Secure Python tool for SOC-style analysis of FICOBA access logs.
This project was developed in an educational cybersecurity context. The goal is to analyze FICOBA-style logs and detect suspicious behaviors after a possible credential compromise.
The tool detects:
- external or invalid IP addresses
- off-hours access
- MFA anomalies (MFA_FAIL, MFA_BYPASS)
- suspicious MFA_FAIL -> MFA_BYPASS pattern
- abnormal query volume per session
- data export activity
- burst activity in short time windows
- multiple IPs used by the same user
- concurrent sessions for the same user
Each log line is expected in the following pipe-separated format:
[TIMESTAMP] USER | ROLE | IP | APP | ACTION | RESOURCE | QUERY_COUNT | STATUS | MFA | SESSION_ID
Example:
2026-01-31T22:14:25Z | m.bernard | agent_interministeriel | 185.193.44.21 | API_FICOBA | SEARCH | PERSONNE | 500 | SUCCESS | - | SID100207
Run the analyzer on a log file:
python ficoba_analyzer.py -l access_ficoba.log
Generate a text report:
python ficoba_analyzer.py -l access_ficoba.log -o report.txt
Generate a JSON report:
python ficoba_analyzer.py -l access_ficoba.log -j -o report.json
This tool includes:
- input validation
- safe parsing of malformed lines
- exception handling
- no unexpected crash on invalid log entries
- explicit exit codes
- robust report generation
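The following script is an added example, not the project's own ficoba_analyzer.py. It parses lines in the format described above, skips malformed lines without raising (the "safe parsing" property listed under the tool's robustness features), and implements a subset of the listed detections: external or invalid IP addresses, off-hours access, MFA anomalies and the MFA_FAIL -> MFA_BYPASS sequence within a session, abnormal query volume per session, export activity, and multiple IPs per user. The business-hours window (08:00-18:59 UTC), the per-session query threshold (200), the finding names and the sample log lines are all assumptions constructed for the example and do not come from the project.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Field names after the timestamp, following the README's line layout.
FIELDS = ("user", "role", "ip", "app", "action", "resource",
          "query_count", "status", "mfa", "session_id")

BUSINESS_HOURS = range(8, 19)   # assumed 08:00-18:59 UTC; tune per organisation
QUERY_THRESHOLD = 200           # assumed per-session query volume threshold

# Constructed sample log (not captured from any real system); the last line is malformed.
SAMPLE_LOG = """\
2026-01-31T09:05:10Z | a.martin | agent_interministeriel | 10.20.30.41 | API_FICOBA | SEARCH | PERSONNE | 12 | SUCCESS | MFA_OK | SID100101
2026-01-31T10:00:00Z | j.dupont | agent_interministeriel | 999.1.1.1 | API_FICOBA | SEARCH | PERSONNE | 3 | SUCCESS | MFA_OK | SID100150
2026-01-31T22:14:25Z | m.bernard | agent_interministeriel | 185.193.44.21 | API_FICOBA | SEARCH | PERSONNE | 500 | SUCCESS | - | SID100207
2026-01-31T22:15:02Z | m.bernard | agent_interministeriel | 185.193.44.21 | API_FICOBA | LOGIN | - | 0 | FAILURE | MFA_FAIL | SID100207
2026-01-31T22:15:40Z | m.bernard | agent_interministeriel | 185.193.44.21 | API_FICOBA | LOGIN | - | 0 | SUCCESS | MFA_BYPASS | SID100207
2026-01-31T22:16:10Z | m.bernard | agent_interministeriel | 10.20.30.77 | API_FICOBA | EXPORT | COMPTE | 40 | SUCCESS | MFA_OK | SID100208
this line is garbage and must not crash the parser
"""


def parse_line(line: str):
    """Return a record dict for a well-formed line, or None for a malformed one (never raises)."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS) + 1:
        return None
    try:
        ts = datetime.strptime(parts[0].strip("[]"), "%Y-%m-%dT%H:%M:%SZ")
        rec = dict(zip(FIELDS, parts[1:]))
        rec["query_count"] = int(rec["query_count"])
    except ValueError:
        return None
    rec["ts"] = ts.replace(tzinfo=timezone.utc)
    return rec


def check_ip(ip: str):
    """Classify the IP field: invalid string, globally routable (external), or internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid_ip"
    return "external_ip" if addr.is_global else None


def analyze(text: str) -> dict:
    """Run the detections over raw log text; returns sorted findings and a malformed-line count."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1        # counted, reported, never fatal
        else:
            records.append(rec)

    findings = set()
    sessions = defaultdict(list)
    user_ips = defaultdict(set)
    for rec in records:
        sessions[rec["session_id"]].append(rec)
        user_ips[rec["user"]].add(rec["ip"])
        ip_flag = check_ip(rec["ip"])
        if ip_flag:
            findings.add((ip_flag, rec["user"], rec["ip"]))
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.add(("off_hours", rec["user"], rec["session_id"]))
        if rec["mfa"] in ("MFA_FAIL", "MFA_BYPASS"):
            findings.add(("mfa_anomaly", rec["user"], rec["mfa"]))
        if rec["action"] == "EXPORT":
            findings.add(("data_export", rec["user"], rec["session_id"]))

    for sid, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        user = recs[0]["user"]
        if sum(r["query_count"] for r in recs) > QUERY_THRESHOLD:
            findings.add(("high_query_volume", user, sid))
        # MFA_FAIL followed later in the same session by MFA_BYPASS.
        seen_fail = False
        for r in recs:
            if r["mfa"] == "MFA_FAIL":
                seen_fail = True
            elif r["mfa"] == "MFA_BYPASS" and seen_fail:
                findings.add(("mfa_fail_then_bypass", user, sid))
                break

    for user, ips in user_ips.items():
        if len(ips) > 1:
            findings.add(("multiple_ips", user, ",".join(sorted(ips))))

    return {"malformed_lines": malformed, "findings": sorted(findings)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"malformed lines skipped: {result['malformed_lines']}")
    for kind, user, detail in result["findings"]:
        print(f"{kind:22} {user:12} {detail}")
```

The script separates parsing from detection so that a bad line is dropped at the parser boundary and the detection code only ever sees typed records; per-record checks run in one pass, while session-level checks (volume, MFA sequence) and user-level checks (IP diversity) run after grouping.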
Developed by Adel Salah Eddine KHALFAOUI
Module: Secure Development (Développement sécurisé)
Cohort: 2025-CSC2
EFREI Paris - 2025/2026