Courra-Sec: A Full-Stack, Multi-Tenant Security Information and Event Management Platform with ML-Augmented Threat Detection, SOAR Automation, Compliance Reporting, and Drop-In Browser Telemetry
Published Online: March-April 2026
Pages: 421-433
DOI: https://www.doi.org/10.59256/ijire.20260702049
Abstract
The escalating complexity of web-application threat landscapes demands security tooling that is simultaneously comprehensive, cost-effective, and operationally self-contained. Enterprise Security Information and Event Management (SIEM) platforms address detection at scale but impose licensing costs exceeding USD $50,000 annually, placing them beyond reach for small-to-medium organisations and academic environments. This paper presents Courra-Sec, an open-source, production-grade, multi-tenant SIEM implemented as a full-stack Python/Flask platform comprising 20 backend modules, 20 database models, 123 API routes, and 29 HTML dashboard templates. Courra-Sec integrates four log ingestion channels (HTTP REST, WebSocket, RFC 3164/5424 Syslog, and file upload), a six-pattern log normalisation engine, five built-in detection rules, a three-tier custom rule system with a Python DSL sandbox, a time-windowed correlation engine, and a machine learning pipeline combining Isolation Forest anomaly detection with User and Entity Behaviour Analytics (UEBA). The system further provides automated Security Orchestration, Automation and Response (SOAR) with ten playbook action types; threat intelligence integration with AlienVault OTX, VirusTotal v3, and MISP; full incident case management with SLA tracking; compliance report generation for PCI-DSS, HIPAA, SOC2, and ISO 27001 frameworks; a KQL-style unified search engine; asset inventory management; a Prometheus observability stack; and a drop-in JavaScript browser SDK requiring a single script tag. The multi-tenant architecture enforces complete organisational data isolation through API-key-authenticated ingest and organisation_id-scoped database queries, deployable on a Hostinger KVM2 virtual private server (2 vCPU, 8 GB RAM, 100 GB NVMe SSD) providing full root access, persistent storage, and continuous 24/7 uptime.
Experimental evaluation on 50,000 synthetic log events demonstrates a mean detection F1 score of 0.961 across six attack categories with a false-positive rate of 3.1% and sustained WebSocket ingest throughput exceeding 1,500 events per second; results are averaged over five independent runs and standard deviation is reported to ensure statistical stability.
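The organisation_id-scoped isolation summarised in the abstract, as an added illustration rather than code from the Courra-Sec paper or project: an ingest API key resolves to a tenant, any organisation_id the client places in the event body is discarded, and every search is filtered by tenant before any other predicate is applied. The SHA-256 key digests, constant-time comparison and in-memory event store are assumptions of this example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

def _digest(key: str) -> str:
    # Store only a digest of each ingest key so a leaked table does not
    # expose raw credentials (assumption of this example, not the paper's design).
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed sample tenants: key digest -> organisation_id
API_KEYS: Dict[str, str] = {
    _digest("org-a-key-constructed"): "org_a",
    _digest("org-b-key-constructed"): "org_b",
}

EVENTS: List[dict] = []  # in-memory stand-in for the events table

def resolve_org(api_key: str) -> Optional[str]:
    """Map an ingest API key to its organisation_id (None if unknown).
    Digests are compared in constant time to avoid a timing side channel."""
    presented = _digest(api_key)
    for stored, org in API_KEYS.items():
        if hmac.compare_digest(stored, presented):
            return org
    return None

def ingest(api_key: str, event: dict) -> Tuple[int, dict]:
    """HTTP-style ingest: the tenant is derived from the key, never from the body."""
    org = resolve_org(api_key)
    if org is None:
        return 401, {"error": "invalid api key"}
    # Drop any client-supplied organisation_id, then stamp the authenticated one.
    stored = {k: v for k, v in event.items() if k != "organisation_id"}
    stored["organisation_id"] = org
    EVENTS.append(stored)
    return 202, {"organisation_id": org}

def search(org: str, **filters) -> List[dict]:
    """Every query is scoped by organisation_id before user-supplied filters apply."""
    return [e for e in EVENTS
            if e["organisation_id"] == org
            and all(e.get(k) == v for k, v in filters.items())]

if __name__ == "__main__":
    print(ingest("org-a-key-constructed", {"msg": "login failed", "organisation_id": "org_b"}))
    print(search("org_b", msg="login failed"))  # cross-tenant read yields nothing
```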