Log File Analysis
1. Select or Generate Log Files

In [27]:
%pip install pandas

Defaulting to user installation because normal site-packages is not writeableNote: you may need to restart the kernel to use updated packages.



2. Read and Parse the Log Files

In [None]:
import pandas as pd

#Selecting log files from part 1 here
url = 'Windows_2k.log_structured.csv'
logs = pd.read_csv(url)
print(logs)



3. Filter relevant data

In [29]:
#combing through log files for suspicious activity, we chose warnings and failed login attempts
sus_logs =  logs[logs['Content'].str.contains('Warning') | 
                        logs['Content'].str.contains('Failed')]

print(sus_logs)

      LineId        Date      Time Level Component  \
10        11  2016-09-28  04:30:31  Info       CBS   
11        12  2016-09-28  04:30:31  Info       CBS   
13        14  2016-09-28  04:30:31  Info       CBS   
25        26  2016-09-28  04:30:31  Info       CBS   
27        28  2016-09-28  04:30:31  Info       CBS   
...      ...         ...       ...   ...       ...   
1430    1431  2016-09-29  02:03:49  Info       CBS   
1432    1433  2016-09-29  02:03:49  Info       CBS   
1434    1435  2016-09-29  02:03:49  Info       CBS   
1436    1437  2016-09-29  02:03:49  Info       CBS   
1609    1610  2016-09-29  02:04:11  Info       CBS   

                                                Content EventId  \
10    SQM: Failed to start upload with file pattern:...     E39   
11    SQM: Failed to start standard sample upload. [...     E38   
27    Failed to get next element [HRESULT = 0x800f08...     E20   
...                                                 ...     ...   
1430  Failed to 

4. Generate a summary report

In [30]:
#this was our script to create a summary report of the logs, simply listing all the suspicious logs found
sum_report = open('summary_report.txt', 'w')
sum_report.write(f"Total suspicious logs found: {len(sus_logs)}\n")
for log in sus_logs:
    sum_report.write(log + '\n')

sum_report = open('summary_report.txt', 'r')
report = sum_report.read()
print(report)

Total suspicious logs found: 530
LineId
Date
Time
Level
Component
Content
EventId
EventTemplate



System performance monitoring
1. Install psutil library

2. Collect system metrics

In [31]:
import psutil
#get CPU usage
cpu_usage = psutil.cpu_percent(interval=1)
print(f"CPU Usage: {cpu_usage}%")

#get memory usage
memory_info = psutil.virtual_memory()
print(f"Memory Usage: {memory_info.percent}%")

CPU Usage: 8.1%
Memory Usage: 49.1%


3. Log the performance data

In [32]:
#Here we logged the data to a text file
perf_logs = open('performance_log.txt','a')
perf_logs.write(f"CPU: {cpu_usage}%, Memory: {memory_info.percent}%\n")

perf_logs = open('performance_log.txt', 'r')
perf_report = perf_logs.read()
print(perf_report)


CPU: 7.9%, Memory: 48.3%
CPU: 7.9%, Memory: 48.3%
CPU: 12.8%, Memory: 50.7%
CPU: 5.3%, Memory: 44.2%
CPU: 6.2%, Memory: 41.7%
CPU: 10.3%, Memory: 49.2%
CPU: 4.4%, Memory: 50.8%
CPU: 8.1%, Memory: 49.1%



4. Generate alerts for high usage

In [33]:
if cpu_usage > 90:
    print("ALERT: High CPU usage detected!")

Alert generation
1. Define the event to monitor

2. Send alerts via email

In [38]:
#Here we set up the email alert to send
import smtplib
from email.message import EmailMessage
sender = 'cyse130g5@gmail.com'
receiver = 'dillon.furey@gmail.com'
password = 'giyu nrry bupm wawb'

def send_alert(subject, body):
    msg = EmailMessage()
    msg.set_content(body)
    msg['Subject'] = subject
    msg['From'] = sender
    msg['To'] = receiver

    try:
        with smtplib.SMTP_SSL('smtp.gmail.com', 465) as smtp:
            smtp.login(sender, password)
            smtp.send_message(msg)
        print('Email sent successfully')
    except Exception as failed:
        print(f'Email failed to send: {failed}')



if cpu_usage > 90:
    send_alert('High CPU Usage Alert', f'CPU Usage is {cpu_usage}%')

3. Log alerts

Automate routine security checks
1. Install and use nmap for vulnerability scanning

In [35]:
import subprocess

#here we used nmap to scan a generic host for vulnerable ports

def run_nmap(target):
    result = subprocess.run(['nmap', '-sV', target], capture_output=True, text=True)
    print(result.stdout)

run_nmap('127.0.0.1') #Scan localhost

Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-04 13:48 Eastern Standard Time
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0010s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
9000/tcp open  zmtp          ZeroMQ ZMTP 2.0
9001/tcp open  zmtp          ZeroMQ ZMTP 2.0
9002/tcp open  zmtp          ZeroMQ ZMTP 2.0
9003/tcp open  zmtp          ZeroMQ ZMTP 2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds



2. Monitor network traffic with scapy

In [36]:
from scapy.all import *

#captured network packets with scapy here

def monitor_packets(pkt):
    if pkt.haslayer(TCP) and pkt.haslayer(IP):
        print(f"Source IP: {pkt[IP].src}, Destination IP: {pkt[IP].dst}")

sniff(prn=monitor_packets, count = 10) #capturing 10 packets

Source IP: 10.151.218.133, Destination IP: 20.189.173.7
Source IP: 10.151.218.133, Destination IP: 20.189.173.7
Source IP: 10.151.218.133, Destination IP: 20.189.173.7
Source IP: 20.189.173.7, Destination IP: 10.151.218.133
Source IP: 20.189.173.7, Destination IP: 10.151.218.133
Source IP: 162.159.136.234, Destination IP: 10.151.218.133
Source IP: 10.151.218.133, Destination IP: 52.182.141.63


<Sniffed: TCP:7 UDP:3 ICMP:0 Other:0>