🔍 A Flask-based threat intelligence dashboard that parses SSH authentication logs to detect brute force attacks, suspicious IPs, credential breach indicators, and targeted usernames — visualized through an interactive dark-themed web interface.
SOC Context: Automates the SSH log triage workflow an L1 SOC analyst performs during incident response — parsing thousands of log lines in under a second, surfacing attacker IPs, breach indicators, and targeted accounts with actionable remediation steps.
```
Log File: auth.log (2,847 entries)
┌───────────────────────────────────────────────────────────────┐
│ 🚨 CRITICAL THREAT DETECTED                                   │
│ 14 brute force IPs detected — 1,243 failed login attempts     │
├────────────────┬───────────────┬──────────────┬───────────────┤
│ Total Records  │ Failed Logins │ Brute Force  │ Unique IPs    │
│ 2,847          │ 1,243         │ 14           │ 67            │
├────────────────┴───────────────┴──────────────┴───────────────┤
│ Top Attacker: 45.33.32.156 — 847 attempts [CRITICAL]          │
│ ⚠️ BREACH DETECTED: 192.168.100.55 failed then succeeded       │
└───────────────────────────────────────────────────────────────┘
```

- SSH Brute Force Detection — flags IPs exceeding the configurable failed-login threshold
- Breach Detection — alerts when a previously-failed IP later achieves a successful login (T1078)
- Suspicious IP Analysis — identifies high-frequency IPs and known suspicious IP ranges
- Targeted Username Tracking — surfaces most-attacked accounts (root, admin, ubuntu)
- Interactive Charts — top 10 attacking IPs (bar) and most targeted usernames (doughnut) via Chart.js
- Threat Severity Scoring — CRITICAL / HIGH / MEDIUM / LOW per attacker IP based on attempt count
- Security Recommendations — rule-based, actionable remediation steps generated from detected threat patterns
- Multi-Format Log Support — parses `.log`, `.txt`, and `.csv` files
- CSV Export — exports brute force findings for incident documentation and ticketing
- Automatic File Cleanup — uploaded logs deleted from server after analysis

| Detection | MITRE ID | Tactic |
|---|---|---|
| SSH brute force detection | T1110.001 | Credential Access |
| Failed → successful login (breach) | T1078 | Initial Access |
| High-frequency IP analysis | T1110 | Credential Access |
| Suspicious IP range flagging | T1133 | Initial Access |
| Targeted username tracking | T1110.003 | Credential Access |

| Component | Technology |
|---|---|
| Backend | Python 3.x, Flask |
| Log Parsing | Python re, csv, collections |
| Charts | Chart.js 4.4 |
| Frontend | Vanilla JS, CSS3 (dark theme) |
| File Handling | Werkzeug secure_filename |

```bash
git clone https://github.com/siva404e/security-log-analyzer.git
cd security-log-analyzer
pip install -r requirements.txt
python log_dashboard.py
```

Open your browser at http://127.0.0.1:5001
- Upload Log File — click "📁 Browse Files" and select a `.log`, `.txt`, or `.csv` file
- Analyze — click "🔬 ANALYZE LOG FILE"
- Review Results:
  - Alert banner (CRITICAL / WARNING / SAFE status)
  - Stat cards — total records, failed logins, brute force IPs, unique IPs
  - Charts — top attacking IPs and targeted usernames
  - Brute force table with threat severity per IP
  - Suspicious IP table with reason tagging
  - Security recommendations
A ready-to-use sample log file is included for quick demo:

```bash
# Upload this file through the dashboard UI:
samples/sample_auth.log
```

Example lines in the expected sshd `auth.log` format:

```
Nov 15 10:23:45 server sshd[1234]: Failed password for invalid user admin from 192.168.1.100 port 22 ssh2
Nov 15 10:23:50 server sshd[1234]: Accepted password for root from 192.168.1.50 port 22 ssh2
```

Supported CSV columns: `source_ip`, `foreign_ip`, `ip`, `username`, `user`, `timestamp`
Edit `log_dashboard.py` to adjust detection thresholds:

```python
BRUTE_FORCE_THRESHOLD = 5       # Failed attempts before IP is flagged
SUSPICIOUS_IP_THRESHOLD = 3     # Hit count to flag high-frequency IPs
SUSPICIOUS_IP_RANGES = [        # IP ranges auto-flagged as suspicious
    "192.168.100.",
    "10.0.0."
]
```

| Level | Criteria | Recommended Action |
|---|---|---|
| CRITICAL | > 500 attempts | Immediate firewall block |
| HIGH | 100–500 attempts | Investigate and consider block |
| MEDIUM | 20–100 attempts | Monitor and log |
| LOW | < 20 attempts | Track for patterns |
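As an added example (not the project's own `log_dashboard.py` code), the following combines the parsing, thresholding, breach check and severity scoring described above into one function run over constructed sample lines. The regular expressions, the prefix matching used for `SUSPICIOUS_IP_RANGES`, and the handling of the 20/100/500 boundaries are assumptions, not the project's implementation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the sshd auth.log format shown above (not the bundled sample file).
SAMPLE_LOG = """\
Nov 15 10:23:45 server sshd[1234]: Failed password for invalid user admin from 192.168.1.100 port 22 ssh2
Nov 15 10:23:46 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Nov 15 10:23:47 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Nov 15 10:23:48 server sshd[1234]: Failed password for admin from 192.168.1.100 port 22 ssh2
Nov 15 10:23:49 server sshd[1234]: Failed password for ubuntu from 192.168.1.100 port 22 ssh2
Nov 15 10:23:50 server sshd[1234]: Accepted password for root from 192.168.1.50 port 22 ssh2
Nov 15 10:24:01 server sshd[1240]: Failed password for root from 192.168.100.55 port 22 ssh2
Nov 15 10:24:05 server sshd[1240]: Accepted password for root from 192.168.100.55 port 22 ssh2
"""

BRUTE_FORCE_THRESHOLD = 5                           # README default
SUSPICIOUS_IP_RANGES = ["192.168.100.", "10.0.0."]  # README default prefixes

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from " + IPV4)  # password or publickey

def severity(count):
    # Assumed boundary handling; the severity table leaves 20, 100 and 500 ambiguous.
    if count > 500:
        return "CRITICAL"
    if count >= 100:
        return "HIGH"
    if count >= 20:
        return "MEDIUM"
    return "LOW"

def analyze(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    failed, users, breaches = Counter(), defaultdict(set), []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in failed:  # earlier failures from this IP, now a success (T1078)
            breaches.append({"ip": m.group(2), "user": m.group(1), "failed_before": failed[m.group(2)]})
    brute_force = [{"ip": ip, "count": n, "users": sorted(users[ip]), "severity": severity(n)}
                   for ip, n in failed.most_common() if n >= threshold]
    suspicious = [ip for ip in failed if any(ip.startswith(p) for p in SUSPICIOUS_IP_RANGES)]
    return {"total_failed": sum(failed.values()), "unique_ips": len(failed), "threshold": threshold,
            "brute_force": brute_force, "suspicious_ips": suspicious,
            "breach_detected": bool(breaches), "breaches": breaches}
```

Calling `analyze(SAMPLE_LOG)` flags `192.168.1.100` at the threshold and reports `192.168.100.55` as a failed-then-succeeded breach, while the clean login from `192.168.1.50` is not reported.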
Serves the main dashboard UI.
Accepts an uploaded log file and returns threat analysis.
Request: `multipart/form-data` with a `file` field

Response:

```json
{
  "total_lines": 1000,
  "total_failed": 150,
  "brute_force_count": 5,
  "unique_ips": 45,
  "threshold": 5,
  "brute_force": [
    { "ip": "45.33.32.156", "count": 250, "users": ["admin", "root"] }
  ],
  "suspicious_ips": [],
  "top_ips": [],
  "top_users": [],
  "breach_detected": false,
  "recommendations": []
}
```

Returns brute force findings as a downloadable CSV report.
```
security-log-analyzer/
├── log_dashboard.py        # Flask app — routes, log parsing, analysis logic, UI
├── requirements.txt        # Python dependencies
├── samples/
│   └── sample_auth.log     # Sample SSH auth log for demo and testing
├── README.md
└── LICENSE
```

- Parses SSH auth log format only — Windows Event Logs and syslog require format extension
- No persistent storage — analysis results are not saved between sessions
- SUSPICIOUS_IP_RANGES are hardcoded — production use would integrate a threat intel feed
- Not a substitute for a full SIEM (Splunk, Elastic SIEM, Microsoft Sentinel)
- Windows Event Log (.evtx) parsing support
- AbuseIPDB / VirusTotal IP reputation enrichment
- SQLite persistence for historical analysis
- Real-time log streaming (tail -f equivalent)
- Email alerts for CRITICAL threats
- Docker containerization
Sivamuthu Selvadurai M
Cybersecurity enthusiast focused on SOC operations, log analysis, and blue team tooling.
GitHub: siva404e
MIT License — see LICENSE for details.