A Python-based Security Log Correlation Engine that simulates core SIEM functionality by collecting logs from multiple sources, correlating events, detecting attack patterns, and generating an attack timeline.
- Multiple Log Sources
- Event Correlation
- Brute Force Detection
- Privilege Escalation Detection
- Attack Timeline Generation
- JSON Reporting
- Unit Testing
security-log-correlation-engine/
│
├── logs/
│ ├── firewall_logs.json
│ ├── auth_logs.json
│ └── system_logs.json
│
├── rules/
│ └── correlation_rules.json
│
├── reports/
│ └── attack_timeline.json
│
├── engine/
│ ├── __init__.py
│ ├── parser.py
│ ├── correlator.py
│ ├── detector.py
│ └── timeline.py
│
├── tests/
│ └── test_engine.py
│
├── main.py
├── requirements.txt
├── README.md
└── .gitignore
Clone the repository:
git clone https://github.com/dhillon65/security-log-correlation-engine
cd security-log-correlation-engineCreate virtual environment:
python -m venv venvActivate environment:
venv\Scripts\activatesource venv/bin/activateInstall dependencies:
pip install -r requirements.txtpython main.pyExpected Output:
==================================================
SECURITY LOG CORRELATION ENGINE
==================================================
[+] Total Events Loaded: 10
[+] Attacks Detected: 2
[+] Timeline saved to reports/attack_timeline.json
Using unittest:
python -m unittest tests/test_engine.pyOr:
pytest- Five failed logins
- Followed by successful login
- Successful login
- Followed by privilege escalation event
- Multiple connection attempts
- SIEM Concepts
- Detection Engineering
- Event Correlation
- Security Monitoring
- Threat Detection
- Python Programming
- Log Analysis
- Incident Response
- MITRE ATT&CK Mapping
- Sigma Rule Support
- Risk Scoring
- Real-Time Monitoring
- Dashboard Visualization
- Splunk Integration
- Wazuh Integration
- Elasticsearch Support
MIT License