Interactive demo

BlueSentinel in your browser

Paste auth.log lines below — or pick a preset. The parser, MITRE ATT&CK enricher, Sigma rules engine, and attack-graph reconstructor all run client-side in TypeScript. No server call. No API key. Real output.

Repeated failed SSH attempts (five in this preset) → successful login → sudo abuse → discovery → lateral movement → firewall disable → log tampering → data destruction. The engine should reconstruct these 12 lines as one chain with a high score.

12 lines parsed · 12 detections · 1 attack chain reconstructed

Detections

  • high

    Sigma rule matched: SSH brute-force — many failed passwords from one host

    Apr 20 09:05:00 prod-01 sshd[4221]: Failed password for root from 203.0.113.5 port 44251 ssh2

    T1110.001
  • high

    Sigma rule matched: SSH brute-force — many failed passwords from one host

    Apr 20 09:05:02 prod-01 sshd[4222]: Failed password for root from 203.0.113.5 port 44252 ssh2

    T1110.001
  • high

    Sigma rule matched: SSH brute-force — many failed passwords from one host

    Apr 20 09:05:04 prod-01 sshd[4223]: Failed password for root from 203.0.113.5 port 44253 ssh2

    T1110.001
  • high

    Sigma rule matched: SSH brute-force — many failed passwords from one host

    Apr 20 09:05:06 prod-01 sshd[4224]: Failed password for root from 203.0.113.5 port 44254 ssh2

    T1110.001
  • high

    Sigma rule matched: SSH brute-force — many failed passwords from one host

    Apr 20 09:05:08 prod-01 sshd[4225]: Failed password for root from 203.0.113.5 port 44255 ssh2

    T1110.001
  • high

    Sigma rule matched: Unauthorised sudo attempt

    Apr 20 09:06:30 prod-01 sudo[5001]: authentication failure for root

    T1548.003, T1068
  • info

    Sigma rule matched: Host firewall disabled

    Apr 20 09:09:00 prod-01 root: iptables -F

    T1562.004
  • critical

    Sigma rule matched: Auth log tampering

    Apr 20 09:10:00 prod-01 root: rm /var/log/auth.log

    T1070.002
  • medium

    MITRE ATT&CK regex: T1078.003, T1021.004

    Apr 20 09:06:00 prod-01 sshd[4226]: Accepted password for root from 203.0.113.5 port 44256 ssh2

    T1078.003, T1021.004
  • low

    MITRE ATT&CK regex: T1087

    Apr 20 09:07:00 prod-01 bash[5010]: cat /etc/passwd

    T1087
  • medium

    MITRE ATT&CK regex: T1021.004

    Apr 20 09:08:00 prod-01 sshd[5100]: Accepted publickey for root from 203.0.113.5 port 44300 ssh2

    T1021.004
  • critical

    MITRE ATT&CK regex: T1485

    Apr 20 09:11:00 prod-01 root: rm -rf /data/warehouse/*

    T1485

Reconstructed attack chains

chain-2026-04-20-09-05--012

overall 0.78

12 events over 6m — tactics: credential-access → initial-access → lateral-movement → privilege-escalation → discovery → defense-evasion → impact — user=root · host=prod-01 · sourceIp=203.0.113.5 · processName=sshd,sudo,bash — overall 0.78

Score components (weight in the overall score in parentheses)

  • Kill-chain progression: 0.45 (40%)
  • Severity: 1.00 (25%)
  • Entity consistency: 1.00 (20%)
  • Time compactness: 0.97 (15%)

Check: 0.40 × 0.45 + 0.25 × 1.00 + 0.20 × 1.00 + 0.15 × 0.97 = 0.7755, which rounds to the overall 0.78 shown above. Note that the kill-chain term is the weakest even though the chain touches seven tactics: the tactics do not arrive in the engine's kill-chain order (initial-access after credential-access, lateral-movement before privilege-escalation), so the progression score is only 0.45 while the severity and entity terms saturate at 1.00.

Tactics (kill-chain order)

credential-access → initial-access → lateral-movement → privilege-escalation → discovery → defense-evasion → impact
Mermaid flowchart source
flowchart LR
    N0["09:05:00 — Failed password for root from 203.0.113."]
    style N0 fill:#f97316,color:#fff
    N1["09:05:02 — Failed password for root from 203.0.113."]
    style N1 fill:#f97316,color:#fff
    N2["09:05:04 — Failed password for root from 203.0.113."]
    style N2 fill:#f97316,color:#fff
    N3["09:05:06 — Failed password for root from 203.0.113."]
    style N3 fill:#f97316,color:#fff
    N4["09:05:08 — Failed password for root from 203.0.113."]
    style N4 fill:#f97316,color:#fff
    N5["09:06:00 — Accepted password for root from 203.0.11"]
    style N5 fill:#eab308,color:#fff
    N6["09:06:30 — authentication failure for root"]
    style N6 fill:#f97316,color:#fff
    N7["09:07:00 — cat /etc/passwd"]
    style N7 fill:#22c55e,color:#fff
    N8["09:08:00 — Accepted publickey for root from 203.0.1"]
    style N8 fill:#eab308,color:#fff
    N9["09:09:00 — iptables -F"]
    style N9 fill:#94a3b8,color:#fff
    N10["09:10:00 — rm /var/log/auth.log"]
    style N10 fill:#ef4444,color:#fff
    N11["09:11:00 — rm -rf /data/warehouse/*"]
    style N11 fill:#ef4444,color:#fff
    N0 -->|T1110.001 (credential-access)| N1
    N1 -->|T1110.001 (credential-access)| N2
    N2 -->|T1110.001 (credential-access)| N3
    N3 -->|T1110.001 (credential-access)| N4
    N4 -->|T1078.003 (initial-access)| N5
    N5 -->|T1548.003 (privilege-escalation)| N6
    N6 -->|T1087 (discovery)| N7
    N7 -->|T1021.004 (lateral-movement)| N8
    N8 -->|T1562.004 (defense-evasion)| N9
    N9 -->|T1070.002 (defense-evasion)| N10
    N10 -->|T1485 (impact)| N11

How this works

The same algorithm that ships in the Python backend (src/bluesentinel/), ported to TypeScript for the browser. Pipeline:

  1. Parse — RFC 3164 syslog format; extract host, process, user and source IP.
  2. Enrich — tag events with MITRE ATT&CK technique IDs using 11 regex-based rules.
  3. Sigma rules — 5 shipped detection rules (SSH brute force, sudo abuse, new account, log tampering, firewall disable).
  4. Attack graph — connect detections that share an entity (user, host, source IP, process name) and fall within 4 hours of each other; score each connected cluster by kill-chain progression (40%), severity (25%), entity consistency (20%) and time compactness (15%).
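The four stages above, as an added example in the same language as the browser demo. This is not BlueSentinel's code: the regex rule set, the brute-force threshold and window, the KILL_CHAIN order and the formula behind each of the four component scores are my assumptions; only the 4-hour linking window and the 40/25/20/15 weights come from the page. The sample lines are constructed, modelled on the preset above with a second, unrelated host added so the entity linking has something to separate.

```typescript
// Added example, not BlueSentinel code: a compact re-implementation of the four-stage pipeline.
// Assumptions: the regex rules, the brute-force threshold/window, the KILL_CHAIN order and the
// component score formulas. Only the 4-hour window and the 40/25/20/15 weights come from the page.

type Tactic = "credential-access" | "initial-access" | "discovery" | "defense-evasion" | "impact";
type Severity = "info" | "low" | "medium" | "high" | "critical";
const KILL_CHAIN: Tactic[] = ["credential-access", "initial-access", "discovery", "defense-evasion", "impact"];
const SEVERITY: Record<Severity, number> = { info: 0.1, low: 0.25, medium: 0.5, high: 0.75, critical: 1 };

export interface Event { ts: number; host: string; proc: string; msg: string; user?: string; sourceIp?: string }
export interface Detection { event: Event; technique: string; tactic: Tactic; severity: Severity; rule: string }

// Stage 1: RFC 3164 "Mmm dd HH:MM:SS host tag[pid]: msg". The format carries no year; 2026 is assumed.
const SYSLOG = /^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$/;
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
export function parseLine(line: string): Event | null {
  const m = SYSLOG.exec(line);
  if (!m) return null;
  const mon = MONTHS.indexOf(m[1]);
  if (mon < 0) return null;
  const ts = Date.UTC(2026, mon, Number(m[2]), Number(m[3]), Number(m[4]), Number(m[5]));
  const user = /\bfor (\w+)/.exec(m[8])?.[1];                      // "Accepted password for root ..."
  const sourceIp = /\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b/.exec(m[8])?.[1];
  return { ts, host: m[6], proc: m[7], msg: m[8], user, sourceIp };
}

// Stage 2: regex enrichment. A hypothetical subset standing in for the 11 shipped rules.
const ATTACK_RULES: { re: RegExp; technique: string; tactic: Tactic; severity: Severity }[] = [
  { re: /Accepted (?:password|publickey) for/, technique: "T1078.003", tactic: "initial-access", severity: "medium" },
  { re: /\bcat \/etc\/passwd\b/, technique: "T1087", tactic: "discovery", severity: "low" },
  { re: /\biptables -F\b/, technique: "T1562.004", tactic: "defense-evasion", severity: "high" },
  { re: /\brm .*\/var\/log\//, technique: "T1070.002", tactic: "defense-evasion", severity: "critical" },
  { re: /\brm -rf /, technique: "T1485", tactic: "impact", severity: "critical" },
];
export function enrich(events: Event[]): Detection[] {
  const out: Detection[] = [];
  for (const event of events)
    for (const r of ATTACK_RULES)
      if (r.re.test(event.msg)) out.push({ event, technique: r.technique, tactic: r.tactic, severity: r.severity, rule: "ATT&CK regex" });
  return out;
}

// Stage 3: a Sigma-style count rule. threshold or more "Failed password" lines from one source IP
// inside windowMs flag every contributing line as T1110.001 (threshold and window are assumptions).
export function bruteForceRule(events: Event[], threshold = 3, windowMs = 60_000): Detection[] {
  const byIp = new Map<string, Event[]>();
  for (const e of events) {
    if (!e.sourceIp || !/Failed password/.test(e.msg)) continue;
    const list = byIp.get(e.sourceIp) ?? [];
    list.push(e);
    byIp.set(e.sourceIp, list);
  }
  const flagged = new Set<Event>();
  byIp.forEach((list) => {
    list.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i + threshold <= list.length; i++)
      if (list[i + threshold - 1].ts - list[i].ts <= windowMs) list.slice(i, i + threshold).forEach((e) => flagged.add(e));
  });
  return Array.from(flagged).map((event): Detection => ({ event, technique: "T1110.001", tactic: "credential-access", severity: "high", rule: "SSH brute-force" }));
}

// Stage 4: link detections that share an entity (host, source IP or user) within the window,
// then score each chain with the page's weights. Each component formula below is an assumption.
function shareEntity(a: Event, b: Event): boolean {
  return a.host === b.host || (!!a.sourceIp && a.sourceIp === b.sourceIp) || (!!a.user && a.user === b.user);
}
export function buildChains(dets: Detection[], windowMs = 4 * 3_600_000): Detection[][] {
  const chains: Detection[][] = [];
  for (const d of [...dets].sort((a, b) => a.event.ts - b.event.ts)) {
    const chain = chains.find((c) => {
      const last = c[c.length - 1].event;
      return d.event.ts - last.ts <= windowMs && shareEntity(last, d.event);
    });
    if (chain) chain.push(d); else chains.push([d]);
  }
  return chains;
}
export interface Score { killChain: number; severity: number; entity: number; time: number; overall: number }
export function scoreChain(chain: Detection[], windowMs = 4 * 3_600_000): Score {
  let forward = 0;                                   // progression: forward steps along KILL_CHAIN
  for (let i = 1; i < chain.length; i++)
    if (KILL_CHAIN.indexOf(chain[i].tactic) > KILL_CHAIN.indexOf(chain[i - 1].tactic)) forward++;
  const killChain = Math.min(1, forward / (KILL_CHAIN.length - 1));
  const severity = Math.max(...chain.map((d) => SEVERITY[d.severity]));          // worst event wins
  const hosts = chain.map((d) => d.event.host);                                  // share on the modal host
  const entity = Math.max(...hosts.map((h) => hosts.filter((x) => x === h).length)) / chain.length;
  const span = chain[chain.length - 1].event.ts - chain[0].event.ts;
  const time = Math.max(0, 1 - span / windowMs);                                 // 1.0 = instantaneous
  const overall = 0.4 * killChain + 0.25 * severity + 0.2 * entity + 0.15 * time;
  return { killChain, severity, entity, time, overall };
}

export function run(lines: string[]): { detections: Detection[]; chains: { detections: Detection[]; score: Score }[] } {
  const events = lines.map(parseLine).filter((e): e is Event => e !== null);
  const detections = [...enrich(events), ...bruteForceRule(events)];
  return { detections, chains: buildChains(detections).map((c) => ({ detections: c, score: scoreChain(c) })) };
}

// Constructed sample: the preset's shape on prod-01, plus an unrelated login and cron job on db-02.
export const SAMPLE = [
  "Apr 20 09:05:00 prod-01 sshd[4221]: Failed password for root from 203.0.113.5 port 44251 ssh2",
  "Apr 20 09:05:02 prod-01 sshd[4222]: Failed password for root from 203.0.113.5 port 44252 ssh2",
  "Apr 20 09:05:04 prod-01 sshd[4223]: Failed password for root from 203.0.113.5 port 44253 ssh2",
  "Apr 20 09:06:00 prod-01 sshd[4226]: Accepted password for root from 203.0.113.5 port 44256 ssh2",
  "Apr 20 09:07:00 prod-01 bash[5010]: cat /etc/passwd",
  "Apr 20 09:09:00 prod-01 root: iptables -F",
  "Apr 20 09:10:00 prod-01 root: rm /var/log/auth.log",
  "Apr 20 09:11:00 prod-01 root: rm -rf /data/warehouse/*",
  "Apr 20 09:30:00 db-02 sshd[7001]: Accepted publickey for deploy from 198.51.100.7 port 50123 ssh2",
  "Apr 20 09:31:00 db-02 CRON[7002]: (deploy) CMD (/usr/local/bin/backup.sh)",
];
for (const c of run(SAMPLE).chains)
  console.log(`${c.detections.length} events on ${c.detections[0].event.host}, tactics ${Array.from(new Set(c.detections.map((d) => d.tactic))).join(" → ")}, overall ${c.score.overall.toFixed(2)}`);
```

Two things worth noticing when you run it. The db-02 login lands in its own chain because it shares no host, source IP or user with the prod-01 events, even though it falls inside the 4-hour window; entity overlap, not time alone, is what links detections. And a lone detection gets zero progression credit but still collects the severity, entity and time terms, so a single medium event scores 0.475 under these assumed formulas; whatever formulas a real engine uses, the ordering of chains by overall score is only meaningful once the components are calibrated against single-event noise like this.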

GitHub repo → · The Python backend also ships additional detectors (Drain3 template mining, DeepLog LSTM, LogBERT transformer embeddings) and an evaluation against the LogHub datasets.