We could build a better one, but with so many APIs out in the wild, this proof of concept deliberately relies on none.
- Monitors system logs (auth, syslog, kernel)
- Detects SSH brute force, sudo misuse, service instability, kernel errors
- Correlates suspicious SSH successes after failures
- Stores all events in SQLite for analysis
- Prints alerts to console (extensible for email/webhooks later)
- Collects logs → normalizes → stores in SQLite.
- Runs detection rules for common attack & instability patterns.
- Raises alerts when suspicious activity is detected.
- Lightweight, extensible, and no reliance on APIs.
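The pipeline sketched above (collect logs, normalize them, store in SQLite, run detection rules, raise alerts) as an added, self-contained example; this is not the project's own code. It works on a constructed auth.log excerpt embedded in the block, keeps every parsed line in an in-memory SQLite table, and runs three rules: SSH brute force (N failures from one address inside a time window), a successful SSH login from an address with recent failures, and a sudo attempt by a user who is not in sudoers. The syslog year (2024), thresholds and windows are assumptions chosen for the sample.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample auth.log excerpt (not real data): five failed SSH logins from
# 203.0.113.5 within seconds, then a success from the same address, an unrelated
# key-based login from another address, and a sudo attempt by a non-sudoer.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  1 10:00:03 host1 sshd[1002]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  1 10:00:05 host1 sshd[1003]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  1 10:00:07 host1 sshd[1004]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  1 10:00:09 host1 sshd[1005]: Failed password for root from 203.0.113.5 port 51005 ssh2
Mar  1 10:00:20 host1 sshd[1006]: Accepted password for alice from 203.0.113.5 port 51006 ssh2
Mar  1 10:01:00 host1 sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  1 10:02:00 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# Classic syslog line: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_DENIED_RE = re.compile(r"(?P<user>\S+) : user NOT in sudoers")
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample


def normalize(line):
    """Parse one syslog-style line into a flat event dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Mar  1")
    ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    ev = {"ts": ts.isoformat(sep=" "), "host": m["host"], "source": m["proc"],
          "kind": "other", "user": None, "ip": None, "raw": line}
    msg = m["msg"]
    if m["proc"] == "sshd":
        if (f := SSH_FAIL_RE.search(msg)):
            ev.update(kind="ssh_fail", user=f["user"], ip=f["ip"])
        elif (s := SSH_OK_RE.search(msg)):
            ev.update(kind="ssh_success", user=s["user"], ip=s["ip"])
    elif m["proc"] == "sudo" and (d := SUDO_DENIED_RE.search(msg)):
        ev.update(kind="sudo_denied", user=d["user"])
    return ev


def open_store():
    """Create the event store; ":memory:" keeps the example self-contained (use a file path in practice)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (id INTEGER PRIMARY KEY, ts TEXT, host TEXT,
                    source TEXT, kind TEXT, user TEXT, ip TEXT, raw TEXT)""")
    return conn


def ingest(conn, log_text):
    """Normalize every line and keep all of them (kind='other' for unrecognized messages)."""
    rows = [r for r in (normalize(l) for l in log_text.splitlines() if l.strip()) if r]
    conn.executemany("INSERT INTO events (ts, host, source, kind, user, ip, raw) "
                     "VALUES (:ts, :host, :source, :kind, :user, :ip, :raw)", rows)
    conn.commit()
    return len(rows)


def rule_ssh_brute_force(conn, threshold=5, window_s=60):
    """Alert once per source address that produced `threshold` failures inside `window_s` seconds."""
    alerts, by_ip = [], {}
    for ip, ts in conn.execute("SELECT ip, ts FROM events WHERE kind = 'ssh_fail' ORDER BY ip, ts"):
        by_ip.setdefault(ip, []).append(datetime.fromisoformat(ts))
    for ip, times in by_ip.items():
        for i in range(len(times) - threshold + 1):  # sliding window over sorted timestamps
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(("ssh_brute_force", ip, f"{threshold}+ failed SSH logins within {window_s}s"))
                break
    return alerts


def rule_success_after_failures(conn, min_failures=3, window_s=300):
    """Correlate a successful login with failures from the same address in the preceding window."""
    sql = """SELECT s.ip, s.user, s.ts, COUNT(f.id) FROM events s
             JOIN events f ON f.ip = s.ip AND f.kind = 'ssh_fail'
                          AND f.ts < s.ts AND f.ts >= datetime(s.ts, ?)
             WHERE s.kind = 'ssh_success' GROUP BY s.id HAVING COUNT(f.id) >= ?"""
    return [("ssh_success_after_failures", ip, f"login as {user} at {ts} after {n} failures")
            for ip, user, ts, n in conn.execute(sql, (f"-{window_s} seconds", min_failures))]


def rule_sudo_denied(conn):
    """Every sudo attempt by a user outside sudoers is worth an alert on its own."""
    return [("sudo_denied", host, f"user {user} tried sudo but is not in sudoers ({ts})")
            for user, host, ts in conn.execute("SELECT user, host, ts FROM events WHERE kind = 'sudo_denied'")]


def run_detections(log_text):
    """Collect -> normalize -> store -> run rules; returns (kind, where, detail) tuples."""
    conn = open_store()
    ingest(conn, log_text)
    alerts = []
    for rule in (rule_ssh_brute_force, rule_success_after_failures, rule_sudo_denied):
        alerts.extend(rule(conn))
    return alerts


if __name__ == "__main__":
    for kind, where, detail in run_detections(SAMPLE_AUTH_LOG):
        print(f"ALERT [{kind}] {where}: {detail}")
```

Timestamps are stored as `YYYY-MM-DD HH:MM:SS` text so that SQLite's `datetime()` arithmetic and plain string comparison agree; mixing that format with ISO `T` separators would silently break the window check in the correlation rule. To run it against a live host, replace the sample string with the contents of `/var/log/auth.log` and point `open_store` at a file.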
Disclaimer: This is for proof-of-concept purposes only. You may want to build a better one or just not try this at all.
- We suggest buying a SIEM or researching open-source ones like Wazuh (which still has costs): Wazuh - https://wazuh.com/ ; CrowdStrike - https://www.crowdstrike.com