Skip the SIEM: BlueTriage Delivers Instant Incident Reports from Raw Logs
BlueTriage has appeared on GitHub—a lightweight tool designed for rapid analysis of Windows logs. It ingests security events in JSON format, normalizes them into a unified schema, runs them through a set of simple rules, and produces both an alert file and an HTML report for initial incident triage.
In essence, BlueTriage aims to address a familiar pain point in incident response: the moment when logs have already been exported, yet still need to be quickly rendered intelligible and screened for “red flags” without resorting to heavyweight SIEM pipelines or lengthy configuration. In its current MVP form, the author has implemented a clear workflow—ingest → normalization → detection → export—allowing an entire event set to be processed with a single command and reviewed in a readable format.
Out of the box, the tool includes several rules covering common Windows Security Log scenarios: failed logon attempts (4625), user account creation (4720), additions to privileged groups (4728/4732), and scheduled task creation (4698). Each rule is tagged with a severity level and mapped to MITRE ATT&CK techniques—such as T1110 for password spraying and T1053.005 for scheduled task abuse—making it easier to align alerts with established attack models.
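To make the ingest → normalize → detect workflow concrete, here is an added example (my own code, not BlueTriage's) that runs the same four event-ID rules over a constructed JSON sample and also sorts alerts High to Low, which the article lists as a planned feature. The unified-schema field names, the spray threshold and the T1136.001/T1098 mappings are my assumptions; only T1110 and T1053.005 come from the article.

```python
import json
from collections import defaultdict

# Constructed sample (not real telemetry), shaped like a JSON export of the Windows Security log.
RAW_EVENTS = json.loads("""[
 {"EventID": 4625, "TimeCreated": "2024-05-01T08:00:01Z", "Computer": "WS01", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
 {"EventID": 4625, "TimeCreated": "2024-05-01T08:00:02Z", "Computer": "WS01", "TargetUserName": "bob", "IpAddress": "10.0.0.5"},
 {"EventID": 4625, "TimeCreated": "2024-05-01T08:00:03Z", "Computer": "WS01", "TargetUserName": "carol", "IpAddress": "10.0.0.5"},
 {"EventID": 4720, "TimeCreated": "2024-05-01T08:05:00Z", "Computer": "DC01", "TargetUserName": "svc_tmp", "SubjectUserName": "alice"},
 {"EventID": 4732, "TimeCreated": "2024-05-01T08:06:00Z", "Computer": "DC01", "MemberName": "svc_tmp", "TargetUserName": "Administrators", "SubjectUserName": "alice"},
 {"EventID": 4698, "TimeCreated": "2024-05-01T08:07:00Z", "Computer": "WS01", "TaskName": "Updater", "SubjectUserName": "svc_tmp"},
 {"EventID": 4624, "TimeCreated": "2024-05-01T08:08:00Z", "Computer": "WS01", "TargetUserName": "alice", "IpAddress": "10.0.0.9"}
]""")

def normalize(ev):
    """Map raw export fields onto a unified schema (the key names here are my own choice)."""
    return {"ts": ev.get("TimeCreated"), "host": ev.get("Computer"), "event_id": int(ev.get("EventID", 0)),
            "subject": ev.get("SubjectUserName"), "target": ev.get("TargetUserName"),
            "src_ip": ev.get("IpAddress"), "member": ev.get("MemberName"), "task": ev.get("TaskName")}

# Per-event rules: event_id -> (title, severity, ATT&CK technique). T1136.001 and T1098 are
# assumed mappings for this example; T1110 and T1053.005 are the ones the article names.
EVENT_RULES = {4720: ("User account created", "Medium", "T1136.001"),
               4728: ("Member added to global security group", "High", "T1098"),
               4732: ("Member added to local security group", "High", "T1098"),
               4698: ("Scheduled task created", "Medium", "T1053.005")}
SPRAY_THRESHOLD = 3  # distinct accounts with failed logons from one source IP (assumed value)

def detect(raw_events, threshold=SPRAY_THRESHOLD):
    """Ingest -> normalize -> apply rules -> alert list sorted High to Low."""
    events = [normalize(e) for e in raw_events]
    alerts = []
    for e in events:
        if e["event_id"] in EVENT_RULES:
            title, sev, tech = EVENT_RULES[e["event_id"]]
            alerts.append({"title": title, "severity": sev, "technique": tech, "host": e["host"],
                           "ts": e["ts"], "detail": e["member"] or e["task"] or e["target"]})
    # Aggregate rule: 4625 failures from one source IP spread across many accounts (spray pattern).
    targets_by_ip = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625 and e["src_ip"]:
            targets_by_ip[e["src_ip"]].add(e["target"])
    for ip, users in targets_by_ip.items():
        if len(users) >= threshold:
            alerts.append({"title": "Failed logons against multiple accounts", "severity": "High",
                           "technique": "T1110", "host": ip, "ts": None, "detail": sorted(users)})
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(alerts, key=lambda a: order[a["severity"]])
```

The returned list is what an alert file or HTML report would be rendered from; the successful logon (4624) matches no rule and produces nothing.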
At present, execution is tailored to Windows systems and a Python virtual environment. Setup involves cloning the repository, running a command to scan a JSON file containing events, and a separate command to generate the HTML report. According to the repository description, the project is written in Python, with Jinja used for report templating.
Looking ahead, the author plans to add support for EVTX files—allowing the tool to ingest native Windows event log exports directly—transition to YAML-based rules in a “Sigma-lite” style, introduce scoring and severity-based sorting (from High to Low), and generate Markdown reports suitable for ticketing systems.