Skip to main content

Windows Security Analysis Engine — transforms structured Windows Event Logs into attack timelines and human-readable security narratives.

Project description

🛡️ WinSec Timeline

Windows Security Analysis Engine — Transforms structured Windows Event Logs into attack timelines and clear, human-readable security narratives.

PyPI Python License: MIT


🚀 Features

  • Attack Timeline Generation — Chronologically ordered, high-signal event sequences
  • Process Tree Visualization — Clear parent-child relationship mapping with suspicious chain highlighting
  • Behavioral Pattern Detection — Identifies Office macro attacks, encoded commands, lateral movement, persistence mechanisms
  • Automated Verdict & Confidence Scoring — Machine-readable verdicts with explainable confidence percentages
  • Multiple Output Formats — Plain text, JSON, and stunning HTML reports
  • CLI & Library Modes — Use as a standalone tool or integrate into your Python pipeline
  • Production-Grade — Deterministic, consistent output suitable for automated security pipelines

📦 Installation

pip install winsec-timeline

For development:

pip install winsec-timeline[dev]

⚡ Quick Start

Python API

from winsec_timeline import SecurityAnalyzer

analyzer = SecurityAnalyzer()

data = {
    "timeline": [
        {
            "timestamp": "2024-03-15T09:15:23Z",
            "event": "Process Created",
            "process": "WINWORD.EXE",
            "parent": "explorer.exe",
            "details": "User opened Word document"
        },
        {
            "timestamp": "2024-03-15T09:15:45Z",
            "event": "Process Created",
            "process": "powershell.exe",
            "parent": "WINWORD.EXE",
            "details": "PowerShell spawned with encoded command"
        }
    ],
    "process_tree": {
        "root": "explorer.exe",
        "children": [
            {
                "name": "WINWORD.EXE",
                "children": [
                    {"name": "powershell.exe", "children": []}
                ]
            }
        ]
    },
    "flags": [
        "office_spawned_powershell",
        "encoded_command"
    ]
}

report = analyzer.analyze(data)
print(report.to_text())

CLI

# Analyze from JSON file
winsec-timeline analyze input.json

# Output as JSON
winsec-timeline analyze input.json --format json

# Generate HTML report
winsec-timeline analyze input.json --format html --output report.html

📊 Output Structure

Every analysis produces:

Section Description
Timeline Chronologically ordered high-signal events
Process Tree Parent-child execution chains
Key Observations Behavioral patterns & suspicious indicators
Summary 3–5 line executive summary
Verdict Likely Malicious / Suspicious / Benign
Confidence 0–100% score based on indicator severity

🔍 Detection Capabilities

Pattern Description
Office → Shell Office apps spawning cmd/powershell
Encoded Commands Base64/obfuscated command execution
Network Activity External connections post-execution
Persistence Scheduled tasks, services, registry
Process Injection Suspicious parent-child chains
Rapid Staging Multi-stage execution within short timeframes

📄 License

MIT License — see LICENSE for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

winsec_timeline-1.0.0.tar.gz (36.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

winsec_timeline-1.0.0-py3-none-any.whl (38.1 kB view details)

Uploaded Python 3

File details

Details for the file winsec_timeline-1.0.0.tar.gz.

File metadata

  • Download URL: winsec_timeline-1.0.0.tar.gz
  • Upload date:
  • Size: 36.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for winsec_timeline-1.0.0.tar.gz
Algorithm Hash digest
SHA256 312d8aac417403e705ca9c0e3a3ab728c20019f55fbdb2d11d0570e79b4a0e09
MD5 4ff7ab641aa38d2b032be39ceb5154af
BLAKE2b-256 1fbe6b6e09c1699080b503c1e127ebbef0c2b1dc8167e88ea6ead4afc28a01d0

See more details on using hashes here.

File details

Details for the file winsec_timeline-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for winsec_timeline-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 51568d294ef581c4f38e1c81a913eba46cd5a8b956ec044e909fb17c828511de
MD5 5844f21e5d8388153dc1e9610692f21f
BLAKE2b-256 f24df584cdea30132edbf81dbbdb05b646118a8921cddac17e9058486b07b9e3

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page