glantheman/Mini-SIEM
# Mini-SIEM
Local and friendly log triage and threat hunting in the browser. Upload **NDJSON**, **JSON**, **CSV/TSV**, or line-based **.txt/.log** files; explore events with filters, lenses, timelines, and a detail panel.
## Features
- **Ingest**: NDJSON (incl. Elasticsearch-style `_source`), JSON arrays, CSV/TSV with ECS-like column aliases, plain text one-event-per-line
- **Investigation**: Smart column lens, field pivots, include/exclude filters, IOC paste, free-text search (default columns or all fields)
- **UI**: Event stream + optional details panel, overview/timeline (multi-keyword OR filter, deduplicated counts), Investigation tab (signals, entities, case notes)
- **Charts**: Altair timelines with **time** and **date** on two axis lines
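As an added illustration of the ingest paths listed above (example code written for this README, not the project's own `siem/` module): a minimal loader that turns each supported upload format into a flat list of event dicts, unwrapping Elasticsearch-style `_source` and mapping CSV/TSV headers to ECS-like names. The `COLUMN_ALIASES` table, the `parse_events` name and the `fmt` labels are assumptions.

```python
import csv
import io
import json

# Illustrative CSV/TSV header aliases -> ECS-like field names (assumed, not the
# project's own alias table).
COLUMN_ALIASES = {
    "src_ip": "source.ip", "source_ip": "source.ip",
    "dst_ip": "destination.ip", "dest_ip": "destination.ip",
    "hostname": "host.name", "user": "user.name", "msg": "message",
    "time": "@timestamp", "timestamp": "@timestamp",
}


def _normalize_row(row: dict) -> dict:
    """Rename CSV/TSV columns to their ECS-like names; keep unknown columns as-is."""
    return {COLUMN_ALIASES.get(k.strip().lower(), k.strip()): v for k, v in row.items()}


def parse_events(text: str, fmt: str) -> list[dict]:
    """Parse an uploaded file body; fmt is one of ndjson, json, csv, tsv, txt."""
    if fmt == "ndjson":
        events = []
        for line in text.splitlines():
            if not line.strip():
                continue
            obj = json.loads(line)
            # Elasticsearch exports wrap the event in _source; unwrap it but keep _id.
            if isinstance(obj, dict) and isinstance(obj.get("_source"), dict):
                src = dict(obj["_source"])
                if "_id" in obj:
                    src.setdefault("_id", obj["_id"])
                obj = src
            events.append(obj)
        return events
    if fmt == "json":
        data = json.loads(text)
        # Accept a bare array or a single top-level object.
        return data if isinstance(data, list) else [data]
    if fmt in ("csv", "tsv"):
        delim = "," if fmt == "csv" else "\t"
        reader = csv.DictReader(io.StringIO(text), delimiter=delim)
        return [_normalize_row(r) for r in reader]
    if fmt == "txt":
        # One event per line; the raw line becomes the ECS-like message field.
        return [{"message": ln} for ln in text.splitlines() if ln.strip()]
    raise ValueError(f"unsupported format: {fmt}")
```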
## Requirements
- Python **3.10+**
- Dependencies: see [`requirements.txt`](requirements.txt)
## Setup
```bash
python -m venv .venv
```

**Windows (PowerShell)**

```powershell
.\.venv\Scripts\Activate.ps1
pip install -r requirements.txt
```

**macOS / Linux**

```bash
source .venv/bin/activate
pip install -r requirements.txt
```
## Run
```bash
streamlit run app.py
```
Then open the URL shown in the terminal (usually `http://localhost:8501`).
## Configuration
- **Theme**: [`.streamlit/config.toml`](.streamlit/config.toml) — dark theme and accent colors
- **Streamlit secrets**: if you use `st.secrets`, create `.streamlit/secrets.toml` locally — it is **gitignored**; do not commit secrets
## Repository layout
| Path | Purpose |
|------|--------|
| `app.py` | Streamlit entrypoint |
| `siem/` | Parsing, filters, flattening, lenses, charts |
| `.streamlit/config.toml` | App/theme defaults (safe to commit) |
| `sample_logs.ndjson` | Tiny sample for smoke testing |
## Security & privacy
- **This repository** is intended to contain only generic UI/theme settings and **fictional** sample data (`sample_logs.ndjson` uses [RFC 5737 documentation IPs](https://datatracker.ietf.org/doc/html/rfc5737) and placeholder host/user names).
- Do not commit real incident exports, credentials, customer data, or `.streamlit/secrets.toml`.
- Optional settings belong in **environment variables** (e.g. a local `.env`) or a **local** `secrets.toml`; both files are listed in `.gitignore`.
- Before pushing to GitHub, run a quick search for accidental secrets, e.g. `git grep -i password`, or use your org’s secret scanner (a plain grep only catches the literal word; a scanner also matches token and key patterns).
## License
[MIT](LICENSE)