CodcompassCodcompass
← Back to Blog
DevOps2026-05-06Β·37 min read

Building a Production-Ready SOC Triage Tool with Python & Streamlit

By Haningtone stirio

Building a Production-Ready SOC Triage Tool with Python & Streamlit

Current Situation Analysis

Pain Points and Failure Mode Analysis

SOC analysts face a critical scalability bottleneck in manual log triage workflows. The traditional approach relies on linear, repetitive actions that do not scale with alert volume:

  • Time Consumption: Manual investigation of a single suspicious IP requires 5–10 minutes. This involves context-switching between log grep, browser-based threat intelligence lookups (e.g., AbuseIPDB), and ticketing systems.
  • Volume Overload: At scale, investigating 100+ IPs results in 8+ hours of manual labor, exceeding standard shift capacity and delaying incident response.
  • Failure Modes:
    • Analyst Fatigue: Repetitive tasks lead to cognitive decline, increasing the risk of missed threats or false negatives.
    • Inconsistent Enrichment: Manual lookups vary by analyst, leading to non-standardized triage quality and incomplete ticket data.
    • Slow MTTR: The latency between alert generation and actionable insight is measured in hours rather than seconds, allowing attackers to persist in the environment.
  • Why Traditional Methods Fail: Manual workflows cannot parallelize enrichment or detection. Grep-based searching lacks semantic understanding of attack patterns, and manual API calls introduce unacceptable latency.

WOW Moment: Key Findings

Experimental Data Comparison

The SOC Triage Automator demonstrates a paradigm shift from linear manual effort to parallel automated processing. By integrating regex-based detection with bulk API enrichment, the tool achieves near-instant triage capabilities.

Approach Time per IP 100 IP Triage Time Enrichment Method Detection Accuracy Analyst Cognitive Load
Manual Triage 5–10 minutes 8.3 – 16.7 hours Manual Browser Lookup Variable (Human Error) Critical (High)
SOC Triage Tool < 0.005 minutes 30 seconds Automated AbuseIPDB API Consistent (Regex Rules) Minimal (Review Only)

Key Findings:

  • 99% Time Reduction: Total triage workflow reduced from 8+ hours to 30 seconds.
  • Batch Processing: The tool ingests and processes bulk logs, extracting all unique IPs and enriching them in parallel.
  • Actionable Output: Streamlit dashboard presents filtered, enriched data, allowing analysts to focus solely on decision-making rather than data gathering.

Core Solution

Technical Implementation Details

The solution is a Python-based application leveraging Streamlit for rapid UI development, designed to automate the ingestion, detection, and enrichment pipeline.

Architecture Overview:

  1. Ingestion Layer: Parses Apache/Nginx combined log formats to extract request metadata and source IPs.
  2. Detection Engine: Applies optimized REGEX patterns to identify malicious payloads:
    • SQL Injection (SQLi)
    • Cross-Site Scripting (XSS)
    • Path Traversal
  3. Enrichment Service: Integrates with AbuseIPDB API to fetch threat intelligence scores and metadata for extracted IPs.
  4. Presentation Layer: Streamlit dashboard provides interactive filtering, sorting, and export capabilities.

Implementation Highlights:

  • Log Parsing: Robust handling of Apache/Nginx combined log structures ensures accurate extraction of IPs and request URIs.
  • Regex Detection: Custom REGEX patterns target common attack vectors. Patterns are tuned to balance detection coverage with performance.
  • API Integration: Automated calls to AbuseIPDB eliminate manual lookups. The tool aggregates threat scores to prioritize high-risk IPs.
  • Dashboard Features: Clean, actionable interface displaying triage results, threat scores, and attack types.

Live Demo: https://hansec-soc-triage-threat-intelligence-3n25rk85kwfaho2luyss4v.streamlit.app/

Visual Reference: SOC Triage Dashboard

Pitfall Guide

Common Mistakes and Best Practices

  1. Regex Performance Bottlenecks:

    • Risk: Complex or unanchored REGEX patterns can cause significant CPU overhead, especially on large log files, leading to tool hangs.
    • Best Practice: Pre-compile REGEX patterns using re.compile(). Use non-capturing groups where possible and profile regex execution time. Implement timeout mechanisms for pattern matching.

  2. API Rate Limiting and Quotas:

    • Risk: AbuseIPDB and similar APIs enforce rate limits. Bulk enrichment of hundreds of IPs without throttling can result in IP bans or quota exhaustion.
    • Best Practice: Implement rate limiting logic with exponential backoff. Use caching mechanisms (e.g., Redis or local file cache) to store results for previously seen IPs and avoid redundant API calls.

  3. Log Format Variance and Parsing Errors:

    • Risk: Apache/Nginx logs may vary due to custom configurations or modules, causing parsing failures or missing data.
    • Best Practice: Validate log format assumptions. Implement robust error handling for malformed lines. Support multiple log format variations or provide configuration options for custom regex patterns for log parsing.

  4. False Positive Fatigue:

    • Risk: Overly broad REGEX patterns for SQLi/XSS can trigger on benign traffic (e.g., legitimate search queries containing SQL keywords), overwhelming analysts with noise.
    • Best Practice: Tune REGEX patterns based on historical data. Implement confidence scoring or allow analysts to whitelist specific patterns. Regularly review false positives and refine detection rules.

  5. Streamlit Memory Constraints:

    • Risk: Loading massive log files directly into Streamlit memory can cause application crashes or severe performance degradation.
    • Best Practice: Process logs in chunks or streams. Use efficient data structures (e.g., Pandas DataFrames with optimized dtypes). Implement pagination or sampling for display if the result set is too large.

Deliverables

Blueprint and Checklist

πŸ“¦ Downloadable Blueprint:

  • Architecture Diagram: High-level flow of Ingestion β†’ Regex Detection β†’ API Enrichment β†’ Streamlit Dashboard.
  • Data Schema: Definition of log fields, detection payloads, and enrichment metadata structure.
  • Configuration Template: YAML/JSON structure for API keys, log paths, and regex rule sets.

βœ… Implementation Checklist:

  • Environment Setup: Install Python dependencies (streamlit, requests, pandas, re).
  • API Configuration: Obtain AbuseIPDB API key and configure environment variables.
  • Log Validation: Verify Apache/Nginx log format compatibility and test parsing logic.
  • Regex Tuning: Validate detection patterns against known attack samples and benign traffic.
  • Rate Limiting: Implement API throttling and caching strategy.
  • Dashboard Testing: Verify Streamlit UI responsiveness and data accuracy.
  • Deployment: Configure Streamlit Cloud or local server for production access.