sohankanna/cloudlog-sentinel

CloudLog Sentinel: A Full-Stack Cloud-Native SIEM

CloudLog Sentinel is a full-stack, cloud-native Security Information and Event Management (SIEM) tool. This application monitors AWS CloudTrail logs in real-time, detects 10 different high-value security threats, enriches the data with IP geolocation, and sends instant alerts to an interactive web dashboard and Discord.

This project was built from scratch to simulate a real-world security monitoring tool used by a Security Operations Center (SOC).

Core Features

  • Real-time Log Analysis: Efficiently polls an S3 bucket for new CloudTrail logs, focusing only on the current day's logs to prevent "alert fatigue" and performance issues.
  • 10 High-Value Detections: Includes 10 expert-level rules that detect genuine attack patterns (like privilege escalation, firewall changes, and data exfiltration) while filtering out low-value "noise."
  • Data Enrichment: Automatically enriches alerts with IP geolocation data by calling an external REST API, turning a simple IP address into a human-readable location (e.g., "Bengaluru, India").
  • Persistent Storage: Alerts are saved to a persistent, file-based H2 SQL database, allowing for historical review and data persistence between application restarts.
  • Full-Stack Application: Built with a Spring Boot REST API backend that provides alerts to a vanilla JavaScript frontend.
  • Interactive Web Dashboard: A responsive, single-page application (SPA) dashboard built with Tailwind CSS. Features include:
    • Live-updating alert grid (polls every 5 seconds).
    • Summary "stat cards" for at-a-glance situational awareness.
    • Clickable filters to view alerts by severity (Critical, High, Medium, Low).
  • Instant Push Notifications: Sends beautifully formatted, critical alerts to a Discord webhook for real-time notifications.

Tech Stack

Category      Technology
Backend       Java 17+, Spring Boot, Spring Data JPA, H2 Database (file-based)
Cloud         AWS CloudTrail (log source), AWS S3 (log storage), AWS IAM
Frontend      HTML5, Tailwind CSS, Vanilla JavaScript (Fetch API)
Integrations  Discord Webhooks, ip-api.com (geolocation)
DevOps        Maven, Git

How It Works (Architecture)

This application uses a clean, decoupled architecture:

  1. AWS Services (IAM, EC2, S3) generate audit logs.
  2. AWS CloudTrail captures these logs and delivers them to a central S3 Bucket every ~5-15 minutes.
  3. The LogAnalyzerService (Java/Spring Boot) runs on a 60-second timer, intelligently querying the S3 bucket for only the current day's new log files.
  4. Each log file is downloaded, unzipped, and parsed. Every event is passed through 10 detection rules.
  5. If an event (e.g., CreateUser) triggers a rule:
    • The IpGeolocationService is called to get the location of the source IP.
    • An Alert object is created with all enriched data.
    • The AlertRepository saves the Alert to the H2 Database.
    • The DiscordNotificationService sends a formatted push notification.
  6. The AlertController provides a REST API endpoint (GET /api/alerts).
  7. The JavaScript Frontend (index.html) polls this API every 5 seconds, updates the summary counts, and displays the filterable list of alerts to the user.
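The polling half of this pipeline (steps 3 and 4), shown as an added Python example rather than the project's own Java LogAnalyzerService: it builds the current-day key prefix from CloudTrail's documented S3 layout (assuming a single-account trail with no custom prefix), keeps only unseen log objects so the 60-second poll does not re-alert, and gunzips a file into its Records list. The bucket listing and the gzipped file are constructed inline; in production the listing comes from S3 (for example boto3's list_objects_v2 with that Prefix) and the bytes from a GetObject call.

```python
import gzip
import io
import json
from datetime import datetime, timezone

def current_day_prefix(account_id, region, now=None):
    """Key prefix under which CloudTrail writes one region's logs for the current UTC day.
    Assumes a single-account trail with no custom log-file prefix."""
    now = now or datetime.now(timezone.utc)
    return f"AWSLogs/{account_id}/CloudTrail/{region}/{now:%Y/%m/%d}/"

def select_new_keys(listed_keys, prefix, seen):
    """Keep only unseen .json.gz objects under the day prefix; record them so a later poll skips them.
    The prefix also excludes CloudTrail-Digest objects, which carry no Records."""
    fresh = sorted(k for k in listed_keys if k.startswith(prefix) and k.endswith(".json.gz") and k not in seen)
    seen.update(fresh)
    return fresh

def parse_log_object(gz_bytes):
    """Gunzip one downloaded CloudTrail object and return its Records list (empty on a malformed file)."""
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as f:
            return json.load(f).get("Records", [])
    except (OSError, ValueError):  # bad gzip stream or invalid JSON
        return []

# Constructed sample: a fake bucket listing and a gzipped log file, shaped like what S3 returns.
ACCOUNT, REGION = "123456789012", "ap-southeast-2"
DAY = datetime(2025, 10, 30, tzinfo=timezone.utc)
LISTING = [
    f"AWSLogs/{ACCOUNT}/CloudTrail/{REGION}/2025/10/29/{ACCOUNT}_CloudTrail_{REGION}_20251029T2355Z_aaaa.json.gz",
    f"AWSLogs/{ACCOUNT}/CloudTrail/{REGION}/2025/10/30/{ACCOUNT}_CloudTrail_{REGION}_20251030T1000Z_bbbb.json.gz",
    f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/{REGION}/2025/10/30/{ACCOUNT}_CloudTrail-Digest_{REGION}_20251030T1000Z.json.gz",
]
SAMPLE_GZ = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2025-10-30T10:00:00Z", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}, "requestParameters": {"userName": "svc-backup"}}]}).encode())

if __name__ == "__main__":
    seen = set()
    prefix = current_day_prefix(ACCOUNT, REGION, DAY)
    for key in select_new_keys(LISTING, prefix, seen):
        for event in parse_log_object(SAMPLE_GZ):  # in production: the bytes of GetObject(key)
            print(key.rsplit("/", 1)[1], event["eventName"], event["sourceIPAddress"])
```

The seen set must outlive the poll loop (the real service persists processed keys or compares LastModified); otherwise a restart replays the whole day.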

Detections Implemented (10 Rules)

This engine is configured to detect 10 high-signal, low-noise security events.

🔴 CRITICAL SEVERITY

  • CRITICAL: IAM Admin Escalation: Detects a user attaching the AdministratorAccess policy to another user/role.
  • CRITICAL: S3 Policy/ACL Changed: Detects any change to an S3 bucket's policy or ACL (e.g., making a bucket public).
  • CRITICAL: CloudTrail Tampering: Detects an attempt to cover tracks by disabling audit logging through the StopLogging or DeleteTrail API calls.
  • CRITICAL: Public Firewall Change: Detects an EC2 security group (firewall) being opened to the entire internet (0.0.0.0/0).

🟠 HIGH SEVERITY

  • HIGH: IAM User Created: Detects a new IAM user being created, a common persistence technique.
  • HIGH: Access Key Created: Detects a user creating new API keys, another persistence technique.
  • HIGH: IAM Login Profile Created: Detects a password being added to a "service account" user, creating a new login backdoor.
  • HIGH: Secrets Manager Access: Detects a user reading a secret from AWS Secrets Manager (e.g., GetSecretValue).

🟡 MEDIUM SEVERITY

  • MEDIUM: Root User Activity: Detects any non-safelisted action taken by the Root user, which should never be used for daily tasks. (This rule ignores noisy read-only actions like List* or Describe*).

🔵 LOW SEVERITY

  • LOW: Failed Console Login: Detects a failed password attempt to log in to the AWS console.
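The ten rules above as one rule function over raw CloudTrail records, written here in Python as an added example (the project's own rules live in its Java service and are not shown on this page). Field names (eventName, userIdentity.type, requestParameters.policyArn, ipPermissions.items[].ipRanges.items[].cidrIp, responseElements.ConsoleLogin) are CloudTrail's documented record format; the AdministratorAccess ARN is the AWS managed policy. The sample log is constructed with documentation IP ranges, and the rule set deliberately keeps the README's List*/Describe* safelist for root so read-only noise produces no alert.

```python
import json
from fnmatch import fnmatch

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ROOT_SAFE = ("List*", "Describe*")  # read-only root actions the README treats as noise
HIGH_EVENTS = {"CreateUser": "IAM User Created", "CreateAccessKey": "Access Key Created",
               "CreateLoginProfile": "IAM Login Profile Created", "GetSecretValue": "Secrets Manager Access"}

def _ingress_cidrs(params):  # every IPv4 CIDR in an AuthorizeSecurityGroupIngress request
    perms = params.get("ipPermissions", {}).get("items", [])
    return [r.get("cidrIp") for p in perms for r in p.get("ipRanges", {}).get("items", [])]

def evaluate(event):
    """Return (severity, rule) for the first rule a CloudTrail record matches, else None."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    ident = event.get("userIdentity") or {}
    if name in ("AttachUserPolicy", "AttachRolePolicy") and params.get("policyArn") == ADMIN_POLICY:
        return ("CRITICAL", "IAM Admin Escalation")
    if name in ("PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"):
        return ("CRITICAL", "S3 Policy/ACL Changed")
    if name in ("StopLogging", "DeleteTrail"):
        return ("CRITICAL", "CloudTrail Tampering")
    if name == "AuthorizeSecurityGroupIngress" and "0.0.0.0/0" in _ingress_cidrs(params):
        return ("CRITICAL", "Public Firewall Change")
    if name in HIGH_EVENTS:
        return ("HIGH", HIGH_EVENTS[name])
    if ident.get("type") == "Root" and not any(fnmatch(name, p) for p in ROOT_SAFE):
        return ("MEDIUM", "Root User Activity")
    if name == "ConsoleLogin" and (event.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        return ("LOW", "Failed Console Login")
    return None

def scan(log_text):
    """Run every record of one CloudTrail log file through evaluate(); return the alerts raised."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        hit = evaluate(rec)
        if hit:
            alerts.append({"severity": hit[0], "rule": hit[1], "event": rec.get("eventName"),
                           "sourceIp": rec.get("sourceIPAddress"), "time": rec.get("eventTime")})
    return alerts

SAMPLE_LOG = json.dumps({"Records": [  # constructed sample: two hits plus one root read-only event
    {"eventTime": "2025-10-30T10:00:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}, "requestParameters": {"userName": "dev1", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2025-10-30T10:01:00Z", "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [{"ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2025-10-30T10:02:00Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"}},
]})
```

Rule order is the severity order, so a root user running CreateUser is reported once as HIGH rather than twice; swap the root check upward if you prefer every root action to surface under its own rule.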

How to Run (Local Setup)

  1. Prerequisites:

    • Java 17+
    • Maven
    • An AWS account with CloudTrail logging enabled to an S3 bucket.
    • An IAM user with s3:ListBucket and s3:GetObject permissions on the CloudTrail bucket.
  2. Clone the Repository:

    git clone https://github.com/sohankanna/cloudlog-sentinel.git
    cd cloudlog-sentinel
  3. Configure the Application: Create a file at src/main/resources/application.properties and add your secret credentials. This file is git-ignored and should NEVER be committed.

    # Your AWS Credentials for the IAM user
    aws.accessKeyId=<YOUR_AWS_ACCESS_KEY>
    aws.secretAccessKey=<YOUR_AWS_SECRET_KEY>
    
    # Your AWS Region (e.g., ap-southeast-2)
    aws.region=<YOUR_HOME_REGION>
    
    # The name of your CloudTrail S3 bucket
    app.bucketName=<YOUR_CLOUDTRAIL_S3_BUCKET_NAME>
    
    # Your Discord Webhook URL for alerts
    discord.webhook.url=<YOUR_DISCORD_WEBHOOK_URL>
    
    # H2 Database Configuration (leave this as-is)
    spring.datasource.url=jdbc:h2:file:./data/cloudsentineldb
    spring.datasource.driverClassName=org.h2.Driver
    spring.datasource.username=sa
    spring.datasource.password=
    spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
    spring.h2.console.enabled=true
  4. Run the Application:

    # Run using the Maven wrapper
    ./mvnw spring-boot:run
    
    # Or run from your IDE by starting the CloudsentinelApplication class
  5. Access the Dashboard:

    • Web Dashboard: http://localhost:8080
    • H2 Database Console: http://localhost:8080/h2-console
      • (Use JDBC URL: jdbc:h2:file:./data/cloudsentineldb)

Project Screenshots

Interactive Dashboard with Live Filters

The dashboard provides an at-a-glance summary and allows for filtering by alert severity.

Main Dashboard (All Alerts View): the main view showing the summary counts and all alerts combined. [screenshot]

Filtering by "Critical": shows only the most critical alerts, like privilege escalations and data exfiltration attempts. [screenshot]

Filtering by "High": shows high-priority alerts, such as the creation of new user backdoors or API keys. [screenshot]

Filtering by "Medium": filters for medium-priority events, such as dangerous (but non-critical) actions taken by the Root user. [screenshot]

(Note: the "Low" filter works the same way for failed logins.) [screenshot]

Real-time Discord Notifications

H2 Database Console

About

A full-stack, cloud-native SIEM built with Java/Spring Boot to detect real-time threats in AWS CloudTrail logs.