A hands-on deep dive into log analysis, threat detection, and MITRE ATT&CK mapping using pure Python
Every cyberattack leaves a trail. Whether it’s a brute force attempt against an SSH server, a SQL injection probe against a web application, or a port scan mapping your network — the evidence is always there, buried in log files.
The problem is that log files are enormous. A busy web server can generate millions of log entries per day. Finding the needle in that haystack manually is impossible — which is exactly why Security Information and Event Management (SIEM) tools like Splunk, Microsoft Sentinel, and IBM QRadar exist.
But here’s the thing: most cybersecurity professionals use these tools without truly understanding the detection logic underneath. I wanted to change that for myself — so I built a log analyzer from scratch using nothing but Python.
What Are Log Files?
Before we get into the code, let’s understand what we’re working with.
Apache Access Logs record every HTTP request to a web server. Each line looks like this:
192.168.1.100 - - [01/Mar/2026:10:23:45 +0000] "GET /admin HTTP/1.1" 404 512
This tells us: the IP address that made the request, the timestamp, what they requested (/admin), the HTTP method (GET), and the response code (404 = not found).
Windows Authentication Logs (Security Event Log) record every login attempt on a Windows system. Event ID 4625 means a failed login. If you see hundreds of Event ID 4625 from the same IP in a short time period — that’s a brute force attack.
The Three Attacks We Detect
- Brute Force — MITRE ATT&CK T1110
Brute force attacks involve repeatedly trying username/password combinations until one works. The detection logic is simple: if the same IP address fails to authenticate more than 5 times within a short window, flag it.
BRUTE_FORCE_THRESHOLD = 5
findings = []
for ip in failed_attempts:  # failed_attempts: per-IP count of failed logins, built while parsing the log
    if failed_attempts[ip] > BRUTE_FORCE_THRESHOLD:
        findings.append({
            'type': 'Brute Force',
            'technique': 'T1110',
            'severity': 'CRITICAL',
            'ip': ip,
            'count': failed_attempts[ip]
        })
This is exactly how enterprise SIEMs work — correlation rules that trigger when a threshold is exceeded.
- SQL Injection — MITRE ATT&CK T1190
SQL injection attacks try to manipulate database queries through web form inputs or URL parameters. Common signatures include keywords like UNION SELECT, DROP TABLE, OR 1=1, and -- (the SQL comment marker).
SQL_PATTERNS = [
    r"union\s+select", r"drop\s+table",
    r"or\s+1\s*=\s*1", r"--\s*$",
    r"exec\s*\(", r"xp_cmdshell"  # the "(" must be escaped, or re.compile() raises "missing )"
]
We scan the request URL in each log line for these patterns using Python’s re (regular expressions) module.
- Port Scanning — MITRE ATT&CK T1046
A port scan is when an attacker probes a target to discover which ports are open — gathering intelligence before launching an actual attack. The signature is many requests to different endpoints from the same IP in rapid succession, often resulting in many 404 responses.
MITRE ATT&CK Mapping
What makes this tool more than just a log parser is the ATT&CK mapping. Every detected threat is tagged with its MITRE technique ID:
Detection | ATT&CK ID | Tactic
Brute Force | T1110 | Credential Access
SQL Injection | T1190 | Initial Access
Port Scan | T1046 | Discovery
Dir Traversal | T1083 | Discovery
This context matters enormously in a SOC environment. Knowing that an alert maps to T1110 (Credential Access) tells an analyst that an attacker is trying to gain access — very different from T1046 (Discovery), which suggests they’re still in the reconnaissance phase.
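As an added example (not the code from the post's repository), here is a compact version of the three detections above together with the ATT&CK tagging, run over a constructed Apache access log. It assumes, for this example only, that HTTP 401 responses count as failed logins, that a port scan shows up as 404s on 10 or more distinct paths from one IP, and a brute force threshold of 5.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Apache common log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')
# The post's SQL injection signatures (paren escaped), matched case-insensitively against the decoded URL
SQL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"union\s+select", r"drop\s+table", r"or\s+1\s*=\s*1", r"--\s*$", r"exec\s*\(", r"xp_cmdshell")]
# Thresholds are assumptions for this example: >5 failed logins, or 404s on >=10 distinct paths, from one IP
BRUTE_FORCE_THRESHOLD, SCAN_DISTINCT_404S = 5, 10
ATTACK_MAP = {  # detection type -> (ATT&CK technique, tactic, severity)
    'Brute Force': ('T1110', 'Credential Access', 'CRITICAL'),
    'SQL Injection': ('T1190', 'Initial Access', 'HIGH'),
    'Port Scan': ('T1046', 'Discovery', 'MEDIUM'),
}
def parse_line(line):
    """Fields of one access-log line, or None if the line is not in common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None
def make_finding(kind, ip, **extra):
    technique, tactic, severity = ATTACK_MAP[kind]
    return {'type': kind, 'technique': technique, 'tactic': tactic, 'severity': severity, 'ip': ip, **extra}
def analyze(lines):
    failed_auth = defaultdict(int)  # ip -> number of 401 responses (failed web logins)
    not_found = defaultdict(set)    # ip -> distinct paths that returned 404
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec['ip'], unquote(rec['path']), rec['status']  # decode %27, %20, ...
        if status == '401':
            failed_auth[ip] += 1
        elif status == '404':
            not_found[ip].add(path)
        if any(p.search(path) for p in SQL_PATTERNS):
            findings.append(make_finding('SQL Injection', ip, payload=path))
    for ip, n in failed_auth.items():  # correlation rules evaluated once the whole log is counted
        if n > BRUTE_FORCE_THRESHOLD:
            findings.append(make_finding('Brute Force', ip, count=n))
    for ip, paths in not_found.items():
        if len(paths) >= SCAN_DISTINCT_404S:
            findings.append(make_finding('Port Scan', ip, count=len(paths)))
    return findings
# Constructed sample log (RFC 5737 documentation addresses): 6 failed logins, 10 probes, one SQLi request
PROBES = ['admin', 'backup', 'cgi-bin', 'wp-login.php', '.env', 'phpmyadmin', '.git', 'config', 'old', 'test']
SAMPLE_LOG = (
    ['203.0.113.9 - - [01/Mar/2026:10:23:%02d +0000] "POST /login HTTP/1.1" 401 512' % s for s in range(6)]
    + ['198.51.100.7 - - [01/Mar/2026:10:24:%02d +0000] "GET /%s HTTP/1.1" 404 0' % (s, p) for s, p in enumerate(PROBES)]
    + ['192.0.2.44 - - [01/Mar/2026:10:25:01 +0000] "GET /search?q=1%27%20UNION%20SELECT%20*%20FROM%20users HTTP/1.1" 200 2048'])
```

Calling analyze(SAMPLE_LOG) yields three findings, one per technique, each carrying the tactic an analyst would see in the report.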
The Output
The tool outputs a color-coded terminal report:
[CRITICAL] Brute Force Attack Detected
IP: 192.168.1.100 | Attempts: 47 | Technique: T1110
Recommendation: Block IP, enable account lockout policy
[HIGH] SQL Injection Attempt
IP: 10.0.0.55 | Payload: UNION SELECT * FROM users | Technique: T1190
Recommendation: Enable WAF, review input validation
And a JSON export that can be ingested directly into a SIEM platform.
What I Learned
Building this tool taught me something that no certification course did: detection is about context, not just signatures.
A single failed login is normal. Fifty failed logins from the same IP in 30 seconds is an attack. The difference is context — and building the logic to establish that context from raw log data is a fundamental skill every SOC analyst needs.
Try It Yourself
Full source code on GitHub:
github.com/SankethSubhas/log-analyzer-threat-detector
Requirements: Python 3 only. No pip install needed.
git clone https://github.com/SankethSubhas/log-analyzer-threat-detector
cd log-analyzer-threat-detector
python3 log_analyzer.py --file sample_auth.log
Sanketh Subhas is a Cybersecurity Analyst with 3.5+ years of experience in SOC operations, GRC, and threat detection.
Portfolio: sankethsubhas.pages.dev | GitHub: github.com/SankethSubhas