Windows Security Analysis Engine — transforms structured Windows Event Logs into attack timelines and human-readable security narratives.
Project description
🛡️ WinSec Timeline
Windows Security Analysis Engine — Transforms structured Windows Event Logs into attack timelines and clear, human-readable security narratives.
🚀 Features
- Attack Timeline Generation — Chronologically ordered, high-signal event sequences
- Process Tree Visualization — Clear parent-child relationship mapping with suspicious chain highlighting
- Behavioral Pattern Detection — Identifies Office macro attacks, encoded commands, lateral movement, persistence mechanisms
- Automated Verdict & Confidence Scoring — Machine-readable verdicts with explainable confidence percentages
- Multiple Output Formats — Plain text, JSON, and stunning HTML reports
- CLI & Library Modes — Use as a standalone tool or integrate into your Python pipeline
- Production-Grade — Deterministic, consistent output suitable for automated security pipelines
📦 Installation
pip install winsec-timeline
For development:
pip install winsec-timeline[dev]
⚡ Quick Start
Python API
from winsec_timeline import SecurityAnalyzer
analyzer = SecurityAnalyzer()
data = {
"timeline": [
{
"timestamp": "2024-03-15T09:15:23Z",
"event": "Process Created",
"process": "WINWORD.EXE",
"parent": "explorer.exe",
"details": "User opened Word document"
},
{
"timestamp": "2024-03-15T09:15:45Z",
"event": "Process Created",
"process": "powershell.exe",
"parent": "WINWORD.EXE",
"details": "PowerShell spawned with encoded command"
}
],
"process_tree": {
"root": "explorer.exe",
"children": [
{
"name": "WINWORD.EXE",
"children": [
{"name": "powershell.exe", "children": []}
]
}
]
},
"flags": [
"office_spawned_powershell",
"encoded_command"
]
}
report = analyzer.analyze(data)
print(report.to_text())
CLI
# Analyze from JSON file
winsec-timeline analyze input.json
# Output as JSON
winsec-timeline analyze input.json --format json
# Generate HTML report
winsec-timeline analyze input.json --format html --output report.html
📊 Output Structure
Every analysis produces:
| Section | Description |
|---|---|
| Timeline | Chronologically ordered high-signal events |
| Process Tree | Parent-child execution chains |
| Key Observations | Behavioral patterns & suspicious indicators |
| Summary | 3–5 line executive summary |
| Verdict | Likely Malicious / Suspicious / Benign |
| Confidence | 0–100% score based on indicator severity |
🔍 Detection Capabilities
| Pattern | Description |
|---|---|
| Office → Shell | Office apps spawning cmd/powershell |
| Encoded Commands | Base64/obfuscated command execution |
| Network Activity | External connections post-execution |
| Persistence | Scheduled tasks, services, registry |
| Process Injection | Suspicious parent-child chains |
| Rapid Staging | Multi-stage execution within short timeframes |
📄 License
MIT License — see LICENSE for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file winsec_timeline-1.0.0.tar.gz.
File metadata
- Download URL: winsec_timeline-1.0.0.tar.gz
- Upload date:
- Size: 36.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
312d8aac417403e705ca9c0e3a3ab728c20019f55fbdb2d11d0570e79b4a0e09
|
|
| MD5 |
4ff7ab641aa38d2b032be39ceb5154af
|
|
| BLAKE2b-256 |
1fbe6b6e09c1699080b503c1e127ebbef0c2b1dc8167e88ea6ead4afc28a01d0
|
File details
Details for the file winsec_timeline-1.0.0-py3-none-any.whl.
File metadata
- Download URL: winsec_timeline-1.0.0-py3-none-any.whl
- Upload date:
- Size: 38.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
51568d294ef581c4f38e1c81a913eba46cd5a8b956ec044e909fb17c828511de
|
|
| MD5 |
5844f21e5d8388153dc1e9610692f21f
|
|
| BLAKE2b-256 |
f24df584cdea30132edbf81dbbdb05b646118a8921cddac17e9058486b07b9e3
|