// project
Python SIEM
A lightweight command-line SIEM that parses SSH, web, firewall, and Windows logs, runs detection rules, stores alerts in MySQL, and integrates with the IOC database for automatic threat correlation.
Detection Rules
[HIGH] SSH Brute Force: 5+ failed SSH login attempts from the same IP within a configurable time window.
[MED]  Web Scanner / 404 Flood: 20+ HTTP 404 responses returned to the same client IP, indicative of automated directory enumeration.
[HIGH] Port Scan Detected: the same source IP hitting 10+ unique destination ports in firewall logs.
[CRIT] Windows New Service Installed: Event ID 7045 — frequently used for malware persistence and privilege escalation.
[CRIT] IOC Database Match: the source IP matches an active entry in the local IOC database. Fires automatically during ingestion.
Toolchain Architecture
Log files
    |
    v
siem.py ingest            # parse logs, run rules, fire alerts
    |
    +-- checks ioc_db.py  # cross-reference every IP seen
    |
    v
MySQL alerts              # persistent alert storage
    |
    v
siem.py dashboard         # terminal overview
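The rules listed above and the ingest step of the diagram, worked through as an added example. This is not the project's own siem.py or ioc_db.py; the log formats (syslog-style sshd lines, combined-format web access lines, iptables-style firewall lines, Windows events as dicts), the field names, the thresholds' defaults and the in-memory IOC set are all assumptions, and every log line below is constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample input (not real logs) -------------------------------
SSH_LINES = [
    f"Jan 10 10:00:{s:02d} host sshd[1{s}]: Failed password for root from 203.0.113.5 port 50{s} ssh2"
    for s in (1, 3, 5, 7, 9)
] + [
    "Jan 10 10:00:11 host sshd[120]: Failed password for bob from 198.51.100.9 port 5106 ssh2",
    "Jan 10 10:12:00 host sshd[121]: Failed password for bob from 198.51.100.9 port 5107 ssh2",
]
WEB_LINES = [
    f'203.0.113.7 - - [10/Jan/2024:10:05:{i % 60:02d} +0000] "GET /admin{i} HTTP/1.1" 404 153'
    for i in range(22)
] + ['198.51.100.2 - - [10/Jan/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 2326']
FW_LINES = [
    f"Jan 10 10:07:00 fw kernel: DROP IN=eth0 SRC=192.0.2.66 DST=10.0.0.5 PROTO=TCP DPT={p}"
    for p in range(20, 31)
] + ["Jan 10 10:07:05 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=22"]
WIN_EVENTS = [
    {"EventID": 7045, "ServiceName": "updsvc", "ImagePath": r"C:\Users\Public\u.exe"},
    {"EventID": 4624, "TargetUserName": "alice"},
]
IOC_IPS = {"192.0.2.66"}  # constructed IOC list standing in for the ioc_db.py lookup

# --- Parsers (assumed formats) ----------------------------------------------
SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .* Failed password for .* from (\d+\.\d+\.\d+\.\d+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')
FW_RE = re.compile(r"SRC=(\S+) .*DPT=(\d+)")


def ssh_timestamp(text):
    # syslog lines carry no year; the ingestion year is assumed here
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2024)


# --- Rules ------------------------------------------------------------------
def rule_ssh_brute_force(lines, threshold=5, window_seconds=300):
    """HIGH: threshold+ failed logins from one IP inside a sliding time window."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            fails[m.group(2)].append(ssh_timestamp(m.group(1)))
    alerts = []
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("HIGH", "SSH Brute Force", ip))
                break  # one alert per IP per ingestion pass
    return alerts


def rule_404_flood(lines, threshold=20):
    """MED: threshold+ HTTP 404 responses returned to one client IP."""
    counts = defaultdict(int)
    for line in lines:
        m = WEB_RE.match(line)
        if m and m.group(2) == "404":
            counts[m.group(1)] += 1
    return [("MED", "Web Scanner / 404 Flood", ip) for ip, n in counts.items() if n >= threshold]


def rule_port_scan(lines, threshold=10):
    """HIGH: one source IP hitting threshold+ distinct destination ports."""
    ports = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return [("HIGH", "Port Scan Detected", ip) for ip, p in ports.items() if len(p) >= threshold]


def rule_new_service(events):
    """CRIT: Windows Event ID 7045, a new service installed."""
    return [("CRIT", "Windows New Service Installed", e.get("ServiceName", "?"))
            for e in events if e.get("EventID") == 7045]


def rule_ioc_match(seen_ips, ioc_ips):
    """CRIT: any source IP seen during ingestion that is an active IOC."""
    return [("CRIT", "IOC Database Match", ip) for ip in sorted(seen_ips & ioc_ips)]


def collect_ips(ssh_lines, web_lines, fw_lines):
    """Every source IP seen in any log, for cross-referencing against the IOC set."""
    ips = set()
    ips.update(m.group(2) for m in map(SSH_RE.match, ssh_lines) if m)
    ips.update(m.group(1) for m in map(WEB_RE.match, web_lines) if m)
    ips.update(m.group(1) for m in map(FW_RE.search, fw_lines) if m)
    return ips


def ingest(ssh_lines=SSH_LINES, web_lines=WEB_LINES, fw_lines=FW_LINES,
           win_events=WIN_EVENTS, ioc_ips=IOC_IPS):
    """Run every rule once over the inputs and return the alert list."""
    return (rule_ssh_brute_force(ssh_lines) + rule_404_flood(web_lines)
            + rule_port_scan(fw_lines) + rule_new_service(win_events)
            + rule_ioc_match(collect_ips(ssh_lines, web_lines, fw_lines), ioc_ips))


if __name__ == "__main__":
    for sev, rule, subject in ingest():
        print(f"[{sev:4}] {rule}: {subject}")
```

The brute-force rule uses a sliding window over sorted timestamps rather than a flat count, so a slow trickle of failures spread over hours does not fire while five failures in a few seconds does; the second IP in the sample, with two failures twelve minutes apart, stays quiet. The IOC rule runs over the union of IPs from every source, which is why a scanner that is also on the IOC list raises both a HIGH and a CRIT alert.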