GitHub: Sidd-28/siem-log-correlation-engine
# SIEM Log Correlation Engine
A multi-source **Security Information and Event Management (SIEM)** system built in Python that ingests, parses, and correlates logs from multiple sources into a unified schema — with a real-time SOC dashboard replicating core analyst workflows.
## 🔍 What It Does
- Ingests **SSH authentication logs, web server access logs, system events, and application logs** into a unified JSON schema
- Runs a **7-rule behavioral correlation engine** to detect:
  - SSH brute-force attacks
  - Credential stuffing
  - Web directory scanning
  - SQL injection campaigns
  - After-hours logins
  - Lateral movement indicators
  - Data exfiltration indicators
- Provides a **real-time SOC dashboard** with:
  - Live alert feed with severity-based triage
  - Per-IP attack chain reconstruction
  - 24-hour timeline visualization
  - Automated incident report generation
## 🛠️ Tech Stack
| Layer | Tools |
|---|---|
| Backend | Python, Flask |
| Log Parsing | Regex, JSON |
| Dashboard | Chart.js, HTML/CSS |
| Detection Engine | Custom rule engine |
## 🚀 Getting Started
```bash
git clone https://github.com/Sidd-28/siem-log-correlation-engine
cd siem-log-correlation-engine
pip install -r requirements.txt
python app.py
```
Then open `http://localhost:5000` to access the SOC dashboard.
## 📁 Project Structure
```
siem-log-correlation-engine/
├── app.py                  # Flask app + dashboard routes
├── parser/
│   ├── ssh_parser.py       # SSH log ingestion
│   ├── web_parser.py       # Web server log ingestion
│   └── system_parser.py    # System event ingestion
├── engine/
│   └── correlation.py      # 7-rule detection engine
├── templates/
│   └── dashboard.html      # SOC dashboard UI
└── reports/                # Auto-generated incident reports
```
## 📸 Dashboard Features
- **Alert Feed** — live stream of triggered detections with severity labels
- **Attack Chain View** — per-source-IP reconstruction of multi-stage attacks
- **Timeline** — 24-hour visualization of alert frequency
- **Incident Reports** — auto-generated summaries for detected threats
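
The following is an added, self-contained example and not code from this repository. It illustrates three pieces described above: mapping SSH auth lines and web access lines onto one unified JSON-style schema (the ingestion step under "What It Does"), two of the windowed detections (SSH brute force and web directory scanning) plus a stateless after-hours login rule, and the per-source-IP reconstruction behind the Attack Chain View. The sample log lines are constructed, and the schema field names, rule names, thresholds and windows are assumptions made here; the project's own `parser/` modules and `engine/correlation.py` may use different ones.

```python
"""Added example (not the project's own code): unified-schema parsing,
three correlation rules, and per-IP attack chain reconstruction."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real captures. Syslog lines carry no year,
# so the SSH parser assumes 2024 to line up with the web log timestamps.
SSH_LINES = [
    "Mar 10 02:14:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar 10 02:14:03 bastion sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar 10 02:14:05 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "Mar 10 02:14:08 bastion sshd[1204]: Failed password for deploy from 203.0.113.7 port 51125 ssh2",
    "Mar 10 02:14:11 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2",
    "Mar 10 02:15:00 bastion sshd[1206]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2",
]
WEB_LINES = [
    '203.0.113.7 - - [10/Mar/2024:02:20:01 +0000] "GET /admin HTTP/1.1" 404 162',
    '203.0.113.7 - - [10/Mar/2024:02:20:02 +0000] "GET /backup/ HTTP/1.1" 404 162',
    '203.0.113.7 - - [10/Mar/2024:02:20:02 +0000] "GET /old/ HTTP/1.1" 404 162',
    '203.0.113.7 - - [10/Mar/2024:02:20:03 +0000] "GET /test/ HTTP/1.1" 404 162',
    '198.51.100.4 - - [10/Mar/2024:02:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

SSH_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_ssh(line, year=2024):
    """Map one sshd syslog line onto the unified schema; None if it is not an auth outcome."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "ssh", "src_ip": m["ip"], "user": m["user"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success", "raw": line}


def parse_web(line):
    """Map one combined-format access log line onto the unified schema."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # UTC offset dropped for brevity
    return {"ts": ts, "source": "web", "src_ip": m["ip"], "path": m["path"],
            "status": int(m["status"]), "raw": line}


def to_json(event):
    """Serialise a unified event as the JSON record a dashboard would consume."""
    return json.dumps({**event, "ts": event["ts"].isoformat()})


def window_rule(events, name, severity, predicate, threshold, window_s, distinct=None):
    """Fire one alert per source IP when >= threshold events matching `predicate`
    fall inside a sliding window of `window_s` seconds. `distinct`, if given, keys
    events so that repeats (e.g. the same 404 path) count only once."""
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if predicate(e):
            per_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in per_ip.items():
        if distinct:
            seen, uniq = set(), []
            for e in evs:
                if distinct(e) not in seen:
                    seen.add(distinct(e))
                    uniq.append(e)
            evs = uniq
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1  # slide the window forward until it spans <= window_s
            if end - start + 1 >= threshold:
                alerts.append({"rule": name, "severity": severity, "src_ip": ip, "count": end - start + 1,
                               "first_seen": evs[start]["ts"], "last_seen": evs[end]["ts"]})
                break  # one alert per IP per rule; a production engine would keep sliding
    return alerts


def after_hours_rule(events, start_hour=8, end_hour=18):
    """Stateless rule: a successful SSH login outside business hours (assumed 08:00-18:00)."""
    return [{"rule": "after_hours_login", "severity": "low", "src_ip": e["src_ip"], "count": 1,
             "first_seen": e["ts"], "last_seen": e["ts"]}
            for e in events
            if e["source"] == "ssh" and e["outcome"] == "success" and not start_hour <= e["ts"].hour < end_hour]


RULES = [  # thresholds and windows are assumptions for this illustration
    dict(name="ssh_brute_force", severity="high", threshold=5, window_s=60,
         predicate=lambda e: e["source"] == "ssh" and e["outcome"] == "failure"),
    dict(name="web_directory_scan", severity="medium", threshold=4, window_s=60,
         predicate=lambda e: e["source"] == "web" and e["status"] == 404, distinct=lambda e: e["path"]),
]


def correlate(events):
    alerts = after_hours_rule(events)
    for rule in RULES:
        alerts.extend(window_rule(events, **rule))
    return alerts


def attack_chain(alerts):
    """Per-source-IP reconstruction: each IP's rule hits in order of first occurrence."""
    chains = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["first_seen"]):
        chains[a["src_ip"]].append(a["rule"])
    return dict(chains)


def run_demo():
    events = [e for e in map(parse_ssh, SSH_LINES) if e] + [e for e in map(parse_web, WEB_LINES) if e]
    alerts = correlate(events)
    return events, alerts, attack_chain(alerts)


if __name__ == "__main__":
    events, alerts, chains = run_demo()
    print(to_json(events[0]))
    for a in alerts:
        print(f"[{a['severity']:6}] {a['rule']:20} {a['src_ip']:15} x{a['count']} "
              f"{a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S}")
    print(chains)
```

Running the script prints one unified JSON record, three alerts (the brute force and directory scan from `203.0.113.7`, the after-hours login from `198.51.100.4`) and the per-IP chains. The `distinct` key on the scan rule is the detail that matters operationally: without it, one broken link refreshed a few times would trip the same threshold as a path enumeration.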