Skip to main content

Windows Security Analysis Engine — transforms structured Windows Event Logs into attack timelines and human-readable security narratives.

Project description

🛡️ WinSec Timeline

Windows Security Analysis Engine — Transforms structured Windows Event Logs into attack timelines and clear, human-readable security narratives.

PyPI Python License: MIT


🚀 Features

  • Attack Timeline Generation — Chronologically ordered, high-signal event sequences
  • Process Tree Visualization — Clear parent-child relationship mapping with suspicious chain highlighting
  • Behavioral Pattern Detection — Identifies Office macro attacks, encoded commands, lateral movement, persistence mechanisms
  • Automated Verdict & Confidence Scoring — Machine-readable verdicts with explainable confidence percentages
  • Multiple Output Formats — Plain text, JSON, and stunning HTML reports
  • CLI & Library Modes — Use as a standalone tool or integrate into your Python pipeline
  • Production-Grade — Deterministic, consistent output suitable for automated security pipelines

📦 Installation

pip install winsec-timeline

For development:

pip install winsec-timeline[dev]

⚡ Quick Start

Python API

from winsec_timeline import SecurityAnalyzer

analyzer = SecurityAnalyzer()

data = {
    "timeline": [
        {
            "timestamp": "2024-03-15T09:15:23Z",
            "event": "Process Created",
            "process": "WINWORD.EXE",
            "parent": "explorer.exe",
            "details": "User opened Word document"
        },
        {
            "timestamp": "2024-03-15T09:15:45Z",
            "event": "Process Created",
            "process": "powershell.exe",
            "parent": "WINWORD.EXE",
            "details": "PowerShell spawned with encoded command"
        }
    ],
    "process_tree": {
        "root": "explorer.exe",
        "children": [
            {
                "name": "WINWORD.EXE",
                "children": [
                    {"name": "powershell.exe", "children": []}
                ]
            }
        ]
    },
    "flags": [
        "office_spawned_powershell",
        "encoded_command"
    ]
}

report = analyzer.analyze(data)
print(report.to_text())

CLI

# Analyze from JSON file
winsec-timeline analyze input.json

# Output as JSON
winsec-timeline analyze input.json --format json

# Generate HTML report
winsec-timeline analyze input.json --format html --output report.html

📊 Output Structure

Every analysis produces:

Section Description
Timeline Chronologically ordered high-signal events
Process Tree Parent-child execution chains
Key Observations Behavioral patterns & suspicious indicators
Summary 3–5 line executive summary
Verdict Likely Malicious / Suspicious / Benign
Confidence 0–100% score based on indicator severity

🔍 Detection Capabilities

Pattern Description
Office → Shell Office apps spawning cmd/powershell
Encoded Commands Base64/obfuscated command execution
Network Activity External connections post-execution
Persistence Scheduled tasks, services, registry
Process Injection Suspicious parent-child chains
Rapid Staging Multi-stage execution within short timeframes

📄 License

MIT License — see LICENSE for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

winsec_timeline-1.0.1.tar.gz (36.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

winsec_timeline-1.0.1-py3-none-any.whl (38.1 kB view details)

Uploaded Python 3

File details

Details for the file winsec_timeline-1.0.1.tar.gz.

File metadata

  • Download URL: winsec_timeline-1.0.1.tar.gz
  • Upload date:
  • Size: 36.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for winsec_timeline-1.0.1.tar.gz
Algorithm Hash digest
SHA256 35e47461e22a6f83a7c5f33d2f6a85276309b66578df0e819bbbe2a22843c461
MD5 2200b7f06d37f889ded22be142011371
BLAKE2b-256 326dc4d99cb37f37ff85d460bbfc52cfcf0d88d67d18d32b74428b09c2bcad6c

See more details on using hashes here.

File details

Details for the file winsec_timeline-1.0.1-py3-none-any.whl.

File metadata

File hashes

Hashes for winsec_timeline-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 2e03310fd2a9f94a9965aa0b7dacfd2cf151dc0c0a179b0ba8c840d24147f578
MD5 bec34051d67285d5b334c3e9a5c52ff9
BLAKE2b-256 8bb8c0c6115f96a85bcbee2e5691d394a2b9c73cf157fa2a14db86bd3969c1c4

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page