A comprehensive Security Operations Center (SOC) platform that detects, analyzes, and responds to cybersecurity threats in real-time. IntelSOC leverages advanced threat intelligence and pattern matching to identify malicious activities, generate professional incident reports, and provide actionable insights for security teams.
- Real-time Log Analysis: Process and analyze security logs for suspicious patterns
- Multi-vector Threat Detection: Identify various attack types (brute force, SQL injection, DDoS, unauthorized access, etc.)
- Intelligent Alerting: Generate severity-based alerts (Critical, High, Medium, Low)
- IP Reputation Tracking: Maintain and manage IP blocklists
- Attack Metrics: Track attack trends and statistics over time
- Professional PDF Reports: Generate comprehensive incident reports with executive summaries
- One-Click Download: Download latest report directly from dashboard
- Report Management: View, organize, and download all historical reports
- Executive Summary: Key metrics for management briefings
- Detailed Threat Analysis: Complete breakdown of detected threats
- Incident Response Documentation: Automated response actions and analyst guidance
- Live Metrics: Real-time threat statistics and alerts
- Charts & Analytics: Visual representation of threat distribution
- Alert Feed: Latest security incidents and alerts
- Quick Access: One-button report download from main dashboard
- Python 3.7 or higher
- pip (Python package manager)
- Windows, Linux, or macOS
# Navigate to project directory
cd ThreatDetection
# Install required packages
pip install -r requirements.txt
# Check Python version
python --version
# Verify Flask is installed
python -c "import flask; print('Flask version:', flask.__version__)"
# Verify ReportLab is installed
python -c "import reportlab; print('ReportLab version:', reportlab.__version__)"
Windows:
run.bat
Linux/Mac:
python app.py
Manual Start (All Platforms):
python app.py
* Serving Flask app 'backend.app'
* Debug mode: on
* Running on http://127.0.0.1:5000
Access IntelSOC at: http://localhost:5000
When you open IntelSOC, you'll see:
- Metrics Cards: Total alerts, critical incidents, high-severity attacks, blocked IPs
- Severity Distribution: Pie chart showing threat distribution
- Attack Types: Bar chart showing attack frequency
- Recent Alerts: Feed of latest detected threats
- SOC Incident Report: Quick download button for latest report
- Click "Upload Logs" in the navigation bar
- Select a log file (text format)
- IntelSOC analyzes the logs for threats
- Detected threats appear on dashboard
Example Log Format:
[2024-01-15 10:23:45] Login attempt from 192.168.1.100
[2024-01-15 10:24:12] Multiple failed passwords detected from 10.0.0.50
[2024-01-15 10:25:33] SQL injection attempt detected in query parameter
[2024-01-15 10:26:01] DDoS traffic spike from 203.0.113.42
- Click "Alerts" in the navigation bar
- View all detected security incidents
- See severity level, detection time, and alert details
- Each alert shows:
- Alert ID and timestamp
- Source IP and attack type
- Severity classification
- Detection confidence
- Scroll down to "SOC Incident Report" card
- Click "⬇️ Download Latest"
- Latest report PDF downloads automatically
- Click "Manage Reports" button on dashboard OR navigate to: http://localhost:5000/reports
- Click "Generate Incident Report" button
- System generates PDF with current threat data
- Report appears in "Latest Report" section
- Click download button
- Go to Reports page
- See "All Reports" table listing every generated report
- Each row shows:
- Report filename
- Generation date and time
- File size
- Download button
- Download any historical report
Each PDF incident report contains:
Executive Summary
- Critical incident count
- High-severity incident count
- Total attacks detected
- IP addresses blocked
Incident Statistics
- Breakdown by severity level
- Metrics in professional table format
Detected Threats
- Attack types identified
- Attack frequency and distribution
Incident Response
- Blocked IP addresses and block reasons
- Automated response actions
SOC Analyst Guidance
- Investigation steps to follow
- Escalation criteria
- Documentation requirements
app.py - Main Flask Application
- HTTP request handling
- Route management
- API endpoints
threat_engine.py - Threat Detection Engine
- Pattern matching for threats
- Log analysis algorithms
- Alert generation
- Attack classification
report_generator.py - Report Generation Module
- PDF creation with ReportLab
- Report formatting and styling
- File management
json_handler.py - Data Management
- JSON file operations
- Data persistence
- Alert/attack storage
email_service.py - Email Integration
- Alert notifications (optional)
- Report distribution
Dashboard (index.html)
- Main interface
- Metrics display
- Quick report download
- Navigation
Reports Page (reports.html)
- Report management UI
- Generate/download interface
- Report history listing
- Status updates
Alerts Page (alerts.html)
- Alert viewing interface
- Detailed alert information
- Filtering and sorting
Upload Page (upload.html)
- Log file upload interface
- File selection
- Upload progress
Styling (static/css/style.css)
- Dark SOC-themed design
- Responsive layout
- Professional appearance
JavaScript (static/js/dashboard.js)
- Real-time metric updates
- Interactive charts
- Report download functionality
- User feedback
data/alerts.json
- Detected security incidents
- Alert details and timestamps
data/attacks.json
- Attack type records
- Attack frequency tracking
data/blocklist.json
- Blocked IP addresses
- Block reasons and timestamps
data/stats.json
- Statistical information
- Metrics and aggregations
reports/ folder
- Generated PDF reports
- Timestamped filenames
GET /api/dashboard/metrics
{
"total_alerts": 42,
"critical_count": 3,
"high_count": 8,
"medium_count": 15,
"low_count": 16,
"total_blocked_ips": 12,
"attacks": {...}
}
POST /api/reports/generate
- Generates new incident report
- Returns success status and filename
GET /api/reports/latest
{
"success": true,
"filename": "IntelSOC_Incident_Report_20240115_143022.pdf",
"size": 45678,
"timestamp": "2024-01-15 14:30:22"
}
GET /api/reports/list
{
"success": true,
"reports": [
{
"filename": "IntelSOC_Incident_Report_20240115_143022.pdf",
"size": 45678,
"timestamp": "2024-01-15 14:30:22"
}
]
}
GET /api/reports/download/<filename>
- Downloads PDF file directly
- Example:
/api/reports/download/IntelSOC_Incident_Report_20240115_143022.pdf
GET /api/alerts
- Returns list of all alerts
GET /api/attacks
- Returns attack statistics
GET /api/blocklist
- Returns blocked IP addresses
- Open dashboard each morning
- Check metric cards for overnight activity
- Review alert feed
- Download latest report for team briefing
- Share PDF with security team
- Receive security alert notification
- Go to Alerts page for details
- Analyze threat data on dashboard
- Generate incident report
- Document in PDF for incident response team
- Archive report for compliance
- Receive new security logs
- Click "Upload Logs"
- Select and upload log file
- Wait for analysis (2-5 seconds)
- View detected threats on dashboard
- Review in Alerts section
- Download report with findings
- Go to Reports page
- View all reports for compliance period
- Download reports needed for audit
- Combine PDFs into audit package
- Submit to compliance team
- Archive for records
- Threat Validation: Each detected threat is verified against known patterns
- IP Reputation: Maintained blocklist of malicious IPs
- File Security:
- Filename validation on downloads
- Directory traversal prevention
- Secure file serving with proper headers
- Audit Logging: All operations logged for compliance
- Data Persistence: Secure JSON storage of alerts and threats
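As an added example (not IntelSOC's own code), this shows how the filename validation and directory traversal prevention listed above can be implemented for the GET /api/reports/download/<filename> endpoint; the strict report-name pattern is assumed from the README's sample filename, and the function names and the throw-away folder in demo() are constructed for the illustration:

```python
import os
import re
import tempfile

# Report filename shape taken from the README's example
# (IntelSOC_Incident_Report_20240115_143022.pdf); the strict pattern is an assumption.
REPORT_NAME_RE = re.compile(r"^IntelSOC_Incident_Report_\d{8}_\d{6}\.pdf$")

def resolve_report_path(reports_dir, filename):
    """Absolute path of an existing report inside reports_dir, or None to refuse.
    Two independent layers: an allow-list on the name (separators, '..' and odd
    extensions never pass) and a realpath containment check, so a symlink placed
    inside reports/ cannot redirect the download outside the folder."""
    if not isinstance(filename, str) or not REPORT_NAME_RE.fullmatch(filename):
        return None
    base = os.path.realpath(reports_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Compare the parent directory, not a string prefix: "reports_old" must not pass.
    if os.path.dirname(candidate) != base or not os.path.isfile(candidate):
        return None
    return candidate

def demo():
    """Builds a temporary reports/ folder and probes the resolver with good and bad names."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = os.path.join(tmp, "reports")
        os.mkdir(reports)
        good = "IntelSOC_Incident_Report_20240115_143022.pdf"
        with open(os.path.join(reports, good), "wb") as f:
            f.write(b"%PDF-1.4\n")  # constructed stand-in for a generated report
        outside = os.path.join(tmp, "outside.txt")  # one level above reports/
        with open(outside, "w") as f:
            f.write("not a report")
        link = os.path.join(reports, "IntelSOC_Incident_Report_20240101_000000.pdf")
        try:  # valid-looking name that is really a symlink pointing outside
            os.symlink(outside, link)
            symlinked = resolve_report_path(reports, os.path.basename(link))
        except OSError:  # platforms without symlink support
            symlinked = None
        return {
            "valid": resolve_report_path(reports, good) == os.path.realpath(os.path.join(reports, good)),
            "traversal": resolve_report_path(reports, "../outside.txt"),
            "absolute": resolve_report_path(reports, outside),
            "missing": resolve_report_path(reports, "IntelSOC_Incident_Report_19990101_000000.pdf"),
            "extra_ext": resolve_report_path(reports, good + ".txt"),
            "symlink": symlinked,
        }
```

In a Flask route the resolved path (or a 404 when None is returned) would then be served with send_from_directory(reports_dir, filename, as_attachment=True), which sets the download headers.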
- Flask Debug Mode: ON (development)
- Update Interval: 10 seconds
- Report Format: PDF
- Storage Location: /reports/ directory
Create .env file for sensitive configuration:
FLASK_ENV=development
FLASK_DEBUG=True
REPORT_FOLDER=./reports
Solution:
# Use different port
python app.py --port 5001
# Or find process using port 5000 and kill it
Solution:
pip install reportlab==4.0.4
Solution:
- Refresh browser (Ctrl+F5)
- Check browser console for errors (F12)
- Restart application:
python app.py
Solution:
- Ensure log file is in text format
- Check file permissions
- Verify uploads folder exists
- Check logs match expected format
Solution:
# Create manually
mkdir reports
# Or generate a report (creates folder automatically)
Solution:
- Check /reports folder exists
- Verify app has write permissions
- Refresh browser
- Check Python console for errors
- Check browser console (F12)
- Active exploitation attempts
- Data breach indicators
- Unauthorized system access
- Action: Immediate investigation and response
- Multiple failed authentication attempts
- Known exploit patterns
- Suspicious command execution
- Action: Investigate within 1 hour
- Unusual traffic patterns
- Policy violations
- Suspicious but not confirmed threats
- Action: Monitor and investigate
- Benign suspicious activity
- Informational alerts
- Policy deviations
- Action: Log and monitor
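The following is an added example, not IntelSOC's own threat_engine.py, showing how the bracketed log format from the Upload Logs section can be parsed and classified into attack types carrying the severity levels above; the signatures, the severity mapping and the brute-force threshold are assumptions chosen to follow the README's guide, and the sample lines beyond the four the README shows are constructed:

```python
import re
from collections import Counter
# Log line shape shown in the README: "[YYYY-MM-DD HH:MM:SS] message"
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FAILED_LOGIN_RE = re.compile(r"failed (?:password|login)", re.I)
BRUTE_FORCE_THRESHOLD = 3  # assumed: this many failed logins from one IP per batch
# (pattern, attack_type, severity); mapping assumed from the README's severity guide:
# active exploitation -> Critical, failed authentication -> High, unusual traffic -> Medium.
SIGNATURES = [
    (re.compile(r"sql injection|union\s+select", re.I), "sql_injection", "Critical"),
    (re.compile(r"multiple failed passwords|brute.?force", re.I), "brute_force", "High"),
    (re.compile(r"ddos|traffic spike", re.I), "ddos", "Medium"),
]

def analyze_logs(text):
    """One alert dict per signature hit, plus one aggregated brute-force alert per noisy IP."""
    alerts, failed_by_ip = [], Counter()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skipped rather than turned into an alert
        ts, msg = m.groups()
        ip_match = IPV4_RE.search(msg)
        ip = ip_match.group(0) if ip_match else None
        for pat, attack, severity in SIGNATURES:
            if pat.search(msg):
                alerts.append({"timestamp": ts, "source_ip": ip, "attack_type": attack, "severity": severity})
                break
        else:  # no signature hit: count repeated failed logins per source IP
            if ip and FAILED_LOGIN_RE.search(msg):
                failed_by_ip[ip] += 1
    for ip, n in failed_by_ip.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append({"timestamp": None, "source_ip": ip, "attack_type": "brute_force",
                           "severity": "High", "count": n})
    return alerts

def severity_counts(alerts):  # the shape the dashboard metric cards summarise
    return dict(Counter(a["severity"] for a in alerts))

# Constructed sample: the README's four lines, three failed logins, and one malformed line.
SAMPLE_LOGS = """\
[2024-01-15 10:23:45] Login attempt from 192.168.1.100
[2024-01-15 10:24:12] Multiple failed passwords detected from 10.0.0.50
[2024-01-15 10:25:33] SQL injection attempt detected in query parameter
[2024-01-15 10:26:01] DDoS traffic spike from 203.0.113.42
[2024-01-15 10:27:10] Failed login for admin from 198.51.100.7
[2024-01-15 10:27:12] Failed login for admin from 198.51.100.7
[2024-01-15 10:27:15] Failed login for admin from 198.51.100.7
this line is not in the expected format
"""
```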
- Total Alerts: Number of security incidents detected
- Critical Count: High-priority incidents requiring immediate action
- High Count: Important threats needing investigation
- Medium Count: Moderate-priority alerts for monitoring
- Low Count: Informational alerts
- Blocked IPs: Number of IP addresses in blocklist
Logs Uploaded → Threat Detection Engine → Alerts Generated
↓
Dashboard Display
↓
Report Generation on Demand
↓
PDF Download & Archive
ThreatDetection/
├── app.py                  # Main application (DO NOT EDIT)
├── main.py                 # Entry point
├── requirements.txt        # Python dependencies
├── run.bat                 # Windows startup script
├── README.md               # This file
│
├── backend/
│   ├── app.py              # Flask application
│   ├── threat_engine.py    # Threat detection logic
│   ├── report_generator.py # PDF generation
│   ├── json_handler.py     # Data management
│   └── email_service.py    # Email integration
│
├── static/
│   ├── css/
│   │   └── style.css       # Dashboard styling
│   └── js/
│       └── dashboard.js    # Frontend JavaScript
│
├── templates/
│   ├── index.html          # Dashboard page
│   ├── alerts.html         # Alerts page
│   ├── reports.html        # Reports management
│   └── upload.html         # Log upload page
│
├── data/
│   ├── alerts.json         # Alert records
│   ├── attacks.json        # Attack statistics
│   ├── blocklist.json      # Blocked IPs
│   └── stats.json          # System metrics
│
├── reports/                # Generated PDF reports
└── uploads/                # Uploaded log files
- Clean Up Old Uploads: Regularly delete processed logs from uploads/ folder
- Archive Reports: Move old reports to external storage periodically
- Monitor Storage: Ensure disk space is available for reports
- Browser Cache: Clear cache if dashboard appears stale
- Database Maintenance: JSON files are compact but should be pruned occasionally
- Check browser console for errors: Press F12
- Review Python console output for backend errors
- Verify file permissions on reports/ and uploads/ folders
- Ensure all dependencies installed:
pip list
- Upload logs regularly for comprehensive threat tracking
- Generate reports weekly for compliance documentation
- Review alerts feed daily for quick threat assessment
- Use Reports page to manage and archive incidents
- Export and backup reports for permanent records
- Start application:
python app.py
- Upload sample logs
- Review detected threats
- Generate your first report
- Download and review PDF
IntelSOC is now installed and ready to use. Start monitoring your security threats and generating professional incident reports.
Next: Open http://localhost:5000 in your browser to begin!
IntelSOC - Log Based Threat Detection System
Professional Security Operations Center Platform