gaurav kundu

How to Triage Windows Event Log Brute Force Attacks in 5 Minutes (Free Browser Tool)

It's 2 AM. An EDR alert fires.

"Multiple failed logon attempts followed by successful logon. Account: jsmith. Source workstation: ATTACKER-PC. Time window: 47 seconds."

You open the Windows Event Viewer. You export 187 events. You stare at the screen. Was this a real brute force? Was it the user fat-fingering their password three times before getting it right? Was it a password spray that finally hit?

The difference matters. Get it wrong and you either over-escalate (annoy the user, page IR for nothing) or under-react (miss the lateral movement that's already underway in events you haven't looked at yet).

This is the kind of triage every SOC analyst does dozens of times a month. Most of us still do it manually. Or with a clunky Excel pivot. Or by writing a Splunk query we'll never reuse.

I built a free, browser-only tool to make this 5 minutes instead of 30.

What it actually does

Windows Event Log Analyser takes raw Windows event log data — Event Viewer paste, security log text, plain text dump — and within seconds gives you a structured verdict with MITRE ATT&CK mapping.

In testing with a realistic brute-force-followed-by-lateral-movement scenario, the analyser produced 4 findings in under 2 seconds:

  • CRITICAL — Brute Force — Credential Compromise Confirmed — flags clusters of 4625 (failed logon) followed by 4624 (successful logon) from the same source within the brute-force window. → T1110 — Brute Force
  • CRITICAL — Lateral Movement Chain — correlates remote logon (4624 Type 3) with privileged session creation (4672) on the same host. → T1021 — Remote Services
  • CRITICAL — Security Log Cleared — flags 1102 events: log clearing is almost always malicious. → T1070.001 — Clear Windows Event Logs
  • HIGH — New Service Installed — flags 7045 service installation events, prompting binary-path inspection. → T1543.003 — Windows Service

All of it runs in your browser. Your event log data never leaves your machine. No upload, no signup, no account.

[Screenshot: Windows Event Log Analyser verdict screen showing Brute Force and Lateral Movement findings]

Try it with the example scenario

The fastest way to see how it works:

  1. Open socworkflows.com/wel
  2. Paste a realistic chain: 5 failed logons (Event ID 4625) → 1 successful logon (4624) → service install (7045) → privileged session (4672) → log clearing (1102)
  3. Click Run Analysis
  4. Get structured findings in ~2 seconds: High Risk verdict, 4 findings, MITRE technique mapping, full event timeline

The output includes a "Copy as Incident Note" button that produces a ticket-ready markdown summary, plus prompts pre-built for ChatGPT or Claude if you want to push deeper analysis to an LLM.

[Screenshot: Full findings panel showing all 4 detections with MITRE techniques]

What it does NOT do (because I should be honest)

This isn't a replacement for your SIEM. It does NOT:

  • Process millions of events at scale (it's designed for 50-500 events — the kind you'd manually export from Event Viewer for a single investigation)
  • Connect to your environment in real-time
  • Persist data across sessions (close the tab, the analysis is gone)
  • Replace correlation with EDR telemetry, network logs, and identity context

It's a triage aid, not a SIEM. The use case is the moment when you're staring at exported event logs and need structure fast.

Why browser-only (the privacy moat)

Most online tools for event log analysis upload your data to a server. For SOC analysts, that's often a non-starter:

  • Compliance teams hate it (GDPR, HIPAA, internal policy)
  • Even non-sensitive logs may contain hostnames, usernames, IPs that shouldn't leave the environment
  • Some orgs have policies forbidding paste of any internal data into third-party web tools

This tool runs the entire analysis in your browser using JavaScript. Open the "Network" tab in your devtools while you run an analysis: there are zero outbound requests carrying your event log content. Verify it yourself.

This isn't a feature I added. It's the product thesis. SOC tools should not make your data their data.

How the analyser works (the 30-second version)

  1. Paste raw event log data (Event Viewer export, security log text, console copy)
  2. Parse — extracts Event ID, Source, Account Name, Computer, Time, Process Information, Source IP
  3. Pattern match against known brute force, lateral movement, persistence, and defense evasion signatures
  4. Score by severity and confidence
  5. Output structured findings with MITRE mapping + recommended actions

A few hundred lines of JavaScript. No AI magic. Just pattern matching applied consistently — which is exactly what tired SOC analysts at 2 AM can't reliably do by hand.
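As an added illustration of that five-step pipeline and of the four findings listed earlier, here is a compact JavaScript version of the same idea. This is example code written for this article, not the socworkflows.com analyser's own source: the one-event-per-line input format, the sample events, the thresholds (4 failures within 60 seconds, 5 seconds between a 4624 and a 4672) and every function name are assumptions made for the example.

```javascript
// Added example, NOT the socworkflows.com code: parse -> pattern match ->
// score -> output, in the style the post describes.
// Input format is CONSTRUCTED for this example (one event per line:
// time | EventID | Computer | Account | SourceIP | LogonType). Real Event
// Viewer exports vary, so parseEvents() is the part you would adapt.
const SAMPLE_LOG = `
2024-03-01T02:14:03Z | 4625 | WS-FINANCE | jsmith | 10.0.0.55 | 3
2024-03-01T02:14:11Z | 4625 | WS-FINANCE | jsmith | 10.0.0.55 | 3
2024-03-01T02:14:19Z | 4625 | WS-FINANCE | jsmith | 10.0.0.55 | 3
2024-03-01T02:14:28Z | 4625 | WS-FINANCE | jsmith | 10.0.0.55 | 3
2024-03-01T02:14:36Z | 4625 | WS-FINANCE | jsmith | 10.0.0.55 | 3
2024-03-01T02:14:50Z | 4624 | WS-FINANCE | jsmith | 10.0.0.55 | 3
2024-03-01T02:14:51Z | 4672 | WS-FINANCE | jsmith | - | -
2024-03-01T02:15:10Z | 7045 | WS-FINANCE | SYSTEM | - | -
2024-03-01T02:16:00Z | 1102 | WS-FINANCE | jsmith | - | -
`;

// Step 2: parse. Malformed lines are skipped; events come back sorted by time.
function parseEvents(text) {
  return text.split('\n')
    .map(l => l.trim()).filter(l => l && !l.startsWith('#'))
    .map(l => l.split('|').map(f => f.trim()))
    .filter(f => f.length >= 6 && /^\d+$/.test(f[1]))
    .map(([time, id, computer, account, srcIp, logonType]) =>
      ({ time: Date.parse(time), id: Number(id), computer, account, srcIp, logonType }))
    .filter(e => !Number.isNaN(e.time))
    .sort((a, b) => a.time - b.time);
}

// Step 3: pattern matching. Thresholds are assumptions chosen for this example.
const BRUTE_FORCE_MIN_FAILURES = 4;      // 4625s needed before a 4624 is suspicious
const BRUTE_FORCE_WINDOW_MS = 60 * 1000; // burst window, also max gap to the 4624
const PRIV_SESSION_WINDOW_MS = 5 * 1000; // max gap between 4624 type 3 and 4672

function detectBruteForce(events) {
  const findings = [];
  const bySource = new Map(); // failures grouped by account@sourceIP
  for (const e of events) {
    if (e.id !== 4625) continue;
    const key = `${e.account}@${e.srcIp}`;
    if (!bySource.has(key)) bySource.set(key, []);
    bySource.get(key).push(e);
  }
  for (const [key, fails] of bySource) {
    // Sliding window: any run of >= N failures inside the window counts as a burst.
    for (let i = 0; i + BRUTE_FORCE_MIN_FAILURES - 1 < fails.length; i++) {
      const last = fails[i + BRUTE_FORCE_MIN_FAILURES - 1];
      if (last.time - fails[i].time > BRUTE_FORCE_WINDOW_MS) continue;
      const success = events.find(s => s.id === 4624 && `${s.account}@${s.srcIp}` === key
        && s.time >= last.time && s.time - last.time <= BRUTE_FORCE_WINDOW_MS);
      findings.push({
        severity: success ? 'CRITICAL' : 'HIGH',
        title: success ? 'Brute Force - Credential Compromise Confirmed' : 'Brute Force - Failed Logon Burst',
        technique: 'T1110 - Brute Force',
        detail: `${fails.length} x 4625 for ${key}` +
          (success ? ` then 4624 at ${new Date(success.time).toISOString()}` : ''),
      });
      break; // one finding per account/source pair
    }
  }
  return findings;
}

function detectLateralMovement(events) {
  const findings = [];
  for (const logon of events) {
    if (logon.id !== 4624 || logon.logonType !== '3') continue; // network logon only
    const priv = events.find(p => p.id === 4672 && p.computer === logon.computer
      && p.account === logon.account && p.time >= logon.time
      && p.time - logon.time <= PRIV_SESSION_WINDOW_MS);
    if (priv) findings.push({
      severity: 'CRITICAL', title: 'Lateral Movement Chain', technique: 'T1021 - Remote Services',
      detail: `4624 type 3 from ${logon.srcIp} then 4672 on ${logon.computer} for ${logon.account}`,
    });
  }
  return findings;
}

// Single-event signatures: the event itself is the finding.
const SINGLE_EVENT_RULES = {
  1102: { severity: 'CRITICAL', title: 'Security Log Cleared', technique: 'T1070.001 - Clear Windows Event Logs' },
  7045: { severity: 'HIGH', title: 'New Service Installed', technique: 'T1543.003 - Windows Service' },
};
function detectSingleEvents(events) {
  return events.filter(e => SINGLE_EVENT_RULES[e.id]).map(e => ({
    ...SINGLE_EVENT_RULES[e.id],
    detail: `event ${e.id} on ${e.computer} (account ${e.account}) at ${new Date(e.time).toISOString()}`,
  }));
}

// Step 4: score. The verdict follows the worst finding present.
const SEVERITY_RANK = { CRITICAL: 3, HIGH: 2, MEDIUM: 1 };
function analyse(events) {
  const findings = [...detectBruteForce(events), ...detectLateralMovement(events), ...detectSingleEvents(events)]
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  const worst = findings.length ? SEVERITY_RANK[findings[0].severity] : 0;
  const verdict = worst >= 3 ? 'High Risk' : worst === 2 ? 'Medium Risk' : 'Low Risk';
  return { verdict, findings, eventCount: events.length };
}

// Step 5: output. A ticket-ready markdown note, in the spirit of "Copy as Incident Note".
function renderIncidentNote(result) {
  const lines = [`## Verdict: ${result.verdict} (${result.findings.length} findings, ${result.eventCount} events)`];
  for (const f of result.findings) lines.push(`- **${f.severity}** ${f.title} [${f.technique}]: ${f.detail}`);
  return lines.join('\n');
}

console.log(renderIncidentNote(analyse(parseEvents(SAMPLE_LOG))));
```

Run it with `node` and the sample chain produces a High Risk verdict with four findings, one per technique. The design choice worth copying is that the brute-force rule keys on account plus source IP and demands a burst before the success, so three fat-fingered passwords from the user's own workstation do not trip it, while the lateral-movement rule only pairs a network logon (type 3) with a 4672 on the same host, so an interactive admin logon at the console does not.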

When to use it vs your SIEM

Scenario                                                | Use the SIEM                 | Use this tool
--------------------------------------------------------|------------------------------|--------------
Real-time monitoring                                    | Yes                          | No
Ad-hoc investigation of 50-500 events                   | Sometimes (queries are slow) | Yes
Quick verdict on an exported log block                  | Overkill                     | Yes
Long-term retention and search                          | Yes                          | No
Browser-only / privacy-sensitive triage                 | No                           | Yes
MITRE-mapped, incident-note-ready output in 30 seconds  | Doable but takes time        | Yes

This tool is for the moment between alert and verdict — not for the infrastructure that produced the alert.

What's next

Try it once on a real exported log block. If it saves you 20 minutes, that's the entire pitch.

If you're building or running a SOC, I'd love to hear what other specific triage workflows still waste your time. The next analyser I build will be based on what people tell me. Drop a comment with the log type or alert type that's currently making your 2 AM worse.


All 7 SOC.Workflows analysers are free, browser-only, and require no signup. Built by a SOC analyst, for SOC analysts.


Top comments (0)