Skip to content

aqsakhan/win_cmd_triage

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 
cmdline_triage.py
cmdline_triage.py
 
 
sample_input.csv
sample_input.csv
 
 
sample_output.csv
sample_output.csv
 
 

Repository files navigation

Windows Command-Line Triage Tool

A lightweight Python tool that enriches Windows command-line logs with security context to support SOC triage and incident investigations.

The tool focuses on explainability, adding analyst-friendly insights such as command category, MITRE ATT&CK mapping, risk level, and suggested next steps.

Features

  • Rule-based analysis of Windows command-line activity
  • MITRE ATT&CK technique mapping
  • Risk-based prioritization (Low / Medium / High)
  • Analyst-focused investigation guidance
  • CSV input and output (SIEM-friendly)
  • No external dependencies

Usage

python cmdline_triage.py input.csv output.csv

Input Format

The input CSV must contain the following columns:

Timestamp, Host, User, CommandLine

Output

The output CSV preserves the original fields and adds:

  • Category
  • Explanation
  • MITRE_Technique
  • Risk_Level
  • Analyst_Next_Step

Notes

  • This tool is intended for SOC triage and analysis, not detection.
  • Rules are evaluated top-down, and the first matching rule is applied.

About

SOC triage tool to enrich Windows command-line logs with MITRE mapping and analyst context

Topics

python windows incident-response cybersecurity threat-hunting soc mitre-attck

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages