A production-grade SOC platform for UPI fraud detection, SIEM integration, and AI-assisted incident response.
ThreatLens is a production-grade AI-powered Security Operations Center (SOC) platform built for detecting UPI fraud in real time.
It combines:
- Machine Learning fraud detection
- SIEM-based detection engineering
- MITRE ATT&CK mapped alerting
- AI SOC analyst for incident triage
- Real-time dashboard monitoring
- Purple team attack simulation
- Automated PDF reporting
- Slack critical alerting
This project simulates how a real SOC handles financial fraud incidents from detection to response.
Frontend: https://threat-lens-weld.vercel.app
Backend API: https://threatlens-em87.onrender.com/docs
- XGBoost-based fraud detection model
- Real-time UPI transaction monitoring
- Multiple fraud scenario detection:
- Card Testing
- Velocity Abuse
- Large Fraud
- Account Takeover
- Bot Attack
- Wazuh SIEM integration
- Custom XML detection rules
- Sigma detection rules
- MITRE ATT&CK mapping
- Real log ingestion pipeline
- Live WebSocket alert feed
- Severity triage
- Case management workflow
- Alert drill-down view
- Threat context visualization
- SHAP explainability for fraud predictions
- Top contributing feature visualization
- Transparent ML decision-making
AI-powered incident response assistant that provides:
- Executive summaries
- Risk analysis
- MITRE technique explanation
- Response recommendations
- Analyst-style incident triage
- One-click PDF report generation
- Slack webhook alerting
- Incident workflow tracking
- Fraud attack simulations
- Detection validation
- SOC pipeline testing
```text
ThreatLens Architecture

fraud_generator.py
  Writes UPI logs to /var/log/upi_transactions.log
        |
        |  file monitoring
        v
Wazuh Manager 4.7
  Custom rules: fraud_rules.xml
  MITRE ATT&CK mapping
        |
        |  alerts.json
        v
bridge.py
  Tails Wazuh alerts
  POSTs to FastAPI
        |
        |  HTTP POST
        v
Cloud (Production)
FastAPI Backend (Render)  ------> Supabase PostgreSQL (Mumbai)
  - Alert ingestion
  - XGBoost ML scoring
  - SHAP explainability
  - ARIA AI analyst (Groq)
  - PDF report generation
  - Slack notifications   ------> Slack Webhook (critical alerts)
  - WebSocket broadcast
        |
        |  WebSocket + REST
        v
React Frontend (Vercel)
  - Live alert queue
  - SHAP visualization
  - Case management
  - ARIA chat interface
  - PDF export
```
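The bridge step above tails Wazuh's `alerts.json` and forwards fraud alerts to the backend. The following is an added example (not the project's own `bridge.py`) of the normalisation that step needs: it parses alerts.json lines, keeps only alerts in the `fraud` rule group, pulls the MITRE technique IDs Wazuh attaches under `rule.mitre.id`, and maps the Wazuh rule level to a triage severity. The sample alert lines and the severity thresholds are constructed assumptions, not values from the project.

```python
import json
from typing import Iterator, Optional

# Constructed sample of Wazuh alerts.json lines (one JSON object per line),
# in the shape the Wazuh manager writes; rule IDs, techniques and log
# contents are made up for this example.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T10:00:01.000+0000","rule":{"level":12,"description":"UPI velocity abuse: 6 transfers in 60s","id":"100002","mitre":{"id":["T1110"]},"groups":["upi","fraud"]},"agent":{"name":"upi-vm"},"full_log":"txn_id=TX1 upi_id=alice@upi amount=499"}
{"timestamp":"2024-05-01T10:00:02.000+0000","rule":{"level":3,"description":"Wazuh agent started","id":"503","groups":["wazuh"]},"agent":{"name":"upi-vm"}}
{"timestamp":"2024-05-01T10:00:03.000+0000","rule":{"level":8,"description":"UPI card testing pattern","id":"100001","mitre":{"id":["T1110.001"]},"groups":["upi","fraud"]},"agent":{"name":"upi-vm"}}
not valid json
"""


def level_to_severity(level: int) -> str:
    """Assumed severity bands for Wazuh rule levels (0-15); the project's
    own thresholds may differ."""
    if level >= 12:
        return "critical"
    if level >= 8:
        return "high"
    if level >= 5:
        return "medium"
    return "low"


def normalize_alert(line: str) -> Optional[dict]:
    """Turn one alerts.json line into the body the backend would receive.
    Returns None for malformed lines and for alerts outside the fraud group,
    so a corrupt or unrelated line never aborts the tail loop."""
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        return None
    rule = alert.get("rule", {})
    if "fraud" not in rule.get("groups", []):
        return None
    level = int(rule.get("level", 0))
    return {
        "rule_id": rule.get("id"),
        "description": rule.get("description", ""),
        "level": level,
        "severity": level_to_severity(level),
        "mitre_techniques": rule.get("mitre", {}).get("id", []),
        "agent": alert.get("agent", {}).get("name"),
        "timestamp": alert.get("timestamp"),
        "raw_log": alert.get("full_log", ""),
    }


def bridge_payloads(lines: Iterator[str]) -> list:
    """Consume tailed alerts.json lines; each returned dict is one POST body."""
    return [p for p in (normalize_alert(l) for l in lines if l.strip()) if p]
```

In a live bridge each returned dict would be sent to the FastAPI ingestion endpoint; here the payloads are only built so the example runs offline.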
- React
- Vite
- Tailwind CSS
- FastAPI
- SQLAlchemy
- WebSockets
- XGBoost
- SHAP
- Scikit-learn
- Pandas
- NumPy
- Wazuh
- Sigma Rules
- MITRE ATT&CK
- Supabase PostgreSQL
- Render
- Vercel
- Slack Webhooks
- Groq API
- LLaMA 3
The ML model is trained on the Credit Card Fraud Detection dataset from Kaggle.
- Download `creditcard.csv` from the link above
- Place it at `ml/creditcard.csv`
- Run `python ml/train_model.py`; this generates `fraud_model.pkl` and `shap_explainer.pkl`
Note: the pre-trained model files (`fraud_model.pkl`, `shap_explainer.pkl`) are already committed to the repo, so you can skip training and run the backend directly.
```text
ThreatLens/
│
├── backend/
│   ├── app/
│   └── requirements.txt
│
├── frontend/
│   └── src/
│
├── ml/
│   ├── train_model.py
│   ├── fraud_model.pkl
│   └── shap_explainer.pkl
│
├── wazuh/
│   ├── fraud_generator.py
│   ├── bridge.py
│   ├── fraud_rules.xml
│   └── sigma/
│
├── attack_simulation/
├── screenshots/
└── docs/
```
Clone the repository:
```bash
git clone https://github.com/lvb05/ThreatLens.git
cd ThreatLens
```
Backend setup:
```bash
cd backend
python -m venv venv
# Windows
venv\Scripts\activate
# Linux/Mac
source venv/bin/activate
pip install -r requirements.txt
```
Create `.env`:
```
DATABASE_URL=your_database_url
SECRET_KEY=your_secret_key
GROQ_API_KEY=your_groq_api_key
SLACK_WEBHOOK_URL=your_slack_webhook
```
Run backend:
```bash
uvicorn app.main:app --reload
```
Frontend setup:
```bash
cd frontend
npm install
npm run dev
```
Train the ML model (optional, see the note above):
```bash
python ml/train_model.py
```
Wazuh pipeline (Ubuntu VM):
```bash
python3 fraud_generator.py
sudo python3 bridge.py
```
ThreatLens detects:
- Card Testing
- Velocity Abuse
- Large Fraud
- Account Takeover
- Bot Activity
Mapped to MITRE ATT&CK techniques for security analyst visibility.