Parse Windows Event Logs (EVTX)
Parses Windows Event Log (.evtx) files and extracts structured forensic data for analysis. Optionally runs Sigma rules against the extracted events for threat detection.
API Endpoint
POST /analysis/winevtx/parse
HTTP Headers
- Content-Type: application/json
- X-Cursed-Api-Token: API token for authentication
- X-Cursed-Api-Enc-Key: Encryption key for authenticated users (required if using encrypted files)
Request Method
POST
Parameters
Request Body (JSON):
| Parameter | Type | Required | Description |
|---|---|---|---|
| file_ids | array | Yes | Array of file UUIDs to parse (maximum 100 files and 1 GB total size per request) |
| run_sigma_rules | boolean | Yes | Whether to run Sigma rules against the extracted events |
Request Body Schema
```json
{
  "file_ids": ["string (UUID)", "string (UUID)", ...],
  "run_sigma_rules": true
}
```
Response Format
Success Response (200 OK):
```json
{
  "id": "987e6543-e89b-12d3-a456-426614174000",
  "job_name": "Stellar Phoenix Parser",
  "message": "Job queued",
  "category": "winevtx"
}
```
Error Response (400 Bad Request), one of:
```json
{
  "error": "No file IDs provided"
}
```
```json
{
  "error": "Too many file IDs provided"
}
```
```json
{
  "error": "Max EVTX analysis size limit exceeded (1GB)"
}
```
```json
{
  "error": "Failed to download file"
}
```
Error Response (401 Unauthorized):
```json
{
  "error": "Unauthorized"
}
```
Error Codes
| HTTP Status | Description |
|---|---|
| 200 | Success - Analysis job queued |
| 400 | Bad Request - Invalid parameters or file limit exceeded |
| 401 | Unauthorized - Missing authentication for private files |
| 413 | Payload Too Large - Files exceed 1GB total size limit |
| 500 | Internal Server Error - Server processing error |
Example cURL Commands
Parse EVTX with Sigma Rules
```bash
curl -X POST https://api.cursedtools.com/analysis/winevtx/parse \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": [
      "94ba8675-7cfd-44a2-b85f-a3fa1bda69de",
      "a72a10f9-b8b3-4ba5-bd15-9418a37a3202"
    ],
    "run_sigma_rules": true
  }'
```
Parse EVTX without Sigma Rules
```bash
curl -X POST https://api.cursedtools.com/analysis/winevtx/parse \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": ["94ba8675-7cfd-44a2-b85f-a3fa1bda69de"],
    "run_sigma_rules": false
  }'
```
Example Response
```json
{
  "id": "d829053e-2d24-4f93-bfd0-14e36e160930",
  "job_name": "Arcane Wizard Parser",
  "message": "Job queued",
  "category": "winevtx"
}
```
Job Results
Once parsing is complete, the job will contain structured analysis results that can be retrieved using the Job Status API. Results may include:
Analysis Types
| Result Type | Description |
|---|---|
| Overview | Key general insights for the processed files, including Sigma rule matches when run_sigma_rules is enabled |
| Process Inference Graph | A heuristically extracted and optimised graph of process ID relationships within the event logs |
| Key Event Timeline | Chronological sequence of the most notable events observed in the submitted event logs |
| Process Analysis | Process creation, termination and execution insights, with detection of common anomalies |
| Network Analysis | Network event insights: domain, URL and IP address connections and lateral movement attempts |
| Authentication | Authentication, authorization, privileged account monitoring, remote access and other common traits as insights |
| Persistence | Insights about the most common types of persistence mechanisms used in the wild |
Sigma Rule Benefits
When run_sigma_rules is enabled:
- Automatic threat detection using community rules
- Malware behavior identification
- Suspicious activity highlighting
- IoA matching against known threats
- Attack technique mapping (MITRE ATT&CK)
Processing Notes
File Requirements
- Files must be valid Windows Event Log (.evtx) format
- Maximum 100 files per request
- Total size limit of 1GB across all files
- Files are processed asynchronously
Performance Considerations
- Large EVTX file batches may take several minutes to process
- Sigma rule analysis adds additional processing time
- Job priority determined by user subscription level
- Multiple files are processed in parallel when possible
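The limits above (100 files and 1 GB per request) are easiest to respect by batching on the client before submitting. The following Python helper is an added example, not the API's own client or documentation: it splits (file_id, size_bytes) pairs into batches that honour both limits, builds the request exactly as the endpoint expects, and submits each batch. It assumes the caller knows each uploaded file's size, treats 1 GB as 2^30 bytes, and the `opener` argument exists only so the network call can be stubbed.

```python
import json
import urllib.request

API_URL = "https://api.cursedtools.com/analysis/winevtx/parse"
MAX_FILES_PER_REQUEST = 100        # documented limit
MAX_TOTAL_BYTES = 1 * 1024 ** 3    # documented 1 GB limit (assumed here to mean 2**30 bytes)


def batch_file_ids(files):
    """Split (file_id, size_bytes) pairs into batches that respect both limits.

    A single file larger than the total limit is rejected up front, since the
    server would answer 400 "Max EVTX analysis size limit exceeded" anyway.
    """
    batches, current, current_bytes = [], [], 0
    for file_id, size in files:
        if size > MAX_TOTAL_BYTES:
            raise ValueError(f"{file_id} exceeds the 1GB per-request limit on its own")
        if current and (len(current) == MAX_FILES_PER_REQUEST
                        or current_bytes + size > MAX_TOTAL_BYTES):
            batches.append(current)          # close the batch before it overflows
            current, current_bytes = [], 0
        current.append(file_id)
        current_bytes += size
    if current:
        batches.append(current)
    return batches


def build_request(file_ids, api_token, enc_key=None, run_sigma_rules=True):
    """Return (headers, body_bytes) for one POST to the parse endpoint."""
    if not 0 < len(file_ids) <= MAX_FILES_PER_REQUEST:
        raise ValueError("file_ids must contain between 1 and 100 UUIDs")
    headers = {"Content-Type": "application/json", "X-Cursed-Api-Token": api_token}
    if enc_key:                                 # only needed for encrypted uploads
        headers["X-Cursed-Api-Enc-Key"] = enc_key
    body = json.dumps({"file_ids": list(file_ids),
                       "run_sigma_rules": bool(run_sigma_rules)}).encode()
    return headers, body


def submit_batch(file_ids, api_token, enc_key=None, run_sigma_rules=True,
                 opener=urllib.request.urlopen):
    """POST one batch and return the queued job id; raise on an error response."""
    headers, body = build_request(file_ids, api_token, enc_key, run_sigma_rules)
    req = urllib.request.Request(API_URL, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        job = json.loads(resp.read())
    if "error" in job:
        raise RuntimeError(job["error"])
    return job["id"]
```

Feed the job ids returned by `submit_batch` to the Job Status API to collect results once each batch finishes.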
Example Use Cases
cURL Example
```bash
# Parse security logs from a compromised system
curl -X POST https://api.cursedtools.com/analysis/winevtx/parse \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": ["security-log-uuid"],
    "run_sigma_rules": true
  }'
```
Notes
- Maximum of 100 files can be analyzed in a single request
- Total file size limit is 1GB across all files
- Job results can be retrieved using the job status endpoint
- Authentication is required for private/encrypted files
- Sigma rules are maintained and updated regularly
- Job names are auto-generated using creative memorable combinations
- Priority is determined by user subscription level
- Unauthenticated users can analyze public files only
- The analysis creates a background job that processes files asynchronously
- Results include searchable summary data for efficient querying