A Python-first tool that parses authentication logs (e.g., SSH auth.log) to detect suspicious activity such as brute-force login attempts and high-failure IPs, then generates a structured JSON threat report.
This repo is intentionally built like a practical security automation project: clear modules, reusable detectors, and reproducible output.
- Reads an auth log file (sample included)
- Detects:
  - Failed login attempts per IP
  - Successful logins per IP
  - Brute-force behavior using a time-window heuristic (optional)
- Outputs a JSON report containing:
  - Totals and window-based counts
  - Detected threats above a configurable threshold
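The pipeline the feature list describes (parse sshd lines, count failures and successes per IP, apply a time-window heuristic, emit a JSON report) as an added, self-contained illustration. This is example code written for this page, not the repo's own modules: the line regex, the assumed log year (syslog timestamps carry none), the default thresholds, the report schema and the sample log lines are all constructed here. The sample distinguishes a genuine burst (five failures in eight seconds from 203.0.113.5) from an IP that merely accumulates failures over hours (192.0.2.10), which a count-only check would treat the same way.

```python
import json
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH/syslog format (not the repo's sample file).
# 203.0.113.5 fails five times within eight seconds; 192.0.2.10 fails five
# times spread over two and a half hours, so only the first is a burst.
SAMPLE_LOG = """\
Jan 10 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 10 10:00:03 bastion sshd[2002]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jan 10 10:00:04 bastion sshd[2003]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jan 10 10:00:06 bastion sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Jan 10 10:00:09 bastion sshd[2005]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jan 10 10:02:00 bastion sshd[2006]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jan 10 10:05:00 bastion sshd[2007]: Failed password for alice from 192.0.2.10 port 51001 ssh2
Jan 10 10:40:00 bastion sshd[2008]: Failed password for alice from 192.0.2.10 port 51002 ssh2
Jan 10 11:15:00 bastion sshd[2009]: Failed password for alice from 192.0.2.10 port 51003 ssh2
Jan 10 11:50:00 bastion sshd[2010]: Failed password for alice from 192.0.2.10 port 51004 ssh2
Jan 10 12:25:00 bastion sshd[2011]: Failed password for alice from 192.0.2.10 port 51005 ssh2
"""

# Matches the common "Failed password for [invalid user] X from IP" and
# "Accepted <method> for X from IP" sshd lines; other syslog lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return an event dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps have no year; the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def parse_log(text, year=2024):
    """Parse every recognised line of an auth log into a list of events."""
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def max_failures_in_window(timestamps, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds span
    (two-pointer sweep over the sorted list, O(n))."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def build_report(text, fail_threshold=5, window_seconds=60, window_threshold=5, year=2024):
    """Build the JSON-serialisable report: totals, per-IP counts and threats.

    An IP is flagged "brute_force" when at least window_threshold failures land
    in one window of window_seconds, and "high_failure_count" when its total
    failures reach fail_threshold without such a burst.
    """
    events = parse_log(text, year)
    failed = defaultdict(list)   # ip -> failure timestamps
    accepted = defaultdict(int)  # ip -> successful login count
    for ev in events:
        if ev["outcome"] == "Failed":
            failed[ev["ip"]].append(ev["ts"])
        else:
            accepted[ev["ip"]] += 1

    per_ip, threats = {}, []
    for ip in sorted(set(failed) | set(accepted)):
        n_failed = len(failed.get(ip, []))
        burst = max_failures_in_window(failed.get(ip, []), window_seconds)
        per_ip[ip] = {"failed": n_failed, "accepted": accepted.get(ip, 0),
                      "max_failures_in_window": burst}
        if burst >= window_threshold:
            threats.append({"ip": ip, "type": "brute_force", "failed": n_failed,
                            "max_failures_in_window": burst})
        elif n_failed >= fail_threshold:
            threats.append({"ip": ip, "type": "high_failure_count", "failed": n_failed,
                            "max_failures_in_window": burst})

    return {
        "parameters": {"fail_threshold": fail_threshold, "window_seconds": window_seconds,
                       "window_threshold": window_threshold},
        "totals": {"events": len(events),
                   "failed": sum(len(v) for v in failed.values()),
                   "accepted": sum(accepted.values()),
                   "unique_ips": len(per_ip)},
        "per_ip": per_ip,
        "threats": threats,
    }


if __name__ == "__main__":
    # Usage: python authlog_report.py [/path/to/auth.log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(build_report(text), indent=2))
```

The window sweep is the part worth keeping separate from the counters: a plain per-IP failure total cannot tell a password-spraying burst from a user who mistypes a password a few times a day, and the `max_failures_in_window` field in the report is what lets a reviewer see which of the two a flagged IP is.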