Modular SOC analyst toolkit with REST API backend and React frontend. Designed for day-to-day security operations: email triage, log investigation, and threat intelligence enrichment.

Upload .eml files for automated analysis:

• Header analysis - SPF/DKIM/DMARC verification, sender anomaly detection, Received chain tracing
• URL scanning - Pattern-based detection (brand impersonation, suspicious TLDs, shorteners) + VirusTotal/URLScan.io lookup
• Attachment scanning - Hash computation, double extension detection, VirusTotal/MalwareBazaar lookup
• Verdict engine - Automated risk scoring (0-100) with confidence level and actionable recommendations

Upload log files for threat detection:

• SSH logs - Brute force detection, failed/successful login correlation, attacker IP geolocation
• Web logs - SQL injection, path traversal, command injection, scanner/enumeration detection
• Windows Security logs - Event ID correlation (4625, 4697, 7045...), lateral movement detection, persistence mechanism alerts
• Alert engine - Severity-based alerts with AbuseIPDB enrichment and MITRE ATT&CK mapping

Extract indicators from threat reports, emails, and raw text:

• Supported IOC types - IPv4, domains, URLs, email addresses, MD5/SHA1/SHA256 hashes, CVE identifiers
• Input formats - PDF (threat reports), .eml (emails), plain text, HTML, CSV
• Enrichment - Automated validation via VirusTotal, AbuseIPDB, AlienVault OTX
• Context preservation - Surrounding text captured for each IOC

┌──────────────────────────────────────────────┐
│                  Frontend                     │
│            React + TypeScript + Vite          │
│         Tailwind CSS + shadcn/ui              │
└──────────────────┬───────────────────────────┘
                   │ REST API
┌──────────────────▼───────────────────────────┐
│                  Backend                      │
│              FastAPI (Python)                 │
│                                               │
│  ┌────────────┐ ┌──────────┐ ┌────────────┐  │
│  │  Phishing  │ │   Logs   │ │    IOC     │  │
│  │  Analyzer  │ │ Analyzer │ │ Extractor  │  │
│  └─────┬──────┘ └────┬─────┘ └─────┬──────┘  │
│        └──────────────┼─────────────┘         │
│                       │                       │
│  ┌────────────────────▼──────────────────┐    │
│  │           Integrations                │    │
│  │  VirusTotal │ AbuseIPDB │ Shodan      │    │
│  │  URLScan.io │ MalwareBazaar │ OTX     │    │
│  └───────────────────────────────────────┘    │
│                       │                       │
│  ┌────────────────────▼──────────────────┐    │
│  │     SQLite Cache + Rate Limiter       │    │
│  └───────────────────────────────────────┘    │
└──────────────────────────────────────────────┘

cp .env.example .env
# Edit .env with your API keys
docker compose up --build

• Frontend: http://localhost:3000
• Backend API: http://localhost:8000/api/docs

Backend:

cd backend
poetry install
cp ../.env.example ../.env
poetry run uvicorn api.app:app --reload

Frontend:

cd frontend
npm install
npm run dev

cd backend
poetry run python cli.py phishing suspicious_email.eml
poetry run python cli.py logs /var/log/auth.log --log-type ssh
poetry run python cli.py ioc threat_report.pdf

Full interactive docs at /api/docs (Swagger UI).

• JSON - Machine-readable, for SIEM import or further processing
• CSV - Spreadsheet-compatible, for IOC lists and alert tables
• PDF - Professional reports with severity badges, suitable for management

• Backend: Python 3.12, FastAPI, SQLAlchemy, Pydantic, WeasyPrint
• Frontend: React 18, TypeScript, Vite, Tailwind CSS, shadcn/ui
• Database: SQLite (API response caching)
• Deployment: Docker Compose
• CI/CD: GitHub Actions (Ruff linting, MyPy type checking, pytest)

MIT License - see LICENSE for details.