top of page
Search

Building Real-Time Email Alerts for a SOC System (Elastic Stack + Node.js)


Introduction

In a modern Security Operations Center (SOC), detecting threats is not enough — timely notification is critical. While dashboards provide visibility, real-time alerting ensures immediate response to security incidents.

In this phase of my project, I implemented multi-channel alerting (Telegram + Email) along with an anti-spam mechanism, transforming the system into a more realistic SOC solution.


Why Multi-Channel Alerting?

Relying on a single alerting channel is risky. By combining Telegram and Email, we gain:

  • Instant notifications (Telegram)

  • Reliable communication (Email)

  • Redundancy in alert delivery


Detection Logic

The system monitors Windows Security logs:

  • Event ID 4625 → Failed login attempt

  • Aggregation by username

  • Threshold-based detection

Rule:

If failed login attempts ≥ 5 → Trigger alert

Backend API

GET /api/detect/bruteforce

This endpoint:

  1. Queries ElasticSearch

  2. Aggregates failed login attempts

  3. Applies detection rules

  4. Sends alerts

Alerting Implementation

🔸 Telegram

await axios.post(`https://api.telegram.org/bot<TOKEN>/sendMessage`, {
  chat_id: "<CHAT_ID>",
  text: message
});

🔸 Email

await transporter.sendMail({
  from: 'your_email@gmail.com',
  to: 'receiver@gmail.com',
  subject: '🚨 SOC Alert - Brute Force Detected',
  text: message
});

Multi-Channel Trigger

await sendTelegramAlert(msg);
await sendEmailAlert(msg);

Preventing Alert Spam (Cooldown Mechanism)

One major challenge in real-world SOC systems is alert flooding. Without control, the system may send hundreds of alerts for the same attack.

To solve this, I implemented a cooldown mechanism.

Concept

  • Store the last alert time per user

  • Only send a new alert if enough time has passed

Implementation

const alertCache = {};
const COOLDOWN = 60 * 1000; // 1 minute

for (let user of buckets) {

  const now = Date.now();
  const lastTime = alertCache[user.key] || 0;

  if (user.doc_count >= 5 && (now - lastTime > COOLDOWN)) {

    const msg = "🚨 Brute Force Detected!\nUser: " 
      + user.key + "\nAttempts: " + user.doc_count;

    await sendTelegramAlert(msg);
    await sendEmailAlert(msg);

    alertCache[user.key] = now;
  }
}

Result

  • ❌ No more alert spam

  • ✅ Controlled notifications

  • ✅ More realistic SOC behavior

Testing

After generating multiple failed login attempts:

  • Alerts were triggered once

  • No repeated spam within the cooldown period

Challenges & Lessons Learned

  • ❗ Avoiding duplicate alerts

  • ❗ Managing async alert flows

  • ❗ Debugging Telegram & SMTP errors

  • ❗ Designing realistic detection logic


Outcome

The system now includes:

  • Real-time brute-force detection

  • Telegram alerting

  • Email alerting

  • Anti-spam cooldown logic


Conclusion

By adding a cooldown mechanism, the alerting system becomes significantly more practical and production-ready. This ensures that security teams receive meaningful alerts without being overwhelmed.

🚨 From detection to intelligent alerting — building real-world SOC systems step by step.



 
 
 

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page