Built a Python log parser that scans event logs, detects suspicious activity, maps events to MITRE ATT&CK techniques, identifies brute force attempts, and generates a threat report automatically.
I built this project to better understand how log analysis and threat detection work in cybersecurity. Instead of manually reading through log files, I wanted to create a tool that could automatically identify suspicious activity and highlight possible threats.
The goal was to learn more about how security analysts work with logs and how detection rules can be applied to raw event data to spot unusual behaviour more efficiently.
This project is written in Python and designed to scan Windows-style event log files line by line. I used regex to extract useful information from each log entry, including the date, time, log level, event description, username, and IP address.
Once the logs are parsed, each extracted event is checked against a THREAT_RULES dictionary that I created. This dictionary maps specific event keywords to MITRE ATT&CK techniques and tactics; if an event description contains one of the keywords, the event is flagged as suspicious and annotated with the matching technique. I also included an additional check that flags WARNING- or ERROR-level events whose source IP address is external rather than on the local network.
Failed login attempts are tracked per source IP address. If the same IP address produces three or more failed login attempts, the parser flags it as a possible brute force attack and lists the related timestamps in the final report.
The parser is run from the command line and outputs results to both the terminal and a report file:
Each log line is parsed using a regex pattern that extracts the important fields:
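The pipeline described above (regex field extraction, keyword-to-ATT&CK rules, the external-IP check, per-IP failed-login counting and a text report) as an added example. This is not the project's own code: the log line layout, the regex patterns, the rule keywords, the `is_external` definition and the sample log lines are all my assumptions; only the ATT&CK technique IDs are real.

```python
import re
import ipaddress
from collections import defaultdict

# Assumed text layout for one event: "<date> <time> <LEVEL> <description>",
# with the username and source IP embedded in the description.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>INFO|WARNING|ERROR) (?P<desc>.+)$"
)
USER_RE = re.compile(r"\buser(?:name)?[ =:]+(?P<user>[\w.\\-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Keyword -> (ATT&CK technique, tactic). Technique IDs are real ATT&CK IDs;
# the keyword strings are assumptions chosen to match the constructed sample log.
THREAT_RULES = {
    "failed login": ("T1110 Brute Force", "Credential Access"),
    "account created": ("T1136.001 Create Account: Local Account", "Persistence"),
    "powershell": ("T1059.001 Command and Scripting Interpreter: PowerShell", "Execution"),
    "scheduled task": ("T1053.005 Scheduled Task/Job: Scheduled Task", "Persistence"),
}
BRUTE_FORCE_THRESHOLD = 3

# Simplification: RFC 1918 ranges and loopback count as internal; anything else
# (including the 203.0.113.0/24 documentation range used below) is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    u = USER_RE.search(event["desc"])
    ip = IP_RE.search(event["desc"])
    event["user"] = u.group("user") if u else None
    event["ip"] = ip.group(0) if ip else None
    return event


def is_external(ip):
    """True for an address outside INTERNAL_NETS; False if missing or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(lines):
    """Apply THREAT_RULES, the external-IP check and brute-force counting to raw lines."""
    findings = []                      # list of (event, [reasons])
    failed_by_ip = defaultdict(list)   # ip -> timestamps of failed logins
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue                   # unparsable line: skipped, not silently flagged
        desc = e["desc"].lower()
        reasons = [f"{tech} ({tactic})"
                   for kw, (tech, tactic) in THREAT_RULES.items() if kw in desc]
        if e["level"] in ("WARNING", "ERROR") and is_external(e["ip"]):
            reasons.append(f"{e['level']} from external IP {e['ip']}")
        if reasons:
            findings.append((e, reasons))
        if "failed login" in desc and e["ip"]:
            failed_by_ip[e["ip"]].append(f"{e['date']} {e['time']}")
    brute_force = {ip: ts for ip, ts in failed_by_ip.items()
                   if len(ts) >= BRUTE_FORCE_THRESHOLD}
    return findings, brute_force


def build_report(findings, brute_force):
    """Render findings and brute-force sources as the plain-text report."""
    out = ["THREAT REPORT", f"Suspicious events: {len(findings)}"]
    for e, reasons in findings:
        out.append(f"{e['date']} {e['time']} {e['level']:7} user={e['user']} "
                   f"ip={e['ip']} :: {e['desc']}")
        out.extend(f"    -> {r}" for r in reasons)
    out.append(f"Possible brute force sources: {len(brute_force)}")
    for ip, ts in brute_force.items():
        out.append(f"  {ip}: {len(ts)} failed logins at {', '.join(ts)}")
    return "\n".join(out)


# Constructed sample log reproducing the attack flow: brute force, success,
# account creation, PowerShell, scheduled task, plus benign noise.
SAMPLE_LOG = """\
2024-05-01 09:00:01 INFO Service started
2024-05-01 09:01:10 WARNING Failed login for user admin from 203.0.113.45
2024-05-01 09:01:12 WARNING Failed login for user admin from 203.0.113.45
2024-05-01 09:01:15 WARNING Failed login for user admin from 203.0.113.45
2024-05-01 09:01:30 INFO Successful login for user admin from 203.0.113.45
2024-05-01 09:02:00 INFO Account created: user backup_svc by user admin
2024-05-01 09:02:30 INFO Process started: powershell.exe by user backup_svc
2024-05-01 09:03:00 INFO Scheduled task 'Updater' registered by user backup_svc
2024-05-01 09:04:00 WARNING Failed login for user jsmith from 10.0.0.7
2024-05-01 09:05:00 ERROR Disk quota exceeded on volume C: for user jsmith
""".splitlines()

if __name__ == "__main__":
    findings, brute = analyse(SAMPLE_LOG)
    report = build_report(findings, brute)
    print(report)
    with open("threat_report.txt", "w", encoding="utf-8") as fh:
        fh.write(report)
```

Two points worth noticing when running it: the single failed login from 10.0.0.7 is still flagged by the T1110 rule but stays below the brute-force threshold, and the ERROR line with no IP at all is not flagged, because `is_external` returns False for a missing address rather than raising. Substring keyword matching is deliberately simple; real events that phrase the same action differently ("logon failure", "pwsh") would slip past these rules unless the keyword list is extended.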
The sample log used for testing includes events that simulate suspicious activity such as repeated failed login attempts, account creation, PowerShell execution, and scheduled tasks.
A possible attack flow in the logs could involve an attacker attempting multiple failed logins, gaining access to an account, creating a new user account, using PowerShell commands, and setting up scheduled tasks for persistence. The parser automatically detects and flags these events, making it easier to identify suspicious activity without manually reviewing every log entry.
This project helped me better understand how automated threat detection works by parsing log data, applying detection rules, and generating findings in a readable format. It also gave me more hands-on experience with regex, file handling, and analysing security-related events.
Built for educational purposes as part of a cybersecurity learning portfolio.