DEV Community

Cover image for I Gave My Home SOC a Local Gemma 4 Analyst
chris wilson
chris wilson

Posted on

I Gave My Home SOC a Local Gemma 4 Analyst

#devchallenge #gemmachallenge #gemma #cybersecurity

Gemma 4 Challenge: Build With Gemma 4 Submission

This is a submission for the Gemma 4 Challenge: Build with Gemma 4

What I Built

I built NetGuard Gemma 4 Local SOC Analyst, a local-first cybersecurity demo that uses Gemma 4 as an analyst for sanitized security telemetry.

Most security dashboards tell you what fired.

They do not always tell you what happened.

This project takes a block of sanitized Suricata/Wazuh-style logs and asks Gemma 4 to connect the events into a structured incident report. Instead of treating every alert as an isolated line, the model reads the event window and returns:

  • incident summary
  • severity
  • confidence
  • attack chain
  • timeline
  • indicators of compromise
  • triage recommendations

The goal is to give a small SOC workflow a local analyst layer: something that can read noisy telemetry, connect related events, and produce a usable incident report without sending sensitive logs to a hosted model.

Demo

The local demo includes:

  • GET / health check
  • POST /analyze for single-event analysis
  • POST /analyze-logs for the main log-autopsy workflow
  • GET /ui for a simple browser demo
  • GET /sample-logs for sanitized sample telemetry

Demo flow:

  1. Start the local FastAPI server.
  2. Open the /ui page.
  3. Click Load sample logs.
  4. Click Analyze logs.
  5. Gemma 4 returns a structured incident report.

The sample log window includes a multi-stage pattern:

  1. TCP scan
  2. SQL injection-style probe
  3. SSH brute force attempts
  4. successful login
  5. privileged payload download
  6. script execution
  7. outbound shell behavior
  8. suspicious root-level user creation

The important part is that Gemma 4 is asked to connect the sequence, not just summarize one alert.

Demo video: Silent walkthrough showing the GitHub repo, local NetGuard UI, sanitized sample logs, and Gemma 4 structured incident output.

GitHub Release: https://github.com/cbw29512/GeminiHackathon/releases/tag/demo-v1

Code

Repository:

https://github.com/cbw29512/GeminiHackathon

Core files:

  • main.py — FastAPI routes and local API guardrails
  • services/llm_analyzer.py — Gemma 4 prompt and response parsing logic
  • services/schemas.py — Pydantic schemas for validated output
  • scripts/sanitize_logs.py—sanitizer for SOC-shaped logs
  • templates/index.html — minimal local web UI
  • `tests/ "— validation tests

The project passed its final local audit with: ** 11 passed**.

I also added guardrails so oversized log windows are rejected before being sent into local inference.

How I Used Gemma 4

I used Gemma 4 E4B Q8_0 locally through Ollama.

Gemma 4 is the core reasoning engine of the project. It is not being used only for copywriting or generic chatbot responses.

The main endpoint is POST /analyze-logs.

That endpoint sends Gemma 4 a sanitized log window and asks it to return a strict JSON incident report containing:

  • incident_summary
  • severity
  • confidence
  • attack_chain
  • timeline
  • iocs
  • triage_recommendations

I chose the E4B model because this project needs local reasoning over security logs, not a huge hosted model. The goal was to keep the system practical on local hardware while still using Gemma 4 for the central analysis task.

Privacy And Local-First Design

Security logs can expose internal IPs, usernames, hostnames, and network behavior.

That is why this project is designed around local inference and sanitized input.

The sanitizer preserves useful event structure while replacing sensitive values. This lets the model reason over realistic telemetry without exposing private data in the demo.

The local-first design uses:

  • FastAPI on 127.0.0.1
  • Ollama for local model runtime
  • Pydantic for schema validation
  • sanitized sample logs
  • no committed model binary
  • no committed secrets
  • no committed raw captures

What I Learned

The strongest version of this project was not single-alert analysis.

The stronger idea was log-window autopsy.

A single alert can tell you something suspicious happened. A sequence of events can tell you the story of the incident.

That is where Gemma 4 became valuable: reading multiple related events and turning them into an analyst-style report.

What I Would Build Next

Next, I would extend the UI into a richer NetGuard dashboard panel with:

  • upload support for local sanitized logs
  • side-by-side raw alert stream and Gemma incident report
  • exportable analyst reports
  • confidence notes for each attack-chain stage
  • larger event windows
  • human review notes for triage decisions

Final Thoughts

This project is about giving a small SOC workflow a local analyst brain.

Gemma 4 reads the evidence window, connects the related activity, and returns a structured report that a defender can actually use.

That is the heart of the build.

Top comments (0)