// tool reference · Monitoring & Detection
Log Analyzer Free + Pro
Paste logs to detect brute-force, privilege escalation and malware indicators with MITRE mapping.
What it does
Paste raw logs and get correlated findings: brute force, privilege escalation, port scanning and malware indicators, each mapped to MITRE ATT&CK. This is the platform's most-used tool and the one with the strongest privacy guarantee — your logs are analysed and discarded.
When to use it
- An alert fired and you have the raw lines but not the story.
- You want ATT&CK technique IDs for an incident write-up.
- You are learning what an attack actually looks like in logs.
Inputs
Field names are the actual form parameters, verified against source.
| Field | Type | Required | Notes |
|---|---|---|---|
| logtext | textarea | required | Raw log lines. Any common format — auth.log, syslog, web access logs, Windows events. |
| kind | select | optional | Log type hint. Improves parsing when the format is ambiguous. |
What you get back
Findings with severity, evidence lines, MITRE technique ID, and remediation. Pro adds IOC enrichment on source IPs.
Worked example
Input
Jan 15 10:22:01 srv sshd[1234]: Failed password for root from 203.0.113.45 port 22 ssh2 Jan 15 10:22:03 srv sshd[1235]: Failed password for root from 203.0.113.45 port 22 ssh2 Jan 15 10:22:05 srv sshd[1236]: Failed password for admin from 203.0.113.45 port 22 ssh2 Jan 15 10:22:07 srv sshd[1237]: Failed password for admin from 203.0.113.45 port 22 ssh2 Jan 15 10:22:09 srv sshd[1238]: Accepted password for admin from 203.0.113.45 port 22 ssh2
Output (abridged)
HIGH Brute-force followed by SUCCESS — 203.0.113.45
T1110 Brute Force → T1078 Valid Accounts
4 failures then an accepted password for 'admin' within 8s.
This is a likely compromise, not a failed attempt.
→ Isolate the host. Rotate 'admin' credentials NOW.
→ Audit what the session did after 10:22:09.
→ Restrict SSH source, enforce keys, deploy fail2ban.
How it works
Deterministic correlation engine — pattern detection, thresholding, and IP/actor grouping. Severity scales with attempt count and source spread, so three failures do not read like three hundred.
Limits
Read live from the platform configuration.
| Free | — runs · — lines |
| Pro | — runs · — lines |
| Counted against | your account when signed in; a hashed IP otherwise |
Privacy
Your logs are NEVER persisted. Analysis is ephemeral: lines are parsed in memory, findings returned, and the input discarded. Nothing is written to the database or to disk.
Standards
MITRE ATT&CKNIST CSF (DE.AE)