Sevdevs/Windows-Log-Analyzer

SOC Log Analyzer

SOC Log Analyzer is a CLI tool that parses Windows event logs (JSONL or CSV) and highlights suspicious activity. It is designed for a cybersecurity portfolio and demonstrates log normalization, rule-based detections, and reporting.

Features

  • Detects bursts of failed logons (event ID 4625) within a configurable time window (--window-min, --min-failed).
  • Flags successful logons (event ID 4624).
  • Flags privileged logons (event ID 4672).
  • Flags logoffs (event ID 4634).
  • Flags explicit credential logons (event ID 4648).
  • Flags account lockouts (event ID 4740).
  • Flags process creation (event ID 4688).
  • Flags scheduled tasks created (event ID 4698).
  • Flags audit policy changes (event ID 4719).
  • Flags log clears (event ID 1102).
  • Flags service installs (event ID 7045; written to the System log, not Security, so it only appears in exports that include that log).
  • Flags account creation and admin group changes (event IDs 4720, 4728, 4732).
  • Flags account management events (event IDs 4722, 4723, 4724, 4725, 4738, 4767).
  • Flags security group changes (event IDs 4727, 4730, 4756, 4757).
  • Flags Kerberos/NTLM activity (event IDs 4768, 4769, 4771, 4776).
  • Supports JSON output for further tooling.

Requirements

  • Python 3.10+

Quick Start

python -m soc_log_analyzer.cli
python -m soc_log_analyzer.cli data/sample_events.jsonl --window-min 5 --min-failed 5
python -m soc_log_analyzer.cli C:\path\to\my_logs.csv --format csv --summary
python -m soc_log_analyzer.cli C:\path\to\my_logs.csv --format csv --limit 10
python -m soc_log_analyzer.cli C:\path\to\my_logs.csv --format csv --top-ids 20

Input Formats

JSONL

Each line is a JSON object with these fields:

{"timestamp":"2026-02-07T08:15:00Z","event_id":4625,"event_type":"Security","user":"alex","ip":"203.0.113.10","host":"dc-01","message":"Failed logon: bad password"}

CSV

CSV can be exported from Windows Event Viewer or PowerShell. The parser supports common columns including:

  • TimeCreated or Date and Time
  • Id or Event ID
  • ProviderName or Source
  • MachineName or Computer
  • UserId or User
  • Message or Description

PowerShell export example. Run it from an elevated prompt, since reading the Security log requires administrator rights; add -MaxEvents to bound the export on a busy host, and export the System log separately if you want 7045 service installs. Note that Windows PowerShell 5.1 writes a UTF-8 byte-order mark for -Encoding UTF8, while PowerShell 7 does not.

Get-WinEvent -LogName Security |
Select-Object TimeCreated, Id, ProviderName, MachineName, UserId, Message |
Export-Csv -NoTypeInformation -Encoding UTF8 C:\path\to\my_logs_full.csv
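The column aliases above, multi-line Message fields, and the fact that a Security-log export has no IP or target-account column are the three things a CSV normaliser has to get right. The following is an added example of such a normaliser, not the project's own parser; it assumes en-US timestamp formatting from Export-Csv and Event Viewer, strips the BOM that Windows PowerShell 5.1 emits, and pulls the source IP and target account out of the event body with regular expressions. Both sample exports are constructed for the demonstration.

```python
"""Normalise a Windows CSV export into JSONL-style records (added example, not project code)."""
from __future__ import annotations

import csv
import io
import re
from datetime import datetime

# canonical field -> accepted header names (matched case-insensitively)
COLUMN_ALIASES = {
    "timestamp": ("TimeCreated", "Date and Time"),
    "event_id": ("Id", "Event ID"),
    "event_type": ("ProviderName", "Source"),
    "host": ("MachineName", "Computer"),
    "user": ("UserId", "User"),
    "message": ("Message", "Description"),
}
REQUIRED = ("timestamp", "event_id")

# Assumption: exports use en-US date formatting ("2/7/2026 8:15:00 AM");
# ISO 8601 is accepted as well for hand-made files.
TIME_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S")

IP_RE = re.compile(r"Source Network Address:\s*([0-9A-Fa-f.:]+)")
# Target account of a logon event; skips the "Subject:" block, which is often "-"
TARGET_RE = re.compile(r"(?:Account For Which Logon Failed|New Logon):.*?Account Name:\s*(\S+)", re.S)


def build_column_map(header: list[str]) -> dict[str, str]:
    """Map canonical fields to whichever alias the export actually used."""
    lookup = {h.strip().lower(): h for h in header}
    colmap = {}
    for field, names in COLUMN_ALIASES.items():
        for name in names:
            if name.lower() in lookup:
                colmap[field] = lookup[name.lower()]
                break
    missing = [f for f in REQUIRED if f not in colmap]
    if missing:
        raise ValueError(f"no column found for {missing}; header was {header}")
    return colmap


def parse_timestamp(raw: str) -> datetime:
    raw = raw.strip()
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def normalize_csv(data: bytes) -> list[dict]:
    # utf-8-sig drops the BOM Windows PowerShell 5.1 writes for -Encoding UTF8;
    # newline="" lets the csv module keep line breaks inside quoted Message fields.
    reader = csv.DictReader(io.StringIO(data.decode("utf-8-sig"), newline=""))
    if not reader.fieldnames:
        return []
    colmap = build_column_map(reader.fieldnames)
    records = []
    for row in reader:
        rec = {field: (row.get(col) or "").strip() for field, col in colmap.items()}
        rec["event_id"] = int(rec["event_id"])
        rec["timestamp"] = parse_timestamp(rec["timestamp"])
        msg = rec.get("message", "")
        m = IP_RE.search(msg)
        rec["ip"] = m.group(1) if m else ""
        m = TARGET_RE.search(msg)
        if m and m.group(1) != "-":  # prefer the account in the body over UserId (empty or a SID)
            rec["user"] = m.group(1)
        records.append(rec)
    return records


# Constructed export in the shape of the Get-WinEvent | Export-Csv pipeline above,
# encoded with a BOM the way Windows PowerShell 5.1 does. Not real data.
SAMPLE_EXPORT = (
    '"TimeCreated","Id","ProviderName","MachineName","UserId","Message"\r\n'
    '"2/7/2026 8:15:00 AM","4625","Microsoft-Windows-Security-Auditing","dc-01.corp.example","",'
    '"An account failed to log on.\r\n\r\nSubject:\r\n\tAccount Name:\t\t-\r\n\r\nLogon Type:\t\t\t3\r\n\r\n'
    'Account For Which Logon Failed:\r\n\tAccount Name:\t\talex\r\n\r\nNetwork Information:\r\n'
    '\tWorkstation Name:\tWS-07\r\n\tSource Network Address:\t203.0.113.10\r\n\tSource Port:\t\t51922"\r\n'
    '"2/7/2026 8:18:30 AM","4624","Microsoft-Windows-Security-Auditing","dc-01.corp.example","S-1-5-18",'
    '"An account was successfully logged on.\r\n\r\nNew Logon:\r\n\tAccount Name:\t\talex\r\n\r\n'
    'Network Information:\r\n\tSource Network Address:\t203.0.113.10"\r\n'
).encode("utf-8-sig")

# Constructed export using the alternative column names from the README, no BOM.
SAMPLE_ALT = (
    "Date and Time,Event ID,Source,Computer,User,Description\r\n"
    "2/7/2026 8:20:00 AM,4740,Microsoft-Windows-Security-Auditing,dc-01,CORP\\alex,A user account was locked out.\r\n"
).encode("utf-8")

if __name__ == "__main__":
    for rec in normalize_csv(SAMPLE_EXPORT) + normalize_csv(SAMPLE_ALT):
        print(rec["timestamp"], rec["event_id"], rec["user"], rec["ip"] or "-", rec["host"])
```

Timestamps stay naive here because the exporters write local time; if you merge CSV with the UTC JSONL format, convert them with the exporting host's timezone before comparing.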

Output Modes

  • Default report with detailed events
  • --summary for counts only
  • --limit N to cap output per section
  • --top-ids N to list the most common Event IDs in the input
  • --json for machine-readable output

Project Layout

  • src/soc_log_analyzer: analyzer and CLI implementation.
  • data/sample_events.jsonl: sample anonymized Windows events.
  • tests: sample pytest tests.

Notes

  • Sample data is anonymized and for demonstration only.
  • CSV exports with multi-line messages are supported.
