DatTran26/SOC-System

SOC System - Security Operations Center

🔒 Overview

A stand-alone SOC (Security Operations Center) system that monitors website/backend security in real time by analysing the logs those services write to AWS CloudWatch.

🏗️ System Architecture

┌─────────────────────────┐
│  Existing Web Backend   │
│  (Node.js + Express)    │
└────────────┬────────────┘
             │ Security Logs (JSON)
             ▼
┌─────────────────────────┐
│  AWS CloudWatch Logs    │
└────────────┬────────────┘
             │ Log Stream
             ▼
┌─────────────────────────┐
│ Log Subscription Filter │
└────────────┬────────────┘
             │ Trigger
             ▼
┌─────────────────────────────┐
│   AWS Lambda Function       │
│   - Log Analyzer            │
│   - Rule Detection          │
│   - Severity Classification │
│   - Deduplication           │
└────────────┬────────────────┘
             │
             ├──► PostgreSQL (RDS)
             │    - Users, Roles, Alerts
             │    - Rules, Logs
             │
             └──► DynamoDB (Optional)
                  - Realtime Alerts
             │
             ▼
┌─────────────────────────┐
│   AWS API Gateway       │
│   - REST API            │
│   - WebSocket API       │
└────────────┬────────────┘
             │
             ▼
┌─────────────────────────┐
│   SOC Dashboard         │
│   (React + TypeScript)  │
│   - Realtime Alerts     │
│   - Analytics           │
│   - User Management     │
└─────────────────────────┘
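The CloudWatch Logs → Subscription Filter → Lambda hop in the diagram delivers logs in a fixed envelope: the filter invokes the Lambda with an `awslogs.data` field holding a base64-encoded, gzip-compressed JSON document whose `logEvents[].message` strings are the raw log lines, and a `messageType` of `DATA_MESSAGE` (or `CONTROL_MESSAGE` for CloudWatch's connectivity check when the filter is created). The TypeScript below is an added example, not code from the SOC-System repository, showing how a log-analyzer Lambda would unpack that envelope and keep only messages that are well-formed records in this README's log input format. The function names, the choice of `timestamp`, `event` and `ip` as mandatory fields, and the `buildSubscriptionEvent` helper that fabricates an envelope for offline testing are this example's assumptions.

```typescript
import { gunzipSync, gzipSync } from "zlib";

// Event shape delivered by a CloudWatch Logs subscription filter to Lambda.
export interface CloudWatchLogsEvent {
  awslogs: { data: string }; // base64 of gzip(JSON payload)
}

// The decompressed payload; only the fields used here are typed.
export interface LogsPayload {
  messageType: "DATA_MESSAGE" | "CONTROL_MESSAGE";
  logGroup: string;
  logStream: string;
  logEvents: { id: string; timestamp: number; message: string }[];
}

// Minimum fields the analyzer needs from a record in the README's log input format
// (assumed mandatory set); every other field passes through untouched.
export interface SecurityLog {
  timestamp: string;
  event: string;
  ip: string;
  [extra: string]: unknown;
}

export function decodeSubscriptionEvent(event: CloudWatchLogsEvent): LogsPayload {
  const compressed = Buffer.from(event.awslogs.data, "base64");
  return JSON.parse(gunzipSync(compressed).toString("utf8")) as LogsPayload;
}

// Accepts only JSON objects carrying the mandatory string fields and a parseable timestamp,
// so a non-JSON or partial line never reaches the rule engine as a half-filled record.
export function parseSecurityLog(message: string): SecurityLog | null {
  let parsed: unknown;
  try {
    parsed = JSON.parse(message);
  } catch {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return null;
  const r = parsed as Record<string, unknown>;
  if (typeof r.timestamp !== "string" || typeof r.event !== "string" || typeof r.ip !== "string") return null;
  if (Number.isNaN(Date.parse(r.timestamp))) return null;
  return r as SecurityLog;
}

export interface ExtractResult { logs: SecurityLog[]; dropped: number; logGroup: string }

export function extractSecurityLogs(event: CloudWatchLogsEvent): ExtractResult {
  const payload = decodeSubscriptionEvent(event);
  // CONTROL_MESSAGE carries no application log data; acknowledge it and do nothing.
  if (payload.messageType === "CONTROL_MESSAGE") return { logs: [], dropped: 0, logGroup: payload.logGroup };
  const logs: SecurityLog[] = [];
  let dropped = 0;
  for (const ev of payload.logEvents) {
    const log = parseSecurityLog(ev.message);
    if (log) logs.push(log); else dropped++;
  }
  return { logs, dropped, logGroup: payload.logGroup };
}

// Lambda entry point: unpack the envelope, then hand valid records to the rule engine (not part of this example).
export async function handler(event: CloudWatchLogsEvent): Promise<{ accepted: number; dropped: number }> {
  const { logs, dropped } = extractSecurityLogs(event);
  return { accepted: logs.length, dropped };
}

// Offline test helper (assumed, not an AWS API): builds the same envelope CloudWatch would deliver.
export function buildSubscriptionEvent(
  messages: string[], messageType: LogsPayload["messageType"] = "DATA_MESSAGE"): CloudWatchLogsEvent {
  const payload: LogsPayload = {
    messageType,
    logGroup: "/aws/lambda/soc-analyzer", // the CLOUDWATCH_LOG_GROUP value from the README's .env example
    logStream: "constructed-stream",
    logEvents: messages.map((message, i) => ({ id: String(i), timestamp: Date.now(), message })),
  };
  const data = gzipSync(Buffer.from(JSON.stringify(payload), "utf8")).toString("base64");
  return { awslogs: { data } };
}
```

Dropping rather than repairing malformed lines is deliberate: a line that lacks `ip` or `timestamp` cannot be attributed to a source or placed in a time window, and counting it would only dilute the threshold rules. The `dropped` counter is worth emitting as a metric, since a sudden rise usually means the monitored backend changed its log format.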

📂 Project Structure

SOC-Systems/
├── backend/                    # Backend Lambda Functions
│   ├── lambdas/
│   │   ├── log-analyzer/      # Main log analyzer
│   │   ├── api-handler/       # REST API handler
│   │   ├── websocket-handler/ # WebSocket connections
│   │   └── alert-processor/   # Alert processing
│   ├── shared/
│   │   ├── models/            # Database models
│   │   ├── rules/             # Detection rules
│   │   ├── utils/             # Utilities
│   │   └── types/             # TypeScript types
│   ├── infrastructure/
│   │   ├── cloudformation/    # CF templates
│   │   └── terraform/         # Terraform configs
│   └── package.json
├── frontend/                   # React Dashboard
│   ├── src/
│   │   ├── components/        # React components
│   │   ├── pages/             # Page components
│   │   ├── stores/            # Zustand stores
│   │   ├── api/               # API clients
│   │   ├── hooks/             # Custom hooks
│   │   ├── utils/             # Utilities
│   │   ├── types/             # TypeScript types
│   │   └── App.tsx
│   ├── public/
│   └── package.json
├── database/
│   ├── schema.sql             # Database schema (3NF)
│   ├── migrations/            # Migration scripts
│   └── seeds/                 # Seed data
├── docs/
│   ├── API.md                 # API documentation
│   ├── DEPLOYMENT.md          # Deployment guide
│   └── ARCHITECTURE.md        # Architecture details
└── README.md

🛠️ Technology Stack

Backend

  • AWS Lambda - Node.js 18
  • AWS API Gateway - REST + WebSocket
  • AWS CloudWatch - Log collection
  • AWS IAM - Authentication & Authorization
  • PostgreSQL (RDS) - Primary database
  • DynamoDB - Realtime alerts (optional)
  • TypeScript - Type safety
  • JWT - Authentication tokens

Frontend

  • React 18 - UI framework
  • TypeScript - Type safety
  • Tailwind CSS - Styling
  • React Router v6 - Routing
  • Zustand - State management
  • React Query - API data fetching
  • Recharts - Charts & analytics
  • WebSocket - Realtime updates

🔐 Key Features

1. Dashboard Overview

  • Total alerts per day
  • Distribution by severity
  • 24-hour trend (chart)
  • Top attacking IPs
  • Average response time

2. Alert Management

  • Real-time alert list
  • Filter by severity, status, source
  • Statuses: NEW, ACKNOWLEDGED, IN_PROGRESS, RESOLVED
  • Assign alerts to analysts
  • Export CSV/JSON

3. Log Sources & Analysis Rules

  • Manage log sources (CloudWatch, Syslog, Azure Monitor)
  • Create/edit/delete detection rules
  • Enable/disable rules
  • Test a rule against sample data
  • Rule templates

4. Notification Configuration

  • Email gateway
  • Slack integration
  • SMS gateway
  • Webhook
  • Routing by severity

5. User & Permission Management

  • Role-based access control (RBAC)
  • 3 roles: Admin, Analyst, Viewer
  • Fine-grained permissions
  • MFA support
  • Audit trail

6. Log History & Reports

  • Look up raw logs
  • Export reports
  • Alert statistics
  • Compliance reports
  • Audit logs

🚨 Detection Rules (Default)

1. Brute Force Login

  • Condition: LOGIN_FAILED ≥ 5 times / 1 minute
  • Severity: HIGH / CRITICAL
  • Action: Alert + Block IP (optional)

2. Admin Login Detection

  • Condition: ADMIN_LOGIN event
  • Severity: HIGH
  • Action: Alert + Notification

3. SQL Injection Pattern

  • Condition: log contains SELECT, UNION, DROP, --, OR 1=1
  • Severity: CRITICAL
  • Action: Immediate alert + Block

4. Port Scan / 404 Flood

  • Condition: ≥ 20 404 requests from one IP / 1 minute
  • Severity: MEDIUM
  • Action: Alert + Monitor

5. Data Exfiltration

  • Condition: outbound traffic > 1 GB
  • Severity: HIGH
  • Action: Alert + Investigate

6. Privilege Escalation

  • Condition: user role change or sudo command
  • Severity: CRITICAL
  • Action: Immediate alert

📊 Database Schema (3NF)

Core Tables

  • users - User accounts
  • roles - User roles
  • permissions - System permissions
  • role_permissions - Role-permission mapping
  • alert_sources - Log sources
  • severity_levels - Severity definitions
  • alert_status - Alert statuses
  • analysis_rules - Detection rules
  • alerts - Security alerts
  • log_events - Raw logs
  • alert_history - Audit trail
  • notification_channels - Notification config
  • notification_rules - Notification routing
  • notification_history - Notification logs
  • audit_logs - System audit

Views

  • v_alert_stats_by_severity - Alert statistics
  • v_top_attacking_ips - Top attacking IPs
  • v_alert_timeline_hourly - Hourly alert trends

🔧 Installation & Deployment

🎯 Demo Mode (No AWS Required) ⭐

Quick start with sample data:

# Windows
start-demo.bat

# Or manually:
# Terminal 1
cd backend && npm install && npm run demo

# Terminal 2
cd frontend && npm install && npm run dev

Open: http://localhost:3000
Login: admin / Admin@123

See QUICKSTART.md and DEMO-GUIDE.md for more details.


🚀 Production Mode (AWS)

Prerequisites

  • Node.js 18+
  • AWS Account
  • PostgreSQL 14+
  • AWS CLI configured

1. Database Setup

# Create database
createdb soc_system

# Run schema
psql -d soc_system -f database/schema.sql

# Run migrations (if any)
npm run migrate

2. Backend Setup

cd backend
npm install
npm run build

# Deploy Lambda functions
npm run deploy:dev

3. Frontend Setup

cd frontend
npm install

# Development
npm run dev

# Production build
npm run build

4. AWS Configuration

See docs/DEPLOYMENT.md for detailed AWS setup including:

  • CloudWatch Logs subscription
  • Lambda function deployment
  • API Gateway configuration
  • IAM roles & policies

🔑 Environment Variables

Backend (.env)

# Database
DB_HOST=localhost
DB_PORT=5432
DB_NAME=soc_system
DB_USER=postgres
DB_PASSWORD=your_password

# JWT
JWT_SECRET=your_secret_key
JWT_EXPIRES_IN=24h

# AWS
AWS_REGION=ap-southeast-1
CLOUDWATCH_LOG_GROUP=/aws/lambda/soc-analyzer

# WebSocket
WEBSOCKET_API_ENDPOINT=wss://your-api-id.execute-api.region.amazonaws.com/prod

Frontend (.env)

VITE_API_BASE_URL=https://your-api-gateway.com/prod
VITE_WEBSOCKET_URL=wss://your-websocket-api.com/prod

📖 API Documentation

Authentication

POST /api/auth/login
POST /api/auth/logout
POST /api/auth/refresh
GET  /api/auth/me

Alerts

GET    /api/alerts
GET    /api/alerts/:id
PATCH  /api/alerts/:id/acknowledge
PATCH  /api/alerts/:id/assign
PATCH  /api/alerts/:id/resolve
GET    /api/alerts/stats

Rules

GET    /api/rules
POST   /api/rules
PUT    /api/rules/:id
DELETE /api/rules/:id
PATCH  /api/rules/:id/toggle

Users

GET    /api/users
POST   /api/users
PUT    /api/users/:id
DELETE /api/users/:id

Logs

GET    /api/logs
GET    /api/logs/export

WebSocket

wss://your-api/prod
- Connection: JWT in query string
- Events: alert.new, alert.updated, system.status

🧪 Testing

# Backend
cd backend
npm test
npm run test:coverage

# Frontend
cd frontend
npm test
npm run test:e2e

📝 Log Input Format

The website backend must send logs in the following format:

{
  "timestamp": "2025-01-01T10:15:30Z",
  "service": "WebBackend",
  "event": "LOGIN_FAILED",
  "username": "admin",
  "ip": "203.0.113.10",
  "path": "/api/login",
  "status": 401,
  "message": "Invalid password",
  "user_agent": "Mozilla/5.0...",
  "request_id": "uuid-here"
}
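The default detection rules above fall into two kinds: threshold rules that count matching records per source IP inside a one-minute window (Brute Force Login, Port Scan / 404 Flood) and pattern rules that fire on a single matching record (Admin Login, SQL Injection Pattern, Privilege Escalation). The TypeScript below is an added example, not the repository's rule engine, that evaluates records in the log input format shown above against those rules with a sliding window and the per-IP deduplication the architecture diagram mentions. The `RuleEngine` class, the `ROLE_CHANGE` event name, the exact regular expression used for the SQL-injection indicators, the dedup policy (one alert per rule and IP per window) and the `makeLogs` helper that fabricates sample records are this example's assumptions; the thresholds, windows and severities are the README's.

```typescript
// Fields of the README's log record that the default rules read.
export interface SecurityLog {
  timestamp: string; // ISO-8601
  event: string;     // e.g. LOGIN_FAILED, ADMIN_LOGIN
  ip: string;
  path?: string;
  status?: number;
  message?: string;
}

export type Severity = "INFO" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";

export interface Alert {
  rule: string;
  severity: Severity;
  ip: string;
  at: string; // timestamp of the record that fired the rule
  detail: string;
}

interface BaseRule { name: string; severity: Severity; match: (log: SecurityLog) => boolean }
// Threshold rules count matching records per source IP inside a sliding window.
export interface ThresholdRule extends BaseRule { kind: "threshold"; threshold: number; windowMs: number }
// Pattern rules fire on every matching record.
export interface PatternRule extends BaseRule { kind: "pattern" }
export type Rule = ThresholdRule | PatternRule;

// The README's SQL-injection indicators: SELECT, UNION, DROP, "--", "OR 1=1" (matched case-insensitively).
const SQLI_PATTERN = /\b(select|union|drop)\b|--|\bor\s+1\s*=\s*1/i;

export const DEFAULT_RULES: Rule[] = [
  { kind: "threshold", name: "Brute Force Login", severity: "HIGH", threshold: 5, windowMs: 60_000,
    match: (l) => l.event === "LOGIN_FAILED" },
  { kind: "threshold", name: "Port Scan / 404 Flood", severity: "MEDIUM", threshold: 20, windowMs: 60_000,
    match: (l) => l.status === 404 },
  { kind: "pattern", name: "Admin Login Detection", severity: "HIGH",
    match: (l) => l.event === "ADMIN_LOGIN" },
  { kind: "pattern", name: "SQL Injection Pattern", severity: "CRITICAL",
    match: (l) => SQLI_PATTERN.test(`${l.path ?? ""} ${l.message ?? ""}`) },
  // "ROLE_CHANGE" is an assumed event name; the README only says "user role change or sudo command".
  { kind: "pattern", name: "Privilege Escalation", severity: "CRITICAL",
    match: (l) => l.event === "ROLE_CHANGE" || /\bsudo\b/.test(l.message ?? "") },
];

export class RuleEngine {
  private readonly rules: Rule[];
  private readonly windows = new Map<string, number[]>();  // "rule|ip" -> matching record times (ms)
  private readonly lastFired = new Map<string, number>();  // "rule|ip" -> time of the last alert (ms)

  constructor(rules: Rule[] = DEFAULT_RULES) {
    this.rules = rules;
  }

  evaluate(log: SecurityLog): Alert[] {
    const now = Date.parse(log.timestamp);
    if (Number.isNaN(now)) return []; // a record with no usable time cannot be placed in a window
    const alerts: Alert[] = [];
    for (const rule of this.rules) {
      if (!rule.match(log)) continue;
      if (rule.kind === "pattern") {
        alerts.push({ rule: rule.name, severity: rule.severity, ip: log.ip, at: log.timestamp,
          detail: `${log.event} ${log.path ?? ""}`.trim() });
        continue;
      }
      const key = `${rule.name}|${log.ip}`;
      const hits = (this.windows.get(key) ?? []).filter((t) => now - t < rule.windowMs);
      hits.push(now);
      this.windows.set(key, hits);
      if (hits.length < rule.threshold) continue;
      // Deduplication: once a rule has fired for an IP, further hits inside the same window
      // are still counted but do not produce another alert.
      const last = this.lastFired.get(key);
      if (last !== undefined && now - last < rule.windowMs) continue;
      this.lastFired.set(key, now);
      alerts.push({ rule: rule.name, severity: rule.severity, ip: log.ip, at: log.timestamp,
        detail: `${hits.length} matching records from ${log.ip} within ${rule.windowMs / 1000}s` });
    }
    return alerts;
  }

  // Batch entry point: sort by time first so the sliding windows see records in order.
  evaluateBatch(logs: SecurityLog[]): Alert[] {
    const sorted = [...logs].sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
    const out: Alert[] = [];
    for (const l of sorted) out.push(...this.evaluate(l));
    return out;
  }
}

// Constructed sample data, not captured traffic: `count` records of one event type from one IP, `stepMs` apart.
export function makeLogs(event: string, ip: string, count: number, startIso: string, stepMs: number,
                         extra: Partial<SecurityLog> = {}): SecurityLog[] {
  const start = Date.parse(startIso);
  return Array.from({ length: count }, (_, i) => ({
    timestamp: new Date(start + i * stepMs).toISOString(), event, ip, ...extra }));
}
```

The engine keeps its windows in memory, which is enough for one Lambda invocation processing one batch; across invocations the per-IP state has to live somewhere shared (the diagram's DynamoDB is the natural place), otherwise a brute-force attempt spread over two batches never reaches the threshold. Sorting before evaluation matters for the same reason: CloudWatch batches are not guaranteed to arrive in timestamp order.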

🎯 Severity Levels

Level     Value  Color   Description
INFO      1      Blue    Informational
LOW       2      Green   Minor anomaly
MEDIUM    3      Yellow  Potential threat
HIGH      4      Orange  Clear attack
CRITICAL  5      Red     Serious incident

🚀 Roadmap

Phase 1 - Core (Current)

  • Database schema
  • Backend Lambda functions
  • REST API
  • WebSocket API
  • Basic frontend

Phase 2 - Enhanced

  • Advanced rule engine
  • Machine learning detection
  • Threat intelligence integration
  • Automated response (SOAR)

Phase 3 - Enterprise

  • Multi-tenant support
  • Compliance reporting
  • Integration marketplace
  • Mobile app

📄 License

MIT License - See LICENSE file for details

👥 Contributors

📞 Support

For issues and questions:


Version: 2.1.0-alpha
Last Updated: December 2025
