LogMentor: A SOC Log Analysis and Training Tool

Course Instructor

Daniel Cliburn

Lead Team Member Affiliation

Computer Science

Second Team Member Affiliation

Computer Science

Abstract

Security Operations Center (SOC) analysts are responsible for identifying suspicious activity within large volumes of system and network logs. This process is often time-consuming and prone to human error. LogMentor, a SOC log analyzer project, is a lightweight log analysis tool that automates portions of the investigation process and supports entry-level analysts in detecting potential security threats.

LogMentor is implemented as a command-line Python application and follows a structured pipeline consisting of log ingestion, event normalization, rule-based detection, and report generation. It supports common log sources, including Windows Security logs and Linux logs, and standardizes key fields such as timestamps, host identifiers, and event types to enable consistent analysis across different log formats. Detection is performed using predefined rules based on known attack behaviors, producing structured alerts that include supporting evidence for analysis.
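The four-stage pipeline described above (ingest, normalize, rule-based detect, report), as an added illustration that is not LogMentor's own code: both sample inputs are constructed, the Windows JSON-lines export layout is assumed, the year supplied for the year-less syslog timestamps is assumed, and the brute-force rule's threshold and window are assumed values chosen for the example.

```python
"""Added example of an ingest -> normalize -> detect -> report pipeline.
Not LogMentor's source; sample logs are constructed, thresholds are assumed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Linux auth.log lines in traditional syslog layout (no year).
LINUX_AUTH_LOG = """\
Mar  1 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:04 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  1 10:00:06 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:09 host1 sshd[1205]: Accepted password for root from 203.0.113.5 port 51242 ssh2
Mar  1 10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
"""
# Constructed Windows Security events, one JSON object per line (assumed export
# layout). Event ID 4625 is a failed logon, 4624 a successful one.
WINDOWS_SECURITY_JSONL = """\
{"TimeCreated": "2024-03-01T10:10:00", "Computer": "WS01", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"}
{"TimeCreated": "2024-03-01T10:10:20", "Computer": "WS01", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"}
{"TimeCreated": "2024-03-01T10:12:00", "Computer": "WS01", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.9"}
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)")


def normalize_linux(text, year=2024):
    """Map sshd auth.log lines onto the common event schema. Syslog timestamps
    carry no year, so the caller supplies one (assumed here; a real tool would
    take it from file metadata or configuration)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an sshd authentication line; ignored by this rule set
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "event_type": "logon_failure" if m["outcome"] == "Failed" else "logon_success",
            "user": m["user"], "src_ip": m["ip"], "source": "linux_auth", "raw": line,
        })
    return events


def normalize_windows(text):
    """Map Windows Security logon events (4624/4625) onto the same schema."""
    kinds = {4625: "logon_failure", 4624: "logon_success"}
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec["EventID"] not in kinds:
            continue
        events.append({
            "ts": datetime.fromisoformat(rec["TimeCreated"]), "host": rec["Computer"],
            "event_type": kinds[rec["EventID"]], "user": rec["TargetUserName"],
            "src_ip": rec["IpAddress"], "source": "windows_security", "raw": line,
        })
    return events


def detect_brute_force(events, threshold=4, window=timedelta(seconds=60)):
    """Rule: at least `threshold` logon failures from one source IP against one
    host inside `window`; severity rises if a success from the same source
    follows within `window` of the last failure. Every alert carries the raw
    lines that triggered it as evidence. Threshold and window are assumed."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["host"], e["src_ip"])].append(e)
    alerts = []
    for (host, ip), evs in by_key.items():
        failures = [e for e in evs if e["event_type"] == "logon_failure"]
        for i in range(len(failures) - threshold + 1):
            run = failures[i:i + threshold]
            if run[-1]["ts"] - run[0]["ts"] > window:
                continue
            last = run[-1]["ts"]
            success = next((e for e in evs if e["event_type"] == "logon_success"
                            and last <= e["ts"] <= last + window), None)
            alerts.append({
                "rule": "logon brute force", "host": host, "src_ip": ip,
                "severity": "high" if success else "medium",
                "success_after": success is not None,
                "evidence": [e["raw"] for e in run] + ([success["raw"]] if success else []),
            })
            break  # one alert per host/source pair is enough for the analyst
    return alerts


def render_report(alerts):
    """Plain-text report: one headline per alert followed by its evidence."""
    lines = []
    for a in alerts:
        tail = " (success followed failures)" if a["success_after"] else ""
        lines.append(f"[{a['severity'].upper()}] {a['rule']} on {a['host']} from {a['src_ip']}{tail}")
        lines.extend("    evidence: " + raw for raw in a["evidence"])
    return "\n".join(lines) if lines else "no alerts"


if __name__ == "__main__":
    all_events = normalize_linux(LINUX_AUTH_LOG) + normalize_windows(WINDOWS_SECURITY_JSONL)
    print(render_report(detect_brute_force(all_events)))
```

Running it flags the 203.0.113.5 burst against host1 as high severity because the accepted password follows the four failures, and stays silent on the Windows host, where two failures do not reach the threshold. The point of normalizing first is visible in the rule: it never looks at the source format, only at the shared fields.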

LogMentor aims to reduce the time required to identify suspicious patterns while providing explainable results that are useful both for investigation and for training. The project establishes a foundation for more advanced security monitoring systems and introduces core SOC workflows to aspiring cybersecurity professionals.
