A Django REST API backend for a threat monitoring and alert management system, with JWT authentication, role-based access control, and automatic alert generation.
- JWT Authentication with role-based access control (Admin/Analyst)
- Event Ingestion with automatic alert generation for High/Critical severity events
- Alert Management with status tracking and filtering
- RESTful API with pagination, filtering, and ordering
- Swagger/OpenAPI documentation
- Docker containerization support
- PostgreSQL/SQLite database compatibility
- Comprehensive Unit Tests
- Clone and setup:

  ```bash
  git clone https://github.com/imvickykumar999/Threat-Monitoring-Alert-Management-Platform.git
  cd Threat-Monitoring-Alert-Management-Platform
  python3 -m venv .venv
  source .venv/bin/activate
  pip install -r requirements.txt
  ```

- Environment setup:

  ```bash
  cp .env.example .env
  # Edit .env file with your settings
  ```

- Database setup:

  ```bash
  python manage.py makemigrations
  python manage.py migrate
  ```

- Create superuser:

  ```bash
  python manage.py createsuperuser
  ```

- Run server:

  ```bash
  python manage.py runserver
  ```

- Using Docker Compose:

  ```bash
  docker-compose up --build
  ```

- Access the application:
  - API: https://siem.imvickykumar999.dpdns.org/api/
  - Admin: https://siem.imvickykumar999.dpdns.org/admin/
  - Swagger Docs: https://siem.imvickykumar999.dpdns.org/swagger/
API endpoints:

Authentication:
- `POST /api/auth/token/` - Obtain JWT token
- `POST /api/auth/token/refresh/` - Refresh JWT token

Users:
- `GET /api/users/` - List users (Admin only)
- `POST /api/users/` - Create user (Admin only)
- `GET /api/users/{id}/` - Get user details (Admin only)
- `GET /api/users/me/` - Get current user profile

Events:
- `GET /api/events/` - List events with filtering
- `POST /api/events/` - Create event (Admin only)
- `GET /api/events/{id}/` - Get event details

Query Parameters for Events:
- `severity`: Filter by severity (Low/Medium/High/Critical)
- `event_type`: Filter by event type
- `source_name`: Filter by source name
- `ordering`: Order by timestamp, severity, etc.

Alerts:
- `GET /api/alerts/` - List alerts with filtering
- `GET /api/alerts/{id}/` - Get alert details
- `PATCH /api/alerts/{id}/` - Update alert status (Admin only)

Query Parameters for Alerts:
- `status`: Filter by status (Open/Acknowledged/Resolved)
- `severity`: Filter by event severity
- `ordering`: Order by created_at, status, etc.
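The endpoints and query parameters above, exercised from a small Python client. This is an added example and not the project's own client code: it uses only the standard library, builds the `?status=...&severity=...` query string for the alert list, sends the `Authorization: Bearer` header, and refreshes the access token once when the API answers 401. The transport is injectable so the whole flow can be run offline against a stand-in server; the base URL and credentials below are placeholders, and the `access`/`refresh` field names in the token responses are the ones simplejwt returns.

```python
"""Minimal client for the documented endpoints (added example, not project code)."""
from __future__ import annotations

import json
from typing import Any, Callable, Dict, Optional, Tuple
from urllib import request
from urllib.error import HTTPError
from urllib.parse import urlencode

# transport(method, url, headers, body_bytes) -> (http_status, decoded_json)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Any]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, Any]:
    """Real HTTPS transport over urllib; error responses are returned, not raised."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


class SiemClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.access: Optional[str] = None
        self.refresh: Optional[str] = None

    def login(self, username: str, password: str) -> None:
        """POST /api/auth/token/ and keep both tokens in memory only."""
        status, body = self._call("POST", "/api/auth/token/",
                                  {"username": username, "password": password}, auth=False)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        self.access, self.refresh = body["access"], body["refresh"]

    def refresh_access(self) -> None:
        """POST /api/auth/token/refresh/ to replace an expired access token."""
        status, body = self._call("POST", "/api/auth/token/refresh/",
                                  {"refresh": self.refresh}, auth=False)
        if status != 200:
            raise RuntimeError("refresh token rejected; log in again")
        self.access = body["access"]

    def list_alerts(self, **params: str) -> Any:
        """GET /api/alerts/ with filters such as status=Open or severity=High."""
        query = f"?{urlencode(params)}" if params else ""
        return self._authed("GET", f"/api/alerts/{query}")

    def create_event(self, **fields: str) -> Any:
        """POST /api/events/ (Admin only)."""
        return self._authed("POST", "/api/events/", fields)

    def set_alert_status(self, alert_id: int, status: str) -> Any:
        """PATCH /api/alerts/{id}/ (Admin only)."""
        return self._authed("PATCH", f"/api/alerts/{alert_id}/", {"status": status})

    def _authed(self, method: str, path: str, payload: Any = None) -> Any:
        """Send with the bearer token; on 401 refresh once and retry."""
        status, body = self._call(method, path, payload)
        if status == 401 and self.refresh:
            self.refresh_access()
            status, body = self._call(method, path, payload)
        if status == 403:
            raise PermissionError(f"{method} {path} is forbidden for this role")
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {body}")
        return body

    def _call(self, method: str, path: str, payload: Any = None,
              auth: bool = True) -> Tuple[int, Any]:
        headers = {"Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        if auth and self.access:
            headers["Authorization"] = f"Bearer {self.access}"
        return self.transport(method, self.base_url + path, headers, body)
```

A 403 is surfaced as `PermissionError` so an Analyst calling an Admin-only endpoint fails loudly instead of being retried; a 401 is the only status that triggers a token refresh, and only once per request.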
Alert generation rules:
- When an Event is created with severity "High" or "Critical", an Alert is automatically created
- Alerts are linked to their triggering events
- Alert status defaults to "Open"

Roles:
- Admin: Full access to all endpoints and can update alert status
- Analyst: Read-only access to events and alerts
Usage examples:

Obtain a JWT token and use it in requests:

```bash
# Get JWT token
curl -X POST https://siem.imvickykumar999.dpdns.org/api/auth/token/ \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "password"}'

# Use token in requests
curl -H "Authorization: Bearer <your-token>" \
  https://siem.imvickykumar999.dpdns.org/api/events/
```

Create an event (Admin only):

```bash
curl -X POST https://siem.imvickykumar999.dpdns.org/api/events/ \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "source_name": "Firewall",
    "event_type": "intrusion_attempt",
    "severity": "High",
    "description": "Suspicious login attempt detected"
  }'
```

Query alerts:

```bash
# Get open alerts
curl -H "Authorization: Bearer <your-token>" \
  "https://siem.imvickykumar999.dpdns.org/api/alerts/?status=Open"

# Get high severity alerts
curl -H "Authorization: Bearer <your-token>" \
  "https://siem.imvickykumar999.dpdns.org/api/alerts/?severity=High"
```

Update alert status (Admin only):

```bash
curl -X PATCH https://siem.imvickykumar999.dpdns.org/api/alerts/1/ \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{"status": "Resolved"}'
```

Data models:

User:
- Extends Django's AbstractUser
- Additional field: `role` (admin/analyst)

Event:
- `source_name`: Source system name
- `event_type`: Type of security event
- `severity`: Low/Medium/High/Critical
- `description`: Event details
- `timestamp`: Auto-generated timestamp

Alert:
- `event`: Foreign key to Event
- `status`: Open/Acknowledged/Resolved
- `created_at`: Auto-generated timestamp
- `resolved_at`: Set when status becomes "Resolved"
Run the test suite:

```bash
python manage.py test monitoring
```

Test coverage includes:
- User role functionality
- Automatic alert creation for High/Critical events
- API permissions and access control
- Alert status updates
- Filtering and pagination
- Immutable Events: Security events are treated as immutable logs. If an event has the wrong severity, a new corrected event should be ingested rather than patching the old one.
- Alert Deletion: Analysts are restricted from deleting alerts to maintain audit trails; they can only view them.
- Single Admin Level: The system currently assumes a single tier of Admin privilege (Superuser) rather than granular permission groups.
- Timezones: All timestamps are stored in UTC (or Asia/Kolkata as configured) to ensure consistency across distributed systems.
Create a .env file with:

```env
DEBUG=True
SECRET_KEY=your-secret-key-here
ALLOWED_HOSTS=localhost,127.0.0.1
DATABASE_URL=sqlite:///db.sqlite3
JWT_ACCESS_TOKEN_LIFETIME_HOURS=1
JWT_REFRESH_TOKEN_LIFETIME_DAYS=7
```

Production checklist:
- Set DEBUG=False
- Use PostgreSQL database
- Configure ALLOWED_HOSTS
- Use strong SECRET_KEY
- Enable HTTPS
- Configure static files serving
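The sample `.env` and the production checklist above, turned into a check that can be run before deploying. This is an added example, not part of the project: it parses the `KEY=VALUE` file format, converts the two JWT lifetime settings to `timedelta`s, and reports every setting that still has its development value (the 50-character `SECRET_KEY` floor is the one Django's own deployment check uses; the other thresholds are this example's choices). `DEV_ENV` is the README's sample file; `PROD_ENV` is a constructed hardened counterpart with a placeholder key and hostname.

```python
"""Check a .env file against the production checklist (added example, not project tooling)."""
from __future__ import annotations

from datetime import timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlparse

PLACEHOLDER_KEYS = {"your-secret-key-here", "changeme", ""}
SECRET_KEY_MIN_LENGTH = 50   # same floor as Django's deployment check

# Constructed from the README's sample .env (development values).
DEV_ENV = """\
# Edit .env file with your settings
DEBUG=True
SECRET_KEY=your-secret-key-here
ALLOWED_HOSTS=localhost,127.0.0.1
DATABASE_URL=sqlite:///db.sqlite3
JWT_ACCESS_TOKEN_LIFETIME_HOURS=1
JWT_REFRESH_TOKEN_LIFETIME_DAYS=7
"""

# Constructed hardened counterpart; key, host and DB credentials are placeholders.
PROD_ENV = """\
DEBUG=False
SECRET_KEY="example-only-not-a-real-key-0123456789abcdefghijklmnop"
ALLOWED_HOSTS=siem.example.invalid
DATABASE_URL=postgres://siem:REDACTED@db:5432/siem
JWT_ACCESS_TOKEN_LIFETIME_HOURS=1
JWT_REFRESH_TOKEN_LIFETIME_DAYS=7
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped,
    matching surrounding single or double quotes on a value are stripped."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def as_bool(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def jwt_lifetimes(env: Dict[str, str]) -> Tuple[timedelta, timedelta]:
    """Access and refresh lifetimes as timedeltas, using the README's defaults."""
    access = timedelta(hours=int(env.get("JWT_ACCESS_TOKEN_LIFETIME_HOURS", "1")))
    refresh = timedelta(days=int(env.get("JWT_REFRESH_TOKEN_LIFETIME_DAYS", "7")))
    return access, refresh


def production_findings(env: Dict[str, str]) -> List[str]:
    """Return one message per checklist item that is not satisfied."""
    findings: List[str] = []
    if as_bool(env.get("DEBUG", "False")):
        findings.append("DEBUG=True exposes tracebacks and settings; set DEBUG=False")
    key = env.get("SECRET_KEY", "")
    if key in PLACEHOLDER_KEYS or len(key) < SECRET_KEY_MIN_LENGTH:
        findings.append(f"SECRET_KEY is a placeholder or shorter than {SECRET_KEY_MIN_LENGTH} characters")
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS must list the real hostnames, not be empty or '*'")
    if not urlparse(env.get("DATABASE_URL", "")).scheme.startswith("postgres"):
        findings.append("DATABASE_URL should point at PostgreSQL in production")
    access, refresh = jwt_lifetimes(env)
    if access > timedelta(hours=1):
        findings.append("access token lifetime over 1 hour widens the window for a leaked token")
    if refresh > timedelta(days=7):
        findings.append("refresh token lifetime over 7 days")
    return findings


if __name__ == "__main__":
    for name, text in (("dev", DEV_ENV), ("prod", PROD_ENV)):
        print(name, production_findings(parse_env(text)) or "OK")
```

Running it against the README's sample file reports the DEBUG, SECRET_KEY and SQLite items; against the hardened file it reports nothing, which is the state to require before `docker-compose.prod.yml` is brought up.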
Build and run the production stack:

```bash
docker-compose -f docker-compose.prod.yml up --build
```

Security features:
- JWT token authentication
- Role-based access control
- Input validation and sanitization
- SQL injection prevention
- Permission checks on all endpoints
- Secure password hashing
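What the JWT authentication layer has to check on every request, shown with the standard library only. This is an added example, not simplejwt's implementation: it mints and verifies HS256 tokens, rejects any `alg` other than the expected one, compares signatures in constant time, enforces `exp` against the configured lifetime, and refuses a refresh token presented where an access token is expected. The `token_type`, `user_id` and `exp` claim names are the ones simplejwt uses; the `role` claim and the secret are this example's own.

```python
"""Stdlib-only HS256 JWT mint/verify illustrating the access-token checks (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class InvalidToken(Exception):
    """Raised for any token that must not be accepted; the API would answer 401."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: str, user_id: int, role: str, token_type: str = "access",
               lifetime_s: int = 3600, now: Optional[int] = None) -> str:
    """Issue a signed token; lifetime_s corresponds to JWT_*_LIFETIME_* in .env."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"user_id": user_id, "role": role, "token_type": token_type,
              "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(secret: str, token: str, expected_type: str = "access",
                 now: Optional[int] = None) -> Dict[str, Any]:
    """Return the claims only if signature, algorithm, expiry and token type all pass."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except ValueError:          # covers bad padding, bad JSON and wrong segment count
        raise InvalidToken("malformed token")
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")   # never trust the header's choice
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidToken("expired")
    if claims.get("token_type") != expected_type:
        raise InvalidToken("wrong token type")
    return claims


if __name__ == "__main__":
    tok = mint_token("example-secret", user_id=1, role="admin")
    print(verify_token("example-secret", tok))
```

Verification is done before any role check: the `role` claim is only trusted once the signature over it has been confirmed, and the short access lifetime from `.env` is what bounds the damage from a token that leaks.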
Full API documentation is available at /swagger/ when the server is running.
Project structure:

```text
threat_monitoring_platform/
├── monitoring/
│   ├── models.py           # Database models
│   ├── serializers.py      # DRF serializers
│   ├── views.py            # API viewsets
│   ├── urls.py             # App URL routing
│   ├── permissions.py      # Custom permissions
│   ├── admin.py            # Django admin config
│   └── tests.py            # Unit tests
├── threat_monitoring_platform/
│   ├── settings.py         # Django settings
│   ├── urls.py             # Main URL routing
│   └── wsgi.py
├── Dockerfile
├── docker-compose.yml
├── requirements.txt
├── .env.example
└── README.md
```
- Backend: Django 4.2+, Django REST Framework
- Authentication: JWT (djangorestframework-simplejwt)
- Database: SQLite (dev) / PostgreSQL (prod)
- Documentation: Swagger/OpenAPI (drf-yasg)
- Containerization: Docker & Docker Compose
- Filtering: django-filter
This project is licensed under the MIT License.
