Most log analysis workflows assume you have a full SIEM stack running. Splunk, Elastic, Sentinel — they're powerful, but they're also heavy. When I needed to triage Windows security logs during a lab exercise, I didn't want to spin up infrastructure. I wanted to point a tool at a folder of logs and get answers.
That's why I built ThreatLens — a Python CLI that parses EVTX, JSON, Syslog, and CEF logs offline, runs detection rules (including native Sigma support), correlates multi-stage attacks, and outputs structured alerts mapped to MITRE ATT&CK. No agents, no cloud, no dependencies beyond PyYAML.
What It Actually Does
ThreatLens automates the first pass of triage. You feed it log files and it catches:
- Brute-force attacks and password spray patterns
- Lateral movement (single account hopping across hosts)
- Privilege escalation (SeDebugPrivilege, SeTcbPrivilege assigned to non-system accounts)
- Suspicious process execution (LOLBins, encoded PowerShell, certutil download cradles)
- Defense evasion (log clearing, Defender disabled, audit policy changes)
- Persistence mechanisms (new services, scheduled tasks, registry Run keys)
- Credential access (LSASS dumps, SAM hive access, DCSync)
- Multi-stage attack chain correlation that links activity across the entire kill chain
Every alert maps to a specific MITRE ATT&CK technique with an actionable recommendation.
The Feature I'm Most Proud Of: Attack Chain Correlation
Individual alerts are useful, but real attacks are sequences. ThreatLens has a correlation engine that links events across kill chain phases — if it sees credential access followed by privilege escalation followed by lateral movement followed by execution from the same source, it flags the entire chain as a single CRITICAL alert.
Here's the logic in simplified form: the engine groups alerts by time windows, tracks source entities across detection modules, and looks for progressions through the MITRE ATT&CK lifecycle. When it finds a chain, it bundles all the evidence into one high-confidence alert instead of flooding you with disconnected findings.
This is the kind of analysis that normally requires a SIEM correlation rule or a dedicated XDR platform. Having it in a standalone CLI means you can run it during incident response, in a lab, or in a CI/CD pipeline.
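To make the grouping-by-source, time-window and phase-progression idea concrete, here is an added toy correlator. It is my own illustrative code, not ThreatLens's engine; the Alert shape, the tactic names in CHAIN_ORDER and the sample alerts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alert:  # hypothetical shape; ThreatLens's real alert objects may differ
    ts: datetime
    source: str     # account or host the detector attributed the alert to
    tactic: str     # MITRE ATT&CK tactic, normalised to the names in CHAIN_ORDER
    technique: str  # MITRE ATT&CK technique id

# Kill-chain progression the correlator looks for, in lifecycle order.
CHAIN_ORDER = ("credential-access", "privilege-escalation", "lateral-movement", "execution")

def correlate(alerts, window=timedelta(hours=1), min_phases=3):
    """Bundle each source's alerts that progress through CHAIN_ORDER inside `window`.
    Returns one chain dict per source whose progression reaches min_phases."""
    by_source = {}
    for a in sorted(alerts, key=lambda a: a.ts):  # time order gives "followed by" its meaning
        by_source.setdefault(a.source, []).append(a)
    chains = []
    for source, items in by_source.items():
        evidence, expected = [], 0
        for a in items:
            if expected == len(CHAIN_ORDER) or a.tactic != CHAIN_ORDER[expected]:
                continue  # out-of-order or repeated phases are ignored, not counted
            if evidence and a.ts - evidence[0].ts > window:
                evidence, expected = [], 0  # window opened by the first phase expired: start over
                if a.tactic != CHAIN_ORDER[0]:
                    continue
            evidence.append(a)
            expected += 1
        if expected >= min_phases:
            chains.append({"source": source,
                           "severity": "CRITICAL" if expected == len(CHAIN_ORDER) else "HIGH",
                           "phases": CHAIN_ORDER[:expected], "evidence": evidence})
    return chains

# Constructed sample alerts (not real detector output): one full chain, one out-of-order
# pair that must not correlate, and a lone execution alert as benign-looking noise.
T0 = datetime(2024, 5, 1, 10, 0)
SAMPLE_ALERTS = [
    Alert(T0, "CORP\\svc_backup", "credential-access", "T1003.001"),
    Alert(T0 + timedelta(minutes=5), "CORP\\svc_backup", "privilege-escalation", "T1134"),
    Alert(T0 + timedelta(minutes=20), "CORP\\svc_backup", "lateral-movement", "T1021.002"),
    Alert(T0 + timedelta(minutes=25), "CORP\\svc_backup", "execution", "T1059.001"),
    Alert(T0, "CORP\\jdoe", "lateral-movement", "T1021.002"),
    Alert(T0 + timedelta(minutes=3), "CORP\\jdoe", "credential-access", "T1003.001"),
    Alert(T0 + timedelta(minutes=40), "CORP\\bkelly", "execution", "T1059.001"),
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_ALERTS):
        print(chain["severity"], chain["source"], " -> ".join(chain["phases"]))
```

Shrinking the window (for example to ten minutes) breaks the svc_backup chain apart, which is the knob that trades correlation reach against false linkage of unrelated activity.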
Sigma Rule Support
One of my goals was interoperability with the existing detection community. ThreatLens loads Sigma rules natively — selections, filters, field modifiers (|contains, |startswith, |endswith, |re, |all), compound conditions with correct operator precedence, and logsource pre-filtering.
git clone https://github.com/SigmaHQ/sigma.git
threatlens scan logs/ --sigma-rules sigma/rules/windows/
This means you get access to thousands of community-maintained detection rules without writing anything custom.
CI/CD Integration
ThreatLens returns structured exit codes: 0 for clean, 2 for alerts above your threshold. Drop it into a pipeline:
threatlens scan logs/ --fail-on high --summary-only --no-color
Use it to gate deployments or trigger incident workflows based on log findings.
Getting Started
pip install threatlens
threatlens scan your_logs/
Or clone it and run against the included sample data:
git clone https://github.com/TiltedLunar123/ThreatLens.git
cd ThreatLens
pip install -e .
threatlens scan sample_data/sample_security_log.json --verbose
The sample dataset includes a focused attack simulation (26 events) and a mixed enterprise log (52 events with benign noise plus embedded attacks). ThreatLens hit 100% detection with zero false positives on the benign traffic.
What's Next
I'm actively working on this project and planning to add more detection modules, improve the Sigma compatibility layer, and build out the plugin system so teams can drop in environment-specific detectors.
If you work in security operations, do incident response, or just want a fast way to analyze Windows logs without infrastructure — give it a try and let me know what you think.
GitHub: https://github.com/TiltedLunar123/ThreatLens
If this was useful, follow me for more security tooling and detection engineering content.