LogAnalyzer-ATS

developed by: our team

CONTENTS

Introduction

Proposed Features

Tools and Technologies

Readme Overview

Project Structure

Incident Response Workflow

01

Introduction

Objectives

The objective of this project is to create an automated incident response tool that identifies security events, creates incident records, and carries out preliminary containment measures. Through automated log analysis, incident tracking, and actionable response steps, the tool seeks to reduce the manual workload on analysts, shorten response times, and offer a structured triage workflow.

Problem Statement

Logs, endpoints, and network monitoring tools generate a large volume of security events for organisations. Manually spotting suspicious activity, correlating events, and starting response actions takes security analysts a lot of time. This leads to:

Delayed detection of threats.

Slow incident response.

Increased workload on SOC analysts.

Higher risk of undetected attacks.

There is a need for a lightweight automated system that can log incidents, identify common security events, and carry out initial containment actions with little required manual labour.

02

Proposed Features

Event Detection Logic

Monitor system logs (auth.log, syslog) for suspicious activity.

Detect events such as failed logins, unexpected user creation, and unusual processes.

Assign severity levels (Low, Medium, High) to prioritize incidents.
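The detection logic described on this slide, as an added example (not the project's own event_classifier.py): it parses constructed auth.log lines for failed logins, user creation and sudo commands, assigns Low/Medium/High severities, and adds a correlation step that escalates repeated failures from one source IP to High. The regex patterns, the severity mapping and the threshold of five failures are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (documentation addresses, not a real host)
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 52211 ssh2
Mar  3 10:01:14 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 52213 ssh2
Mar  3 10:01:15 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 52214 ssh2
Mar  3 10:01:17 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 52216 ssh2
Mar  3 10:01:19 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 52218 ssh2
Mar  3 10:02:03 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
Mar  3 10:05:44 host1 useradd[2300]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Mar  3 10:06:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:09:30 host1 sshd[2333]: Failed password for bob from 198.51.100.9 port 50001 ssh2
"""

# Patterns for the event classes the slide names (assumed formats of Debian/Ubuntu auth.log)
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(\S+)")

# Assumed threshold: this many failures from one source IP escalate to High
BRUTE_FORCE_THRESHOLD = 5


def detect_events(lines):
    """Turn raw auth.log lines into a list of event dicts carrying a severity label."""
    events = []
    failures_by_ip = Counter()
    last_failure_ts = {}
    for line in lines:
        ts = line[:15]  # syslog timestamp prefix, e.g. "Mar  3 10:01:12"
        m = FAILED_LOGIN.search(line)
        if m:
            user, ip = m.groups()
            failures_by_ip[ip] += 1
            last_failure_ts[ip] = ts
            events.append({"timestamp": ts, "event_type": "failed_login",
                           "severity": "Low", "user": user, "source_ip": ip})
            continue
        m = NEW_USER.search(line)
        if m:
            events.append({"timestamp": ts, "event_type": "user_created",
                           "severity": "Medium", "user": m.group(1)})
            continue
        m = SUDO_CMD.search(line)
        if m:
            user, command = m.groups()
            events.append({"timestamp": ts, "event_type": "sudo_command",
                           "severity": "Low", "user": user, "command": command})
    # Correlation step: many failures from one IP is a separate, higher-severity event
    for ip, count in failures_by_ip.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            events.append({"timestamp": last_failure_ts[ip], "event_type": "brute_force",
                           "severity": "High", "source_ip": ip, "failed_attempts": count})
    return events


def severity_summary(events):
    """Count events per severity so the highest-priority ones can be triaged first."""
    return dict(Counter(e["severity"] for e in events))


if __name__ == "__main__":
    found = detect_events(SAMPLE_AUTH_LOG.splitlines())
    order = ("High", "Medium", "Low")
    for e in sorted(found, key=lambda e: order.index(e["severity"])):
        print(e)
    print(severity_summary(found))
```

Single failed logins stay Low because they are routine; the correlation over source IP is what turns nine noisy lines into one High incident worth an analyst's attention. A real deployment would also window the count by time rather than over the whole file.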

IR Workflow Steps

Track incidents through the standard workflow: Detection → Analysis → Containment → Recovery.

Maintain timestamps for each step for accurate tracking and reporting.

Storage of Incidents with Timestamps

Log all incidents in a structured format (SQLite database or JSON files).

Store relevant details: event type, severity, system information, and timestamps.
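The workflow tracking and SQLite storage from the two slides above, as an added example (not the project's logdb.py or ir_workflow.py): each incident is stored with its event type, severity, host and a JSON details blob, and every transition through Detection, Analysis, Containment and Recovery is timestamped in UTC. Stages can only be entered in order, so a skipped or repeated step is rejected instead of silently recorded. The table layout and function names are assumptions.

```python
import json
import sqlite3
from datetime import datetime, timezone

# The four workflow stages from the slide, in the only order an incident may traverse them
STAGES = ("Detection", "Analysis", "Containment", "Recovery")
SEVERITIES = ("Low", "Medium", "High")

SCHEMA = """
CREATE TABLE IF NOT EXISTS incidents (
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    event_type    TEXT NOT NULL,
    severity      TEXT NOT NULL CHECK (severity IN ('Low', 'Medium', 'High')),
    host          TEXT NOT NULL,
    details       TEXT NOT NULL,   -- JSON: source IP, user, raw log line, ...
    current_stage TEXT NOT NULL,
    created_at    TEXT NOT NULL    -- ISO 8601, UTC
);
CREATE TABLE IF NOT EXISTS incident_stages (
    incident_id INTEGER NOT NULL REFERENCES incidents(id),
    stage       TEXT NOT NULL,
    entered_at  TEXT NOT NULL,
    PRIMARY KEY (incident_id, stage)
);
"""


def now_iso():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def connect(path=":memory:"):
    """Open (or create) the incident database; ':memory:' keeps the demo self-contained."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def open_incident(conn, event_type, severity, host, details):
    """Record a new incident in the Detection stage and return its id."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    ts = now_iso()
    cur = conn.execute(
        "INSERT INTO incidents (event_type, severity, host, details, current_stage, created_at) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (event_type, severity, host, json.dumps(details, sort_keys=True), STAGES[0], ts),
    )
    incident_id = cur.lastrowid
    conn.execute("INSERT INTO incident_stages VALUES (?, ?, ?)", (incident_id, STAGES[0], ts))
    conn.commit()
    return incident_id


def advance(conn, incident_id, stage):
    """Move an incident to the next stage; skipping or repeating a stage is rejected."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    row = conn.execute("SELECT current_stage FROM incidents WHERE id = ?", (incident_id,)).fetchone()
    if row is None:
        raise KeyError(f"no incident with id {incident_id}")
    current = row[0]
    if STAGES.index(stage) != STAGES.index(current) + 1:
        raise ValueError(f"cannot move incident {incident_id} from {current} to {stage}")
    ts = now_iso()
    conn.execute("UPDATE incidents SET current_stage = ? WHERE id = ?", (stage, incident_id))
    conn.execute("INSERT INTO incident_stages VALUES (?, ?, ?)", (incident_id, stage, ts))
    conn.commit()
    return ts


def timeline(conn, incident_id):
    """Return [(stage, entered_at), ...] in the order the stages were entered."""
    return conn.execute(
        "SELECT stage, entered_at FROM incident_stages WHERE incident_id = ? ORDER BY rowid",
        (incident_id,),
    ).fetchall()


if __name__ == "__main__":
    db = connect()
    # Constructed incident values for the demo run
    iid = open_incident(db, "brute_force", "High", "host1",
                        {"source_ip": "203.0.113.7", "failed_attempts": 5})
    for nxt in STAGES[1:]:
        advance(db, iid, nxt)
    for stage, when in timeline(db, iid):
        print(f"{when}  {stage}")
```

Keeping the stage history in its own table rather than overwriting a single status column is what makes the timestamps useful for reporting: time-to-contain and time-to-recover fall straight out of the timeline.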

Basic Containment Actions (future improvement)

Automatically perform initial containment actions, such as:

Block suspicious IPs

Terminate malicious processes

Send local notifications to the administrator

Supervised Model Training

Severity-Based Alert System

Automatically notify administrators when high-severity events are detected. Alerts can be sent via email or local notifications to ensure timely response, helping SOC analysts prioritize critical incidents and reduce response time.

Automated Evidence Collection Folder

For each detected incident, automatically create a dedicated folder containing:

System logs

Running processes

Network connections

Metadata

Ensures structured evidence collection for efficient analysis and reporting.
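The per-incident evidence folder from this slide, as an added example (not the project's evidence_collector.py): it writes the four artefact types into incident_NNNN/, marks the files read-only, and records a SHA-256 manifest so that later analysis can prove the evidence has not changed since collection. The log lines, process list and connection list are constructed snapshots passed in as arguments; the file names and manifest format are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed snapshots standing in for what the collector would capture on the host
SAMPLE_LOG_LINES = [
    "Mar  3 10:01:19 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 52218 ssh2",
    "Mar  3 10:05:44 host1 useradd[2300]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash",
]
SAMPLE_PROCESSES = [
    {"pid": 2201, "user": "root", "cmd": "sshd: root [priv]"},
    {"pid": 2300, "user": "root", "cmd": "useradd svc_backup"},
]
SAMPLE_CONNECTIONS = [
    {"proto": "tcp", "local": "10.0.0.5:22", "remote": "203.0.113.7:52218", "state": "ESTABLISHED"},
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(base_dir, incident_id, log_lines, processes, connections, metadata):
    """Write one folder per incident with the four artefact types plus a SHA-256 manifest."""
    folder = os.path.join(base_dir, f"incident_{incident_id:04d}")
    os.makedirs(folder, exist_ok=False)  # never silently overwrite an earlier collection
    artefacts = {
        "system_logs.txt": "\n".join(log_lines) + "\n",
        "processes.json": json.dumps(processes, indent=2),
        "connections.json": json.dumps(connections, indent=2),
        "metadata.json": json.dumps(
            {**metadata, "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds")},
            indent=2, sort_keys=True),
    }
    manifest = {}
    for name, content in artefacts.items():
        path = os.path.join(folder, name)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
        os.chmod(path, 0o440)  # read-only once written
        manifest[name] = sha256_file(path)
    with open(os.path.join(folder, "MANIFEST.sha256"), "w", encoding="utf-8") as f:
        for name, digest in sorted(manifest.items()):
            f.write(f"{digest}  {name}\n")
    return folder, manifest


def verify_evidence(folder):
    """Recompute every hash listed in the manifest; return the names that no longer match."""
    mismatched = []
    with open(os.path.join(folder, "MANIFEST.sha256"), encoding="utf-8") as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            if sha256_file(os.path.join(folder, name)) != digest:
                mismatched.append(name)
    return mismatched


def run_demo():
    """Collect into a temp dir, verify, then modify one file to show the manifest catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder, manifest = collect_evidence(
            tmp, 1, SAMPLE_LOG_LINES, SAMPLE_PROCESSES, SAMPLE_CONNECTIONS,
            {"event_type": "brute_force", "severity": "High", "host": "host1"})
        clean = verify_evidence(folder)
        log_path = os.path.join(folder, "system_logs.txt")
        os.chmod(log_path, 0o640)
        with open(log_path, "a", encoding="utf-8") as f:
            f.write("edited after collection\n")
        tampered = verify_evidence(folder)
        return {"files": sorted(manifest), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is the piece most lightweight collectors skip: without it, nothing distinguishes evidence that was collected at detection time from a file edited afterwards, which matters as soon as an incident report has to be defended.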

03

Tools and Technologies

Python 3 (Backend Logic)

SQLite (Database)

VS Code / Terminal

Chart.js (Interactive Visualization)

Browser Notification System

File system operations (Evidence Collection)

Linux system logs (auth.log, syslog) & Windows Event Logs

04

Readme Overview

Log Analyzer

A Python-based Log Analyzer and Incident Response (IR) Tool that:

Simulates collecting logs

Analyzes events

Detects anomalies using machine learning

Supports automated incident response actions with evidence collection

Features

Log Analysis & Event Classification

Collects and parses logs. Machine-learning-based detection of normal vs suspicious events.

Incident Response Workflow

Full SOC workflow: Detection → Analysis → Containment → Recovery.

Containment Actions

Trigger or simulate response actions (block IP, stop process).

Digital Evidence Collection

Automatically stores evidence for each incident.

Web Interface

Upload logs, view analysis results, and monitor alerts.

Alerting System

Sends alerts when suspicious activity is detected.

05

Project Structure

log-analyzer/
├── app.py                 # Main application / web interface
├── logdb.py               # Log database handling
├── ir_workflow.py         # Incident response workflow management
├── event_classifier.py    # ML-based event classification
├── containment.py         # Containment actions (safe or execute)
├── evidence_collector.py  # Collect and store digital evidence
├── alerts.py              # Alerting for suspicious activity
├── requirements.txt       # Python dependencies
├── evidence/              # Folder to store collected evidence
├── index.html             # Web interface template
└── main.js                # Frontend JS logic

Quickstart

Clone the repository

    git clone https://github.com/your-username/log-analyzer.git
    cd log-analyzer

Create a virtual environment

    python -m venv venv
    source venv/bin/activate    (Linux / macOS)
    venv\Scripts\activate       (Windows)

Install dependencies

    pip install -r requirements.txt

Run the application

    python app.py

06

Incident Response Workflow

Detection → Logs are collected and monitored

Analysis → Events are classified (normal / suspicious)

Containment → Actions triggered or simulated

Evidence → Logs and metadata are stored in the evidence/ folder

Alerting → Notifications sent for suspicious events

Thank You