Eye of Odin: A High-Resilience Hybrid SIEM

Eye of Odin is a high-resilience, hybrid SIEM (Security Information and Event Management) system designed to ensure continuous network visibility, even when cloud services fail or API limits are reached.

The system follows a local-first security model, where sensitive data is processed close to its source while still enabling global access for monitoring and analysis.

Inspiration

Modern cybersecurity tools often depend heavily on cloud availability. This creates a risk: when connectivity fails or quotas are exhausted, visibility is lost.

The goal was to design a Hardened Security Operations Center (SOC) built around the principle of Local Data Gravity:

Process sensitive data locally + Provide secure remote visibility

This ensures:

Reduced data exposure

Faster analysis

Operational continuity during cloud disruptions

How It Was Built

The system architecture is divided into three functional layers.

  1. The Core (Local Processing Layer)

Running on an HP Victus 15 (Athena), this layer:

Ingests raw system and network logs

Normalizes and structures the data

Stores events in a local SQLite database

The ingestion flow can be summarized as:

Raw Logs → Parser → Normalized Events → SQLite
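The pipeline above, as an added example that is not the project's own code: it parses constructed sshd-style syslog lines into normalized events and stores them in SQLite with a parameterized insert. The line format, regexes, field names and table schema are assumptions for illustration; unparseable lines are counted rather than silently dropped, and timestamps are validated so a malformed line cannot poison later time-window queries.

```python
"""Local ingestion layer: raw log lines -> parser -> normalized events -> SQLite.

Added illustration; the log format, regexes and schema are assumptions,
not the project's own. Sample lines are constructed (not captured from a host).
"""
import re
import sqlite3
from datetime import datetime
from typing import Optional

# Constructed sample input in the style of an sshd auth log (not real data).
SAMPLE_LOGS = """\
2025-01-10T09:00:01Z athena sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2025-01-10T09:00:03Z athena sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
2025-01-10T09:00:09Z athena sshd[815]: Accepted publickey for ops from 198.51.100.5 port 40012 ssh2
2025-01-10T09:00:10Z athena kernel: [12345.67] usb 1-1: new high-speed USB device
this line is not parseable
"""

# Outer envelope: "<ts> <host> <proc>[pid]: <msg>"; inner regexes classify the message.
SYSLOG = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
AUTH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)")
AUTH_OK = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)")

# Assumed schema for the local store; the index serves time-window rule queries.
SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id INTEGER PRIMARY KEY,
    ts TEXT NOT NULL, host TEXT NOT NULL, proc TEXT NOT NULL,
    event_type TEXT NOT NULL, user TEXT, src_ip TEXT, raw TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_events_type_ts ON events (event_type, ts);
"""


def parse_line(line: str) -> Optional[dict]:
    """Normalize one raw line; return None if it is not syslog-shaped or its timestamp is invalid."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    try:
        datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None  # reject rather than store an unusable timestamp
    ev = {"ts": d["ts"], "host": d["host"], "proc": d["proc"],
          "event_type": "generic", "user": None, "src_ip": None, "raw": line.strip()}
    if (f := AUTH_FAIL.search(d["msg"])):
        ev.update(event_type="auth_failure", user=f["user"], src_ip=f["src_ip"])
    elif (a := AUTH_OK.search(d["msg"])):
        ev.update(event_type="auth_success", user=a["user"], src_ip=a["src_ip"])
    return ev


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the local SQLite event store."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def ingest(conn: sqlite3.Connection, lines) -> tuple:
    """Parse and store lines in one transaction; returns (stored, rejected)."""
    rows, rejected = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            rejected += 1
            continue
        rows.append((ev["ts"], ev["host"], ev["proc"], ev["event_type"],
                     ev["user"], ev["src_ip"], ev["raw"]))
    with conn:  # parameterized insert: log content never becomes SQL text
        conn.executemany(
            "INSERT INTO events (ts, host, proc, event_type, user, src_ip, raw) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return len(rows), rejected


def count_by_type(conn: sqlite3.Connection) -> dict:
    """Event counts per normalized type, straight from the store."""
    return dict(conn.execute("SELECT event_type, COUNT(*) FROM events GROUP BY event_type"))


if __name__ == "__main__":
    db = open_store()
    print(ingest(db, SAMPLE_LOGS.splitlines()))
    print(count_by_type(db))
```

Keeping the raw line alongside the normalized fields means a rule that fires later can always be traced back to the exact evidence, and the rejected count makes parser gaps visible instead of invisible.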

  2. The Detection Engine (Logic Layer)

This layer performs threat analysis using a multi-tier approach:

Signature Matching

$E \cap T \neq \emptyset \Rightarrow$ Known Threat Detected

Where:

$E$ = Incoming events

$T$ = Local threat database

Behavioral Analysis

The rule engine detects anomalies such as:

Mass authentication failures

Brute-force patterns

Suspicious activity bursts

Example threshold logic:

Failed Logins $> N$ within $\Delta t \Rightarrow$ Alert
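Both tiers of the detection engine, as an added example that is not the project's own code: `signature_match` implements $E \cap T \neq \emptyset$ by intersecting event indicator fields with an assumed local threat database, and `threshold_rule` is the general sliding-window burst rule of which "Failed Logins $> N$ within $\Delta t$" is one instance (the same function covers mass authentication failures and other activity bursts by changing the event type and grouping key). The events, the threat database, $N = 3$ and $\Delta t = 60$ s are all constructed assumptions.

```python
"""Detection engine over normalized events: signature matching (E ∩ T ≠ ∅)
and sliding-window threshold rules (failed logins > N within Δt).

Added illustration; events, threat indicators and thresholds are constructed
assumptions, not the project's data or rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 10, 9, 0, 0)

# Constructed normalized events E (same shape the ingestion layer would emit).
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(seconds=0),   "event_type": "auth_failure", "user": "admin", "src_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(seconds=2),   "event_type": "auth_failure", "user": "root",  "src_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(seconds=5),   "event_type": "auth_failure", "user": "root",  "src_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(seconds=7),   "event_type": "auth_failure", "user": "root",  "src_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(seconds=20),  "event_type": "auth_failure", "user": "root",  "src_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(seconds=30),  "event_type": "auth_failure", "user": "ops",   "src_ip": "198.51.100.5"},
    {"ts": T0 + timedelta(seconds=600), "event_type": "auth_failure", "user": "ops",   "src_ip": "198.51.100.5"},
    {"ts": T0 + timedelta(seconds=610), "event_type": "auth_success", "user": "ops",   "src_ip": "198.51.100.5"},
]

# Assumed local threat database T: known-bad indicator values keyed by event field.
THREAT_DB = {
    "src_ip": {"203.0.113.7", "192.0.2.44"},
    "user": {"admin", "guest"},
}

# Assumed brute-force parameters: more than N failures per source within Δt.
N_FAILURES = 3
WINDOW = timedelta(seconds=60)


def signature_match(events, threat_db):
    """Known threat detected when E ∩ T ≠ ∅ for at least one indicator field."""
    alerts = []
    for ev in events:
        hits = {field: ev[field] for field, bad in threat_db.items() if ev.get(field) in bad}
        if hits:
            alerts.append({"rule": "signature", "ts": ev["ts"], "indicators": hits})
    return alerts


def threshold_rule(events, event_type, key, n, window):
    """Generic burst rule: alert once per `key` value when more than `n` events
    of `event_type` fall inside a sliding window of length `window`."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_type"] != event_type:
            continue
        k = ev.get(key)
        q = recent[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # evict events older than Δt
            q.popleft()
        if len(q) > n and k not in alerted:      # fire once, not on every further failure
            alerted.add(k)
            alerts.append({"rule": f"{event_type}_burst", key: k, "count": len(q), "ts": ev["ts"]})
    return alerts


def run_detection(events):
    """Run both tiers and return their alerts keyed by tier."""
    return {
        "signature": signature_match(events, THREAT_DB),
        "brute_force": threshold_rule(events, "auth_failure", "src_ip", N_FAILURES, WINDOW),
    }


if __name__ == "__main__":
    for tier, alerts in run_detection(SAMPLE_EVENTS).items():
        print(tier, len(alerts), alerts[:1])
```

The rule fires on the fourth failure inside the window and then stays quiet for that source, which keeps a single brute-force run from generating hundreds of duplicate alerts; the two failures from 198.51.100.5 ten minutes apart never exceed the threshold.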

  3. The Dashboard (Cloud Visibility Layer)

Built with Next.js 15

Styled using Tailwind CSS

Displays real-time metrics and alerts

Connected to the local core via a secure Localtunnel bridge

This layer provides remote SOC visibility without exposing the raw infrastructure directly. Because Localtunnel publishes the local port on a public URL, the tunnel is only as secure as the authentication the core enforces on that port; the dashboard should never be the only thing standing between the internet and the event store.

Challenges Faced

Local-to-Cloud Connectivity

Bridging the local core (listening on port 8000) to the public dashboard deployment required careful handling of terminal paths and environment configuration. Migrating from Ngrok to Localtunnel gave a stable data channel.

Type Safety and Build Stability

Deployment was blocked by TypeScript errors caused by missing environment type definitions. Installing the required type packages enabled a clean production build.

API Resilience

The system was designed to remain operational even during API quota exhaustion.

If API Status = Unavailable, then System Mode = Local Processing Only.

This fallback mechanism allowed the system to process over 1000 log events without service interruption.
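The fallback described above, as an added example that is not the project's own code: a pipeline that enriches events through an external API while it answers, switches to local-only processing the moment the API reports quota exhaustion, and re-probes the API after a cooldown so it can recover without a restart (a circuit-breaker pattern). The API client, the quota of 50 calls, the 300-second cooldown and the 1000 constructed events are assumptions for illustration.

```python
"""API resilience: keep processing locally when the cloud API is unavailable.

Added illustration; the fake enrichment API, quota, cooldown and events are
constructed assumptions, not the project's own code or numbers.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


class QuotaExhausted(Exception):
    """Raised by the client when the remote API refuses further calls."""


class FakeEnrichmentAPI:
    """Stand-in for a cloud enrichment service: answers `quota` calls, then fails."""
    def __init__(self, quota: int):
        self.quota, self.calls = quota, 0

    def enrich(self, ev: dict) -> dict:
        self.calls += 1
        if self.calls > self.quota:
            raise QuotaExhausted("429 Too Many Requests")
        return {"reputation": "known_bad" if ev["src_ip"].startswith("203.0.113.") else "unknown"}


class FakeClock:
    """Deterministic clock so the cooldown can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


@dataclass
class ResilientPipeline:
    api: object
    cooldown: float = 300.0                      # seconds before re-probing the API
    clock: Callable[[], float] = time.monotonic
    mode: str = "hybrid"                         # "hybrid" or "local_only"
    tripped_at: Optional[float] = None
    stats: dict = field(default_factory=lambda: {"processed": 0, "enriched": 0, "unenriched": 0})

    def _api_allowed(self, now: float) -> bool:
        if self.mode == "hybrid":
            return True
        return now - self.tripped_at >= self.cooldown   # half-open: allow one probe

    def process(self, ev: dict) -> dict:
        """Always returns a processed event; enrichment is best-effort."""
        now = self.clock()
        enrichment = None
        if self._api_allowed(now):
            try:
                enrichment = self.api.enrich(ev)
                self.mode, self.tripped_at = "hybrid", None
            except QuotaExhausted:
                self.mode, self.tripped_at = "local_only", now
        self.stats["processed"] += 1
        self.stats["enriched" if enrichment else "unenriched"] += 1
        return {**ev, "enrichment": enrichment, "mode": self.mode}


def make_events(n: int) -> list:
    """Constructed auth-failure events from documentation-range addresses."""
    return [{"id": i, "event_type": "auth_failure", "src_ip": f"203.0.113.{i % 250 + 1}"} for i in range(n)]


if __name__ == "__main__":
    pipeline = ResilientPipeline(api=FakeEnrichmentAPI(quota=50), clock=FakeClock())
    for ev in make_events(1000):
        pipeline.process(ev)
    print(pipeline.mode, pipeline.stats)
```

The important property is that `process` never raises and never blocks on the API: once tripped, 950 of the 1000 events are handled locally without a single further remote call until the cooldown elapses, so a quota outage degrades enrichment rather than visibility.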

What Was Learned

This project reinforced key principles of modern security architecture:

Distributed system design

Local-first processing for sensitive data

State synchronization between local and cloud environments

Building production-ready dashboards for real-time monitoring

Most importantly, it demonstrated that resilient security systems should be designed under the assumption:

Cloud Availability $\neq 100\%$

and must continue operating regardless of external dependencies.
