Inspiration

As a cybersecurity student preparing for SOC Analyst and Blue Team roles, I realized something important: most of us learn SIEM tools like Splunk or Elastic Stack, but very few actually understand how they work internally. I didn’t want to just say: “I know how to use a SIEM.” I wanted to say: “I understand how a SIEM works — because I built one.”

Another key inspiration was portability. Most enterprise SOC tools:
- Require cloud infrastructure
- Need heavy resources
- Depend on internet connectivity

I wanted to create a lightweight, offline, portable SOC engine that could run anywhere — even on a minimal Linux setup. That idea became PORTSOC – Portable SOC Analyst.

What it does

PORTSOC is a lightweight CLI-based Security Operations Center simulator that:
📥 Ingests log files
🧹 Parses and normalizes log entries
🚨 Detects suspicious activity using rule-based logic
🗄️ Stores structured data in SQLite
📊 Generates alerts for potential security incidents

It simulates real SOC detection scenarios like:
- Brute Force Detection
- Suspicious IP Activity
- Timestamp Normalization
- Privilege Access
- Incident Correlation

The entire system runs using:

./venv/bin/python portsoc.py start

No cloud. No heavy frameworks. Just pure Python.

How we built it

1️⃣ Architecture Design

The project follows a modular pipeline:

Log Source
    ↓
Parser
    ↓
Normalizer
    ↓
Detection Engine
    ↓
SQLite Database
    ↓
Alert Output

Each module is separated into folders like:

portsoc/
│
├── config/
├── parser/
├── detection/
├── database/
├── logs/
└── portsoc.py

This makes it scalable and maintainable.

2️⃣ Log Parsing Engine

We built a custom parser using:
- Python re (regular expressions)
- the datetime module
- Structured event extraction

The goal was to convert messy raw logs into structured data:

Unstructured Log → Structured Event Object

3️⃣ Detection Logic

We implemented rule-based alerting such as:
- Multiple failed login attempts
- Repeated suspicious IP activity
- Invalid timestamp patterns
- Log anomalies

Instead of random alerts, we focused on realistic SOC thresholds.

4️⃣ Database Layer

We used SQLite to keep the system:
- Lightweight
- Portable
- Fully offline

We optimized performance by indexing frequently queried fields. This improved alert processing speed significantly.

Challenges we ran into

Timestamp Parsing Issues

Different log formats caused:
- Parsing errors
- Incorrect event ordering
- Timezone mismatches

We had to:
- Standardize datetime formats
- Handle invalid entries gracefully
- Build fallback parsing logic
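The parsing step described under "Log Parsing Engine" and the timestamp fallback logic described in this challenge can be shown in one piece of code. The block below is an added example, not PORTSOC's own parser: the regexes, the Event dataclass, the format list and the sample log lines are all assumptions constructed for illustration. It tries a chain of strptime formats, fills in the missing year for syslog-style lines, normalizes everything to UTC, counts lines it cannot parse instead of crashing, and returns events in time order.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample lines (not real telemetry) in three timestamp styles,
# plus one line with no timestamp and one with an impossible date.
SAMPLE_LOGS = [
    "2024-03-01T10:15:30Z sshd[1001]: Failed password for root from 10.0.0.5 port 2222 ssh2",
    "Mar  1 10:15:31 host1 sshd[1001]: Failed password for admin from 10.0.0.5 port 2223 ssh2",
    "2024-03-01 10:15:32 +0000 sshd[1002]: Accepted password for alice from 10.0.0.9 port 5000 ssh2",
    "garbage line with no timestamp",
    "2024-13-45T99:99:99Z sshd[1003]: Failed password for bob from 10.0.0.7 port 1 ssh2",
]

# Timestamp prefix in ISO-with-Z, ISO-with-offset, or syslog (no year) style.
TS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:Z| [+-]\d{4})"
    r"|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$"
)

# Authentication message body, optionally prefixed by a hostname (syslog style).
AUTH_RE = re.compile(
    r"^(?:(?P<host>\S+) )?(?P<proc>\w+)\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# strptime formats tried in order: this is the fallback chain (hypothetical set).
TS_FORMATS = ["%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S %z", "%b %d %H:%M:%S"]


@dataclass
class Event:
    timestamp: datetime       # tz-aware, normalized to UTC
    host: Optional[str]
    process: str
    outcome: str              # "failed" or "accepted"
    user: str
    src_ip: str
    raw: str


def normalize_timestamp(text: str, assume_year: int) -> Optional[datetime]:
    """Try each known format; return a UTC datetime, or None if nothing matches."""
    for fmt in TS_FORMATS:
        try:
            ts = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if "%Y" not in fmt:
            ts = ts.replace(year=assume_year)      # syslog lines carry no year
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)   # assumption: zone-less logs are UTC
        return ts.astimezone(timezone.utc)
    return None


def parse_line(line: str, assume_year: int) -> Optional[Event]:
    """Raw line -> Event, or None when the timestamp or the body is unusable."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = normalize_timestamp(m.group("ts"), assume_year)
    if ts is None:
        return None
    body = AUTH_RE.match(m.group("rest"))
    if not body:
        return None
    return Event(
        timestamp=ts,
        host=body.group("host"),
        process=body.group("proc"),
        outcome=body.group("outcome").lower(),
        user=body.group("user"),
        src_ip=body.group("ip"),
        raw=line,
    )


def parse_logs(lines, assume_year: int) -> Tuple[List[Event], int]:
    """Parse every line; bad lines are counted, not fatal. Events come back in time order."""
    events, rejected = [], 0
    for line in lines:
        ev = parse_line(line.rstrip("\n"), assume_year)
        if ev is None:
            rejected += 1
        else:
            events.append(ev)
    events.sort(key=lambda e: e.timestamp)   # fixes ordering across mixed formats
    return events, rejected


if __name__ == "__main__":
    evs, bad = parse_logs(SAMPLE_LOGS, assume_year=2024)
    for e in evs:
        print(e.timestamp.isoformat(), e.host, e.outcome, e.user, e.src_ip)
    print(f"{bad} line(s) rejected")
```

The year for syslog-style lines has to come from somewhere, so it is passed in explicitly rather than taken from the clock; a file written in December and parsed in January would otherwise be ordered a year out. Rejected lines are counted so a spike in the rejection rate can itself be surfaced as a parsing alert.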

False Positives & Alert Flooding

Early versions triggered:
- Duplicate alerts
- Incorrect brute-force detection
- Over-sensitive thresholds

We improved:
- Threshold validation
- Deduplication logic
- Alert correlation handling

Performance Optimization

As log size increased, detection became slower. We optimized:
- Database queries
- Index usage
- Log iteration logic

This made the tool scalable for larger log files.
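The detection, database, deduplication and indexing points above ("Detection Logic", "Database Layer", "False Positives & Alert Flooding" and this section) fit in one example. The block below is added here and is not PORTSOC's code: the table schema, the index, the brute-force rule (a per-source sliding window over failed logins) and the sample events are assumptions. It stores normalized events in SQLite with an index on the columns the rule queries, raises an alert once a source crosses the threshold inside the window, and keys alerts by (rule, source, window start) so re-running detection over the same data does not flood the alert table.

```python
import sqlite3
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical schema: events are queried by source IP and time, so index those.
# The UNIQUE constraint on alerts is the deduplication guarantee at the storage level.
SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id      INTEGER PRIMARY KEY,
    ts      TEXT NOT NULL,   -- ISO-8601, always UTC, so string order == time order
    outcome TEXT NOT NULL,   -- 'failed' or 'accepted'
    user    TEXT NOT NULL,
    src_ip  TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_events_ip_ts ON events (src_ip, ts);
CREATE TABLE IF NOT EXISTS alerts (
    id           INTEGER PRIMARY KEY,
    rule         TEXT NOT NULL,
    src_ip       TEXT NOT NULL,
    window_start TEXT NOT NULL,
    count        INTEGER NOT NULL,
    UNIQUE (rule, src_ip, window_start)
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def store_events(conn, events):
    """events: iterable of (utc datetime, outcome, user, src_ip) tuples."""
    conn.executemany(
        "INSERT INTO events (ts, outcome, user, src_ip) VALUES (?, ?, ?, ?)",
        [(ts.isoformat(), outcome, user, ip) for ts, outcome, user, ip in events],
    )
    conn.commit()


def detect_brute_force(conn, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source has >= threshold failed logins inside `window`.
    Returns the number of alerts newly written (existing ones are not repeated)."""
    new_alerts = 0
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    rows = conn.execute(
        "SELECT src_ip, ts FROM events WHERE outcome = 'failed' ORDER BY src_ip, ts"
    )
    for ip, ts_text in rows:
        ts = datetime.fromisoformat(ts_text)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            key = ("brute_force", ip, q[0].isoformat())
            already = conn.execute(
                "SELECT 1 FROM alerts WHERE rule = ? AND src_ip = ? AND window_start = ?", key
            ).fetchone()
            if already is None:
                conn.execute(
                    "INSERT INTO alerts (rule, src_ip, window_start, count) VALUES (?, ?, ?, ?)",
                    key + (len(q),),
                )
                new_alerts += 1
            q.clear()   # one alert per burst; a new burst needs `threshold` fresh failures
    conn.commit()
    return new_alerts


def list_alerts(conn):
    return conn.execute(
        "SELECT rule, src_ip, window_start, count FROM alerts ORDER BY id"
    ).fetchall()


def sample_events():
    """Constructed sample data, not real telemetry."""
    base = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    ev = []
    for i in range(6):   # 10.0.0.5: six failures in two minutes -> alert
        ev.append((base + timedelta(seconds=20 * i), "failed", "root", "10.0.0.5"))
    ev.append((base, "failed", "alice", "10.0.0.9"))   # two failures then success: no alert
    ev.append((base + timedelta(seconds=30), "failed", "alice", "10.0.0.9"))
    ev.append((base + timedelta(seconds=60), "accepted", "alice", "10.0.0.9"))
    for i in range(5):   # 10.0.0.7: five failures spread over 30 min -> never 5 in one window
        ev.append((base + timedelta(minutes=6 * i), "failed", "bob", "10.0.0.7"))
    return ev


if __name__ == "__main__":
    conn = open_db()
    store_events(conn, sample_events())
    print("new alerts, first run:", detect_brute_force(conn))
    print("new alerts, second run:", detect_brute_force(conn))
    for row in list_alerts(conn):
        print(row)
```

Two details carry the "false positive" lesson: the window is measured from the oldest failure still inside it, so a slow trickle of failures never alerts, and the alert key includes the window start, so replaying the same log (or overlapping log files) produces no duplicates. Running EXPLAIN QUERY PLAN on the SELECT in detect_brute_force shows whether SQLite is using idx_events_ip_ts for the ordering, which is the check to make when this query slows down on large files.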

Accomplishments that we're proud of

What we learned

Through PORTSOC, we learned:

🧠 SOC Workflow Understanding
- Log ingestion
- Event normalization
- Alert correlation
- Incident detection flow

🧩 Real-World Problem Solving
- Handling messy logs
- Dealing with edge cases
- Debugging complex timestamp issues

⚙️ Engineering Mindset
- Writing scalable code
- Designing modular architecture
- Optimizing database queries

What's next for PORTSOC – Portable SOC Analyst

- Better detection, with much better detection rules
- Better parsing logic, for better detection
- A better UI with more information
- USB-based installation, to make it completely offline
