └── log_parser.py       # Log ingestion & normalization
│   ├── detector/
│   │   └── detection_engine.py # Threat detection rules
│   └── enrichment/
│       └── vt_enrichment.py    # VirusTotal API integration
└── templates/
    └── dashboard.html          # Web dashboard
```
- Parse — Raw log files are parsed with regex patterns and normalized into a common schema (timestamp, event_type, source_ip, user, details)
- Detect — The detection engine applies rule-based logic with time-window analysis to identify attack patterns
- Classify — Each alert is mapped to a MITRE ATT&CK technique and tactic
- Visualize — Flask renders the dashboard with real-time charts and a sortable alert feed
- Enrich — On-demand VirusTotal lookups provide threat intelligence context for suspicious IPs
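The Parse → Detect → Classify steps above, shown end to end for the SSH brute-force rule (≥5 failures from one source IP within a 5-minute window). This is an added example, not code from the siem-lite repository; it assumes the standard syslog `sshd` "Failed password" line layout and uses constructed sample log lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the classic syslog auth.log layout (assumed format).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.42 port 50122 ssh2
Mar  3 10:00:04 host sshd[1202]: Failed password for root from 203.0.113.42 port 50123 ssh2
Mar  3 10:01:10 host sshd[1203]: Failed password for root from 203.0.113.42 port 50124 ssh2
Mar  3 10:02:30 host sshd[1204]: Failed password for invalid user test from 203.0.113.42 port 50125 ssh2
Mar  3 10:03:45 host sshd[1205]: Failed password for root from 203.0.113.42 port 50126 ssh2
Mar  3 10:03:50 host sshd[1206]: Accepted password for alice from 192.168.1.10 port 40000 ssh2
Mar  3 10:10:00 host sshd[1207]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 11:00:00 host sshd[1208]: Failed password for root from 198.51.100.7 port 40002 ssh2
"""

# Regex for sshd authentication failures; "invalid user" is optional in real logs.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failed_logins(text, year=2024):
    """Parse step: normalize sshd failures into (timestamp, source_ip, user) tuples.
    syslog omits the year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def detect_brute_force(events, threshold=5, window_sec=300):
    """Detect + Classify steps: sliding time window per source IP; one alert per IP
    once `threshold` failures fall inside `window_sec`, tagged with the MITRE technique."""
    windows = defaultdict(deque)
    alerts, flagged = [], set()
    for ts, ip, _user in sorted(events):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({"rule": "BRUTE_FORCE", "severity": "HIGH", "source_ip": ip,
                           "count": len(q), "mitre_id": "T1110", "tactic": "Credential Access"})
    return alerts
```

Only 203.0.113.42 is flagged: its five failures span 224 seconds, while 198.51.100.7's two failures are 50 minutes apart and age out of the window.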
```text
[CRITICAL] PRIVILEGE_ESCALATION | local | T1548
[CRITICAL] CREDENTIAL_DUMP | local | T1003
[HIGH ] BRUTE_FORCE | 203.0.113.42 | T1110
[HIGH ] BRUTE_FORCE | 192.168.1.105 | T1110
[MEDIUM ] PORT_SCAN | 203.0.113.42 | T1046
[MEDIUM ] SUSPICIOUS_LOGIN | 185.220.101.5 | T1078
```
Real VirusTotal result:
`185.220.101.5` → MALICIOUS — 11 engines flagged, reputation -16, Tor exit node (DE)
- Phase 1 — Log parser (auth.log + firewall logs)
- Phase 2 — Threat detection engine with MITRE ATT&CK mapping
- Phase 3 — Web dashboard with Chart.js visualizations
- Phase 4 — VirusTotal IP enrichment
- Phase 5 — Windows Event Log support
- Phase 6 — Export alerts to CSV/PDF report
Built by Nelson Silva Valderas as a hands-on SOC portfolio project.
10 years in physical security operations → Cybersecurity transition. This project applies real SOC analyst workflows: log ingestion, correlation, alert triage, and threat intelligence enrichment.