Alert Triage Tool – Security Event Aggregation
This Python project simulates a junior security analyst workflow by processing security alerts, prioritizing them, and producing both a console summary and a CSV report. It is designed for testing, learning, and demonstrating basic incident triage skills.
A sample alerts CSV (sample_alerts.csv) is included for immediate testing and demonstration.
Features
Reads a CSV of security alerts with fields:
Timestamp
Alert type
Severity
Source IP
Destination IP
Description
Aggregates and counts alerts by severity and type
Identifies high-priority alerts (Critical and High)
Outputs:
Console summary for quick review
CSV report (alert_summary.csv) for documentation or follow-up
Sample Alerts CSV
The included sample_alerts.csv contains fake IP addresses and usernames:
IP addresses in documentation (RFC 5737) or private (RFC 1918) ranges, e.g. 203.0.113.x, 198.51.100.x, 10.x.x.x, so nothing in the file routes to a real host
Usernames such as FakeUser222, NotReal777, MadeUp1829
Mix of severities: Critical, High, Medium
Timestamps simulate real alert timing
This allows you to test the tool safely without using real data.
Installation
Clone the repository:
git clone https://github.com/cpljames269/alert-triage-tool.git
cd alert-triage-tool
Ensure Python 3 is installed
No external dependencies required (standard library only)
Usage
Place sample_alerts.csv in the same directory as alert_triage.py.
Run the script:
python alert_triage.py
Expected output:
Console summary of alerts by severity and type
High-priority alerts highlighted
Generated alert_summary.csv with aggregated metrics
Example Console Output
=== Alert Triage Summary ===

Alerts by Severity:
Critical: 2
High: 4
Medium: 4

Alerts by Type:
Failed Login: 4
Malware Detection: 2
Port Scan: 2
Unauthorized Access: 1
Phishing Email: 1

High-Priority Alerts (6):
2025-12-15 08:12:01 | Failed Login | 203.0.113.45 -> 10.0.0.12 | Failed SSH login attempt
...

Report written to alert_summary.csv
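The following is an added example of the triage pass described above (read the CSV, count by severity and type, pull out Critical/High alerts, write a report); it is not the repository's alert_triage.py, and the column names timestamp, alert_type, severity, source_ip, destination_ip, description are assumptions about the CSV header. Two details a working tool needs and the README does not spell out: severities are normalized (so "high " and "High" land in one bucket), and description fields are neutralized before they are written to the report, because alert descriptions often carry attacker-chosen text (a mail subject, a file name) and a cell beginning with =, +, -, @ is evaluated as a formula when alert_summary.csv is opened in Excel or LibreOffice.

```python
"""Added example of the triage steps this README describes. Not the repo's
alert_triage.py; the column names below are assumed, not taken from the project."""
import csv
import io
from collections import Counter

# Assumed header names; the real sample_alerts.csv may label its columns differently.
REQUIRED = ("timestamp", "alert_type", "severity", "source_ip", "destination_ip", "description")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
HIGH_PRIORITY = {"critical", "high"}

# Constructed sample input (RFC 5737 / RFC 1918 addresses, fake users); not the repo's file.
# Row 2 has a padded, lower-case severity; row 5 carries a spreadsheet formula in its description.
SAMPLE_CSV = """timestamp,alert_type,severity,source_ip,destination_ip,description
2025-12-15 08:12:01,Failed Login,High,203.0.113.45,10.0.0.12,Failed SSH login attempt for FakeUser222
2025-12-15 08:12:09,Failed Login,high ,203.0.113.45,10.0.0.12,Failed SSH login attempt for FakeUser222
2025-12-15 08:30:44,Port Scan,Medium,198.51.100.7,10.0.0.12,Sequential TCP connects to 22/80/443/3389
2025-12-15 09:02:13,Malware Detection,Critical,10.0.0.25,10.0.0.25,EICAR test string in Downloads
2025-12-15 09:15:00,Phishing Email,High,198.51.100.20,10.0.0.40,=HYPERLINK(203.0.113.9) seen in mail subject
"""


def parse_alerts(text):
    """Parse CSV text into row dicts; fail loudly if a required column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    rows = []
    for row in reader:
        # Normalize so "High", "high " and "HIGH" are counted in the same bucket.
        row["severity"] = row["severity"].strip().lower()
        rows.append(row)
    return rows


def summarize(alerts):
    """Count by severity and type; list Critical/High rows, most severe first, then by time."""
    by_severity = Counter(a["severity"] for a in alerts)
    by_type = Counter(a["alert_type"] for a in alerts)
    high = [a for a in alerts if a["severity"] in HIGH_PRIORITY]
    high.sort(key=lambda a: (SEVERITY_ORDER.get(a["severity"], 99), a["timestamp"]))
    return {"by_severity": by_severity, "by_type": by_type, "high_priority": high}


def neutralize(cell):
    """Defuse CSV/formula injection: a cell starting with = + - @ (or a tab/CR) is
    evaluated by Excel/LibreOffice on open. A leading apostrophe forces text."""
    if cell and cell[0] in "=+-@\t\r":
        return "'" + cell
    return cell


def write_summary(summary, out):
    """Write counts and high-priority alerts as CSV rows to a file-like object."""
    w = csv.writer(out)
    w.writerow(["record", "key", "count_or_timestamp", "alert_type",
                "source_ip", "destination_ip", "description"])
    for sev, n in sorted(summary["by_severity"].items(), key=lambda kv: SEVERITY_ORDER.get(kv[0], 99)):
        w.writerow(["severity_count", sev, n, "", "", "", ""])
    for typ, n in summary["by_type"].most_common():
        w.writerow(["type_count", typ, n, "", "", "", ""])
    for a in summary["high_priority"]:
        w.writerow(["high_priority", a["severity"], a["timestamp"], neutralize(a["alert_type"]),
                    a["source_ip"], a["destination_ip"], neutralize(a["description"])])
    return out


def format_console(summary):
    """Render the summary in the same shape as the README's example output."""
    lines = ["=== Alert Triage Summary ===", "", "Alerts by Severity:"]
    for sev, n in sorted(summary["by_severity"].items(), key=lambda kv: SEVERITY_ORDER.get(kv[0], 99)):
        lines.append(f"  {sev.title()}: {n}")
    lines += ["", "Alerts by Type:"]
    for typ, n in summary["by_type"].most_common():
        lines.append(f"  {typ}: {n}")
    high = summary["high_priority"]
    lines += ["", f"High-Priority Alerts ({len(high)}):"]
    for a in high:
        lines.append(f'  {a["timestamp"]} | {a["alert_type"]} | '
                     f'{a["source_ip"]} -> {a["destination_ip"]} | {a["description"]}')
    return "\n".join(lines)


def triage(text):
    """Full pass: parse, summarize, and render the CSV report as a string."""
    summary = summarize(parse_alerts(text))
    report = write_summary(summary, io.StringIO()).getvalue()
    return summary, report


if __name__ == "__main__":
    summary, report = triage(SAMPLE_CSV)
    print(format_console(summary))
    with open("alert_summary.csv", "w", newline="") as fh:
        fh.write(report)
    print("Report written to alert_summary.csv")
```

To run it against the real file, replace SAMPLE_CSV with the contents of sample_alerts.csv and adjust REQUIRED to that file's header names. The neutralize step is the one you should keep when adapting this: the report is the artifact that gets opened in a spreadsheet by someone other than the analyst who ran the script.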