Mahammad-Huseynov/Host-Based-SIEM-SOAR-Prototype

GitHub: Mahammad-Huseynov/Host-Based-SIEM-SOAR-Prototype

Stars: 2 | Forks: 0

# Host-Based SIEM/SOAR Active Defense Console

A prototype of a host-based SIEM/SOAR system designed for real-time Windows Event monitoring, threat detection, and automated incident response.

## 📊 Proof of Concept (PoC)

### 1. System Initialization & GUI

The system loads its configuration from `.env` and displays an active defense console.

![Console GUI](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/79b2b36ddf151812.png)
![System Status](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/34e92298e1151818.png)
![Initialization](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/010cebd523151824.png)

### 2. Brute-Force Attack Detection

A simulated SMB brute-force attack, driven by `smbclient`, is detected and logged in real time.

![Brute-Force Attack](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/658d533f31151830.png)

### 3. Automated Mitigation (SOAR)

Once the threshold (5 failed attempts) is reached, the SOAR engine dynamically adds a Windows Firewall rule blocking the attacking source and notifies the SOC team over Discord.

![Firewall Mitigation](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/db2c92081a151836.png)
![Discord Notification](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/f321d859a4151842.png)

### 4. Anti-Forensic & User Management

Suspicious activities, including clearing of the Security log (Event ID 1102) and unauthorized account creation (Event ID 4720), trigger critical alerts on Discord.

![Log Clearing](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/3ae0821d85151847.png)
![User Management](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/3273dfe716151854.png)

## 🛠️ Usage

1. Clone the repository.
2. Configure your `.env` file with your `DISCORD_WEBHOOK_URL`.
3. Run with Administrator privileges (needed to read the Security log and to add firewall rules): `python backend_runner.py`

## 📜 License

Distributed under the MIT License. See `LICENSE` for more information.
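The detection and mitigation flow from PoC steps 2 through 4 (count failed logons per source, block at the threshold, escalate 1102 and 4720 as critical) as a self-contained worked example. This is added illustration code, not the prototype's own `backend_runner.py`; it assumes the brute-force rule keys on Security Event ID 4625 (an account failed to log on), that events arrive as already-parsed dicts, and that blocking is done with `netsh advfirewall`. The sample events are constructed, and the firewall command is built as an argv list but not executed.

```python
"""Host-based SIEM/SOAR detection logic demo (added example, not the project's code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Threshold taken from the README: block after 5 failed attempts.
BRUTE_FORCE_THRESHOLD = 5

# Standard Windows Security log event IDs. That the prototype keys its
# brute-force counter on 4625 is an assumption of this example.
EVENT_LOGON_FAILED = 4625
EVENT_LOG_CLEARED = 1102
EVENT_USER_CREATED = 4720


@dataclass
class Alert:
    severity: str
    title: str
    detail: str


@dataclass
class SoarEngine:
    """Per-source failure counting plus the block/alert decisions."""
    threshold: int = BRUTE_FORCE_THRESHOLD
    failed_logons: dict = field(default_factory=lambda: defaultdict(int))
    blocked_ips: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    firewall_commands: list = field(default_factory=list)

    def process(self, event: dict) -> Optional[Alert]:
        eid = event.get("EventID")
        if eid == EVENT_LOGON_FAILED:
            return self._handle_failed_logon(event)
        if eid == EVENT_LOG_CLEARED:
            # Anti-forensics: the Security log was wiped. Always critical.
            return self._alert("CRITICAL", "Security log cleared (1102)",
                               f"cleared by {event.get('SubjectUserName', '?')}")
        if eid == EVENT_USER_CREATED:
            return self._alert("CRITICAL", "User account created (4720)",
                               f"{event.get('SubjectUserName', '?')} created "
                               f"{event.get('TargetUserName', '?')}")
        return None

    def _handle_failed_logon(self, event: dict) -> Optional[Alert]:
        ip = validate_remote_ip(event.get("IpAddress", "-"))
        if ip is None:
            return None
        self.failed_logons[ip] += 1
        if self.failed_logons[ip] >= self.threshold and ip not in self.blocked_ips:
            self.blocked_ips.add(ip)
            self.firewall_commands.append(build_block_rule(ip))
            return self._alert("HIGH", f"Brute-force from {ip}",
                               f"{self.failed_logons[ip]} failed logons; inbound block rule added")
        return None

    def _alert(self, severity: str, title: str, detail: str) -> Alert:
        alert = Alert(severity, title, detail)
        self.alerts.append(alert)
        return alert


def validate_remote_ip(raw: str) -> Optional[str]:
    """Return a normalized address only if it is a real, non-local IP.
    4625 records console/local failures with IpAddress '-' or '::1'; blocking
    those would lock the host out of itself. Parsing with ipaddress also
    guarantees the value is safe to place in the netsh command below."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return None
    return str(addr)


def build_block_rule(ip: str) -> list:
    """argv for an inbound Windows Firewall block rule. Run it with
    subprocess.run(cmd) (no shell) so nothing from the event log can
    become a command."""
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=SIEM-Block-{ip}", "dir=in", "action=block", f"remoteip={ip}"]


# Constructed sample events in the shape of parsed Security-log records.
SAMPLE_EVENTS = (
    [{"EventID": 4625, "IpAddress": "192.168.56.101", "TargetUserName": "administrator"}] * 6
    + [{"EventID": 4625, "IpAddress": "-", "TargetUserName": "alice"}]              # local failure, ignored
    + [{"EventID": 4625, "IpAddress": "10.0.0.7; calc.exe", "TargetUserName": "x"}]  # malformed, rejected
    + [{"EventID": 1102, "SubjectUserName": "attacker"},
       {"EventID": 4720, "SubjectUserName": "attacker", "TargetUserName": "backdoor"}]
)


def run(events=SAMPLE_EVENTS) -> SoarEngine:
    engine = SoarEngine()
    for ev in events:
        engine.process(ev)
    return engine


if __name__ == "__main__":
    e = run()
    for a in e.alerts:
        print(f"[{a.severity}] {a.title}: {a.detail}")
    for cmd in e.firewall_commands:
        print("would run:", " ".join(cmd))
```

Two details matter in a real deployment: the block fires once per source (the sixth failure does not add a duplicate rule), and the source address is validated before it ever reaches `netsh`, since the fields in a 4625 record such as the target user name are attacker-chosen text and must never be interpolated into a shell string.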