2026 / Portfolio lab / academic-style project
Log Analysis & Threat Detection Tool
Practical security monitoring and SIEM-style detection concepts
Built a Python CLI for SSH authentication log analysis, suspicious login detection, JSON/CSV alert exports, SVG reporting, and optional Flask dashboard review.
Threat Detection / Log Analysis / SIEM Concepts / Alert Triage / Security Monitoring
Problem
Junior SOC work depends on recognising suspicious activity, triaging alerts, and explaining why a log pattern matters.
Approach
Worked with log sources and detection concepts commonly used in SIEM environments. Practised alert review, triage, escalation, suspicious activity identification, and connecting technical observations to broader security risk themes.
Outcome
Demonstrates the ability to interpret logs, identify suspicious patterns, and communicate findings in a security operations context.
Tools / Frameworks
Log analysis / Detection logic / Alert triage / Security monitoring
Evidence Produced
- Detection logic
- Alert triage notes
- Log review workflow
- Security monitoring summary
- GitHub repository
Detection Examples
Sample detection signals mapped to triage questions and escalation paths.
| Signal | Why it matters | Triage question | Possible escalation |
|---|---|---|---|
| Repeated failed login attempts | May indicate brute force, password spraying, or credential misuse attempts. | Are failures concentrated around one account, source, time window, or authentication method? | Escalate if failures are high volume, target privileged accounts, or precede a successful login. |
| Login activity outside expected hours | Can indicate compromised credentials or unusual user behaviour requiring context. | Is this user expected to work at this time, from this location, or via this device? | Escalate if combined with new device, impossible travel, privilege use, or sensitive access. |
| Multiple account failures from one source | A single source failing across many accounts can suggest password spraying or automated probing. | How many accounts were targeted, and does the source appear known, internal, or suspicious? | Escalate for source blocking review, account protection, and authentication log correlation. |
| Suspicious privilege-related event | Privilege changes can materially increase blast radius if unauthorised. | Was the change approved, expected, and performed by a legitimate administrator? | Escalate if privilege assignment is unusual, unexplained, or near other suspicious events. |
| Unusual access pattern | Access to unexpected systems, files, or services may indicate reconnaissance or misuse. | Is the activity consistent with the user's role, recent tickets, or normal baseline? | Escalate for endpoint, identity, and access review if the behaviour lacks business justification. |
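The three authentication rows of the table (repeated failures, failures from one source across many accounts, and the failure-then-success escalation criterion, plus the off-hours check) can be expressed as a small rule set over sshd syslog lines. The following is an added example written for this page, not the project's own CLI: it parses constructed sample lines, applies the rules with illustrative thresholds, and emits JSON alerts carrying the matching triage question. The log year, the thresholds, the working-hours window and the severity labels are assumptions, and the sample addresses are documentation ranges rather than real traffic.

```python
"""Added example (not the project's code): sshd log lines -> triage-ready JSON alerts."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Jan 14 02:03:11 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 14 02:03:13 bastion sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51023 ssh2
Jan 14 02:03:15 bastion sshd[1205]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 14 02:03:17 bastion sshd[1207]: Failed password for alice from 203.0.113.5 port 51025 ssh2
Jan 14 02:03:20 bastion sshd[1209]: Failed password for alice from 203.0.113.5 port 51026 ssh2
Jan 14 02:03:24 bastion sshd[1211]: Accepted password for alice from 203.0.113.5 port 51027 ssh2
Jan 14 09:15:02 bastion sshd[1300]: Accepted publickey for bob from 192.0.2.10 port 40000 ssh2
Jan 14 23:40:09 bastion sshd[1350]: Accepted publickey for carol from 198.51.100.7 port 40100 ssh2
"""

LOG_YEAR = 2026  # assumed: classic syslog timestamps carry no year

# Matches OpenSSH "Accepted"/"Failed" authentication events; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=LOG_YEAR):
    """Return an auth event dict, or None for lines the rule set does not use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def _alert(rule, severity, src, events, note):
    """Build a JSON-serialisable alert summarising the events that fired a rule."""
    return {"rule": rule, "severity": severity, "src": src,
            "users": sorted({e["user"] for e in events}), "count": len(events),
            "first_seen": min(e["ts"] for e in events).isoformat(),
            "last_seen": max(e["ts"] for e in events).isoformat(),
            "triage_note": note}


def detect(events, fail_threshold=5, spray_accounts=3, window_s=300, work_hours=(7, 19)):
    """Apply the rules per source address; thresholds are illustrative, not standards."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if e["outcome"] == "Failed"]
        # Repeated failed login attempts: a sliding window of fail_threshold failures.
        burst = any((fails[i + fail_threshold - 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s
                    for i in range(len(fails) - fail_threshold + 1))
        if burst:
            alerts.append(_alert("brute_force", "medium", src, fails,
                                 "Are failures concentrated on one account or a privileged one?"))
        # Multiple account failures from one source: password spraying or automated probing.
        if len({e["user"] for e in fails}) >= spray_accounts:
            alerts.append(_alert("password_spray", "medium", src, fails,
                                 "Is the source known or internal? Review blocking and account protection."))
        for s in (e for e in evs if e["outcome"] == "Accepted"):
            # Failures preceding a success from the same source: the table's escalation criterion.
            prior = [f for f in fails if 0 <= (s["ts"] - f["ts"]).total_seconds() <= window_s]
            if prior:
                alerts.append(_alert("success_after_failures", "high", src, [s],
                                     f"{len(prior)} failures preceded this login; confirm with the user."))
            # Login outside expected hours needs user, location and device context.
            if not work_hours[0] <= s["ts"].hour < work_hours[1]:
                alerts.append(_alert("off_hours_login", "low", src, [s],
                                     "Is this user expected to log in at this time from this source?"))
    return alerts


def analyse(text):
    """Parse raw log text and return the list of alerts."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return detect(events)


def export_json(alerts):
    """Serialise alerts in the JSON shape a dashboard or ticketing hook could consume."""
    return json.dumps(alerts, indent=2)


if __name__ == "__main__":
    print(export_json(analyse(SAMPLE_LOG)))
```

On the sample, the single noisy source fires brute_force, password_spray and a high-severity success_after_failures for alice, while the two key-based logins only raise the low-severity off-hours question for carol; the per-rule triage_note is what an analyst would read first when deciding whether the escalation column applies.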
Evidence / Artefacts
Coming soon
Detection logic
Detection rule examples not published yet.
Alert triage notes
Analyst triage notes not published yet.
Screenshots
Screenshots of log review workflow and sample detections.
Workflow diagram
Alert review and escalation workflow diagram not published yet.
Limitations
This project uses sample or lab-generated logs and is not a replacement for a SIEM, EDR, or managed SOC workflow.
What I Learned
Mapped authentication log signals to triage questions, structured alert exports, and investigation notes.
Next Improvement
Add sample logs, documented detection logic, test cases, and screenshots showing the triage workflow.