Security Technical Writeup
SOC Log Analyzer
Threat Detection Engine
A comprehensive security analysis tool built to detect, classify, and escalate threats across SSH authentication logs, Apache web server logs, and Windows Event logs in real time.
Version 1.0.0 | 29 Detection Rules | 3 Log Formats | 89 Tests | Zero Dependencies
SOC Log Analyzer is a pure Python security tool designed for Security Operations Center analysts to rapidly triage log files and surface active threats. The tool processes raw log data from multiple sources and applies a rule-based detection engine to identify attack patterns including brute-force attempts, injection attacks, privilege escalation, and post-exploitation activity.
Design Philosophy: Zero external dependencies. The entire tool runs on the Python standard library, making it deployable on any system without package conflicts or installation issues.
The system is built as a pipeline with five stages. Each stage has a single responsibility and passes structured data to the next.
Detection Pipeline
Log File
parser.py # Auto-detect format, parse to dicts
rules.py # Apply 29 rules, produce SecurityEvents
geoip.py # Enrich IPs with country/city (optional)
alerting.py # POST to Slack/webhook (optional)
formatters.py # pretty / JSON / CSV / Markdown output
parser.py — Log Ingestion
Handles three distinct log formats through auto-detection. Peeks at the first 20 lines to classify the format, then runs the appropriate parser. Each parser extracts structured fields while tolerating malformed lines.
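As an added illustration (not the project's own parser.py), this is how the peek-and-classify step and a line parser that tolerates malformed input can be written; the sample lines, the regexes and the Windows CSV column names are constructed assumptions of this example:

```python
import csv
import re

# Constructed sample input (not taken from the project), one snippet per supported format.
SSH_SAMPLE = ("Mar  3 02:14:01 bastion sshd[1187]: Failed password for root from 185.220.101.45 port 40112 ssh2\n"
              "this line is garbage and must be skipped rather than abort the file\n"
              "Mar  3 02:14:03 bastion sshd[1187]: Invalid user admin from 185.220.101.45 port 40118\n")
APACHE_SAMPLE = '203.0.113.7 - - [03/Mar/2024:02:15:10 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"\n'
WINDOWS_SAMPLE = "TimeCreated,Id,Computer,Message\n2024-03-03 01:05:00,4625,CORP-PC-01,An account failed to log on\n"

PEEK_LINES = 20      # the writeup says the format is classified from the first 20 lines
SSHD_RE = re.compile(r"\bsshd\[\d+\]:")
APACHE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ \S+ [^"]*" \d{3} ')   # Combined Log Format prefix
EVENT_ID_HEADERS = {"id", "eventid"}   # assumed column names of an Event Viewer / Get-WinEvent CSV export

def detect_log_type(text):
    """Return 'ssh', 'apache', 'windows' or None from the first PEEK_LINES non-empty lines."""
    head = [ln for ln in text.splitlines()[:PEEK_LINES] if ln.strip()]
    if any(SSHD_RE.search(ln) for ln in head):
        return "ssh"
    if any(APACHE_RE.match(ln) for ln in head):
        return "apache"
    if head:
        header = {h.strip().lower().replace(" ", "") for h in next(csv.reader([head[0]]))}
        if header & EVENT_ID_HEADERS:
            return "windows"
    return None

SSH_LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_ssh(text):
    """Yield one record dict per sshd line; non-matching lines are skipped, not fatal."""
    for line in text.splitlines():
        m = SSH_LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        ip = IP_RE.search(rec["msg"])
        rec["src_ip"] = ip.group("ip") if ip else None   # e.g. "Server listening on ..." has no source IP
        yield rec
```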
rules.py — Detection Engine
Each of the 29 rule functions receives a record dictionary and returns either a SecurityEvent or None. Rules are pure functions with no side effects, making them independently testable. After all rules fire, a brute-force escalation pass promotes events from HIGH to CRITICAL when a source IP exceeds the hit threshold.
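An added example (not the project's own rules.py) of the rule-function contract and the escalation pass, run over constructed records that mirror Scenario 1 below; the record keys, the match strings of the three rules and the threshold of 5 hits (compared with >=) are assumptions of this example:

```python
from collections import Counter
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SecurityEvent:
    rule_id: str
    severity: str
    src_ip: str
    detail: str

# Each rule is a pure function: one parsed record in, a SecurityEvent or None out.
# The record keys used here (src_ip, msg) are this example's assumption, not the project's schema.
def ssh_failed_login(rec):
    if "Failed password for" in rec["msg"]:
        return SecurityEvent("ssh_failed_login", "HIGH", rec["src_ip"], rec["msg"])
    return None

def ssh_accepted_password(rec):
    if "Accepted password for" in rec["msg"]:
        return SecurityEvent("ssh_accepted_password", "LOW", rec["src_ip"], rec["msg"])
    return None

def ssh_root_login(rec):
    if " for root from " in rec["msg"]:            # fires on failed and accepted root attempts alike
        return SecurityEvent("ssh_root_login", "HIGH", rec["src_ip"], rec["msg"])
    return None

RULES = (ssh_failed_login, ssh_accepted_password, ssh_root_login)

def run_rules(records, rules=RULES):
    """Apply every rule to every record; one record can yield several events."""
    return [ev for rec in records for rule in rules if (ev := rule(rec)) is not None]

def escalate_brute_force(events, threshold):
    """Promote HIGH events to CRITICAL for every source IP whose failed logins reach `threshold`."""
    hits = Counter(ev.src_ip for ev in events if ev.rule_id == "ssh_failed_login")
    return [replace(ev, severity="CRITICAL") if ev.severity == "HIGH" and hits[ev.src_ip] >= threshold else ev
            for ev in events]

def analyze(records, threshold=5):
    return escalate_brute_force(run_rules(records), threshold)

# Constructed records: six failures from one IP, then a successful root login from another.
RECORDS = [{"src_ip": "185.220.101.45", "msg": "Failed password for root from 185.220.101.45 port 40112 ssh2"}] * 6
RECORDS.append({"src_ip": "203.0.113.99", "msg": "Accepted password for root from 203.0.113.99 port 51022 ssh2"})

if __name__ == "__main__":
    for ev in analyze(RECORDS):
        print(f"{ev.severity:8} {ev.rule_id:22} {ev.src_ip}")
```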
watcher.py — Live Tail Engine
Uses stdlib polling for cross-platform compatibility. Detects log rotation by monitoring file inodes — when the inode changes the watcher reopens the file automatically without losing any lines.
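An added example (not the project's own watcher.py) of the inode check the watcher relies on, with a constructed logrotate-style rename to show that neither a line written just before the rotation nor the first line of the new file is lost; the file names and log lines are constructed:

```python
import os

class LogTail:
    """Poll a log for new lines; reopen from offset 0 when the path's inode changes (rotation)."""
    def __init__(self, path):
        self.path, self.fh, self.inode, self.buf = path, None, None, ""
        self._open(seek_end=True)           # like tail -f: start at the current end of the file
    def _open(self, seek_end):
        if self.fh:
            self.fh.close()
        self.fh = open(self.path, encoding="utf-8", errors="replace")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        if seek_end:
            self.fh.seek(0, os.SEEK_END)
    def _drain(self):
        self.buf += self.fh.read()          # a trailing partial line waits in buf for its newline
        *complete, self.buf = self.buf.split("\n")
        return complete
    def poll(self):
        lines = self._drain()
        try:
            rotated = os.stat(self.path).st_ino != self.inode
        except FileNotFoundError:
            rotated = False                 # moved away, not yet recreated: keep draining the old handle
        if rotated:
            lines += self._drain()          # writes that landed between the read and the rename
            if self.buf:                    # old file ended mid-line: emit it rather than glue it to the new file
                lines.append(self.buf)
                self.buf = ""
            self._open(seek_end=False)      # new file: start at offset 0 so nothing is skipped
            lines += self._drain()
        return lines
    def close(self):
        self.fh.close()

def demo(workdir):
    """Constructed scenario: append, rename (logrotate-style), recreate; returns the lines of each poll."""
    path = os.path.join(workdir, "auth.log")
    with open(path, "w") as f:
        f.write("sshd[1187]: Server listening on 0.0.0.0 port 22.\n")   # pre-existing: must not be re-emitted
    tail = LogTail(path)
    with open(path, "a") as f:
        f.write("sshd[1187]: Failed password for root from 185.220.101.45 port 40112 ssh2\nsshd[1187]: Inv")
    before = tail.poll()
    os.rename(path, path + ".1")
    with open(path, "w") as f:
        f.write("sshd[1190]: Invalid user admin from 185.220.101.45 port 40118\n")
    after = tail.poll()
    tail.close()
    return before, after
```

Run `demo()` against a scratch directory: the first poll returns only the complete failed-password line, and the second returns the held-back partial line from the rotated file followed by the first line of the new file.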
Threat Detection Coverage
SSH Authentication Threats
| Rule ID | Description | MITRE Tactic | Severity |
|---|---|---|---|
| ssh_failed_login | Failed password authentication | Credential Access | HIGH |
| ssh_invalid_user | Login attempt for non-existent user | Reconnaissance | HIGH |
| ssh_root_login | Authentication attempt as root | Privilege Escalation | HIGH |
| ssh_accepted_password | Successful password authentication | Initial Access | LOW |
| sudo_to_root | Sudo privilege escalation to root | Privilege Escalation | HIGH |
| ssh_repeated_failures | Syslog repeated failure pattern | Brute Force | CRITICAL |
Web Application Threats
| Rule ID | Description | MITRE Tactic | Severity |
|---|---|---|---|
| web_lfi_passwd | /etc/passwd in request path | Credential Access | CRITICAL |
| web_path_traversal | Directory traversal pattern | Discovery | CRITICAL |
| web_sqli | SQL injection payload in URL | Collection | CRITICAL |
| web_xss | Cross-site scripting payload | Execution | CRITICAL |
| web_scanner | Known scanner User-Agent (nikto, sqlmap) | Reconnaissance | HIGH |
| web_shell_cmd | Webshell command execution parameter | Execution | CRITICAL |
| web_log4j | Log4Shell CVE-2021-44228 exploit | Initial Access | CRITICAL |
| web_admin_scan | Admin panel probing (401/403/404) | Reconnaissance | MEDIUM |
Windows Event Log Threats
| Rule ID | Event ID | Description | Severity |
|---|---|---|---|
| win_failed_logon | 4625 | Failed Windows logon attempt | HIGH |
| win_account_lockout | 4740 | Account locked out after failures | HIGH |
| win_net_user_add | 4688 | New local user via net user /add | CRITICAL |
| win_add_to_admins | 4688 | User added to Administrators group | CRITICAL |
| win_ps_encoded | 4688 | Encoded PowerShell (-EncodedCommand) | HIGH |
| win_registry_change | 4657 | Registry Run key modified (persistence) | CRITICAL |
| win_log_cleared | 1102 | Security event log cleared | CRITICAL |
| win_wmi_exec | 4688 | WMI remote process execution | HIGH |
Real-World Attack Scenarios
Scenario 1 — SSH Brute Force to Root Access
- 02:14:01 Brute force begins: 185.220.101.45 sends rapid failed password attempts against root. Rule: ssh_failed_login at HIGH.
- 02:14:07 Escalation triggered: After 8 failures from the same IP, brute-force escalation promotes all events to CRITICAL.
- 05:30:00 Successful root login: 203.0.113.99 achieves a successful password login as root.

Analyst Action Required: Block 185.220.101.45 at the firewall immediately. Audit all commands run by root after 05:30. Check for new cron jobs, SSH authorized_keys modifications, and new user accounts.
Scenario 2 — Windows Privilege Escalation and Persistence
- 01:05:00 Credential brute force: 185.220.101.45 attempts 6 rapid failed logons against administrator (Event 4625).
- 01:10:00 Account lockout: Administrator locked out (Event 4740). Brute force escalated to CRITICAL.
- 01:15:00 Backdoor account created: net user hacker /add and net localgroup administrators hacker /add executed.
- 01:16:00 Registry persistence: HKCU Run key modified to execute svchost32.exe on every login (Event 4657).
- 01:18:00 Log cleared — cover-up: Security event log cleared by CORP\hacker (Event 1102).

Incident Response Required: Isolate CORP-PC-01 immediately. The attacker has SYSTEM-level persistence via a registry Run key and a backdoor admin account, and has cleared the security log.
89 tests across 12 test classes, all passing on Python 3.10, 3.11, and 3.12 in CI.
- TestDetectLogType: Auto-detection of SSH, Apache, Windows formats
- TestSSHParser: Field extraction, IP parsing, timestamp parsing
- TestApacheParser: Combined log format, status codes, User-Agent
- TestWindowsParser: CSV parsing, Event ID extraction, timestamps
- TestSSHRules: All 7 SSH detection rules with escalation
- TestApacheRules: All 11 web attack rules including Log4Shell
- TestWindowsRules: All 9 Windows Event rules
- TestBruteForce: Threshold escalation at 5 and 100 hits
- TestFormatters: Pretty, JSON, CSV, Markdown validation
- TestWatcher: File tailing, rotation detection
- TestGeoIP: Private IP detection, caching, public lookup
- TestAlerting: Slack payload, webhook, failure handling
Command Line
soc-analyzer auth.log
soc-analyzer auth.log apache.log windows.csv
soc-analyzer auth.log -s CRITICAL
soc-analyzer auth.log -f json -o report.json
soc-analyzer /var/log/auth.log --watch --alert-webhook https://hooks.slack.com/...
soc-analyzer apache.log --geo
Live Application: The web dashboard is live at https://soc-log-analyzer-ejpx.onrender.com
Supported Formats
- SSH auth logs — /var/log/auth.log, /var/log/secure
- Apache / Nginx — Combined Log Format access.log
- Windows Event Log — CSV export from Event Viewer