Search Windows Event Logs (EVTX)

Searches through parsed Windows Event Log data using text queries, filters, and time ranges. Enables rapid investigation of specific events, patterns, and anomalies in EVTX analysis results.

Search Windows Event Logs (EVTX)

Searches through parsed Windows Event Log data using text queries, filters, and time ranges. Enables rapid investigation of specific events, patterns, and anomalies in EVTX analysis results.

API Endpoint

POST /analysis/winevtx/search

HTTP Headers

  • Content-Type: application/json
  • X-Cursed-Api-Token: API token for authentication
  • X-Cursed-Api-Enc-Key: Encryption key for authenticated users (required if using encrypted job results)

Request Method

POST

Parameters

Request Body (JSON):

ParameterTypeRequiredDescription
job_idUUIDYesJob ID from a completed EVTX parse operation
searchstringYesSearch query text to match against event data
filterarrayNoArray of filter criteria objects
pageintegerNoPage number for pagination (1-10, default: 1)
showintegerNoNumber of results per page (1-100, default: 10)
start_timeintegerNoStart timestamp filter (Unix milliseconds)
end_timeintegerNoEnd timestamp filter (Unix milliseconds)
browse_eventsbooleanYesWhether to browse raw event data or filter the complete job insights

Filter Criteria Schema

{
  "field": "string",
  "operator": "string",
  "value": "string"
}

Supported Filter Operators

OperatorDescription
equalsExact match
not_equalsNot equal to
containsContains substring
does_not_containDoes not contain substring
starts_withStarts with substring
ends_withEnds with substring

Request Body Schema

{
  "job_id": "string (UUID)",
  "search": "string",
  "filter": [
    {
      "field": "string",
      "operator": "string",
      "value": "string"
    }
  ],
  "page": 1,
  "show": 10,
  "start_time": 1705395000000,
  "end_time": 1705481400000,
  "browse_events": true
}

Response Format

If the browse_events flag is set to true you should expect the below Success Response format. If it's set to false a time-filtered and updated version of the WinEVTX job status response will be displayed. Please refer to the Job Status documentation for further reference on it.

Success Response (200 OK):

{
  "insights": [
    {
      "IndexTable": {
        "title": "Event Table",
        "data": [
            [
                [
                    "5379",
                    "233973",
                    "2024-12-12 14:17:13",
                    "Microsoft-Windows-Security-Auditing",
                    "WIN7EVAL",
                    "Credential Manager credentials were read."
                ],
                {
                    "ClientProcessId": "19288",
                    "CountOfCredentialsReturned": "1",
                    "ProcessCreationTime": "2024-12-12T10:42:42.007003Z",
                    "ReadOperation": "%%8100",
                    "ReturnCode": "0",
                    "SubjectDomainName": "WORKGROUP",
                    "SubjectUserName": "User",,
                    "TargetName": "MicrosoftAccount:[email protected]",
                    "Type": "0"
                }
            ],
        ],
        "columns": [
            "Event ID",
            "Record ID",
            "Timestamp",
            "Provider",
            "Computer",
            "Message",
            "Event Data"
        ],
        "category": "General"
      }
    }
  ]
}

Error Response (400 Bad Request):

{
  "error": "Job not found"
}

{
  "error": "Job not completed"
}

{
  "error": "Invalid time range"
}

Error Response (401 Unauthorized):

{
  "error": "Unauthorized"
}

Error Response (403 Forbidden):

{
  "error": "Encryption key required"
}

Error Codes

HTTP StatusDescription
200Success - Search results retrieved
400Bad Request - Invalid job ID or search parameters
401Unauthorized - Missing authentication
403Forbidden - Encryption key required for private job
404Not Found - Job not found
500Internal Server Error - Server processing error

Example cURL Commands

Basic Event Search

curl -X POST https://api.cursedtools.com/analysis/winevtx/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "d829053e-2d24-4f93-bfd0-14e36e160930",
    "search": "powershell",
    "page": 1,
    "show": 25,
    "browse_events": true
  }'

Search with Filters and Time Range

curl -X POST https://api.cursedtools.com/analysis/winevtx/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "d829053e-2d24-4f93-bfd0-14e36e160930",
    "search": "rundll",
    "filter": [
      {
        "field": "EventID",
        "operator": "equals",
        "value": "1"
      },
      {
        "field": "CommandLine",
        "operator": "contains",
        "value": "-EncodedCommand"
      }
    ],
    "start_time": 1705395000000,
    "end_time": 1705481400000,
    "page": 1,
    "show": 50,
    "browse_events": true
  }'

Search Capabilities

Text Search

  • Full-text search across all event fields
  • Case-insensitive matching
  • Partial string matching

Filterable Fields

Common fields available for filtering:

  • eventId - Windows Event ID
  • recordId - Record ID
  • timestamp - UTC String formatted timestamp
  • provider - ETW Log Provider name
  • computer - Computer name
  • details.{} - Event Data subfield search (e.g. details.ParentProcessId)

Time Range Filtering

  • Unix timestamp in milliseconds
  • Efficient querying of large time ranges

Browse Modes

Browse Events (true)

  • Searches raw event data
  • Detailed field-level search
  • Individual event records
  • Forensic-level detail

Browse Summary (false)

  • Searches processed summary data during a time window
  • Aggregated insights
  • High-level patterns
  • Slightly slower than browsing events due to analysis reconstruction

Response Structure

The response contains insights array with ProcessorResult objects:

cURL Example - Keyword search

# Search for specific IoCs
curl -X POST https://api.cursedtools.com/analysis/winevtx/search \
  -d '{
    "job_id": "job-uuid",
    "search": "malicious-domain.com",
    "browse_events": true
  }'

cURL Example - PowerShell obfuscation hunt

# Hunt for PowerShell attacks
curl -X POST https://api.cursedtools.com/analysis/winevtx/search \
  -d '{
    "job_id": "job-uuid",
    "search": "powershell",
    "filter": [
      {
        "field": "CommandLine",
        "operator": "contains",
        "value": "-EncodedCommand"
      }
    ],
    "browse_events": true
  }'

Performance Tips

Efficient Searching

  • Use specific search terms to reduce result sets
  • Apply filters to narrow down results
  • Use time ranges for focused analysis
  • Set appropriate page sizes for your needs

Large Dataset Handling

  • Start with summary searches (browse_events: false)
  • Use pagination for large result sets
  • Apply filters before text searching
  • Use time ranges to limit scope

Notes

  • Job must be completed before searching
  • Authentication is required for private jobs
  • Encryption key needed for encrypted job results
  • Search supports both raw events and summary data
  • Results are paginated for performance
  • Time ranges use Unix timestamps in milliseconds
  • Text search is case-insensitive and supports partial matches
  • Filters can be combined for precise queries
  • Browse mode affects search performance and detail level
  • Results contain structured data optimized for analysis tools
  • Multiple insight types may be returned in a single response

Parse Windows Event Logs (EVTX)

Parses Windows Event Log (.evtx) files and extracts structured forensic data for analysis. Optionally runs Sigma rules against the extracted events for threat detection.

Yara Data Analysis

Runs Yara-X rules against user-provided test data in real-time. Supports both custom rules and community rules for malware detection and file analysis rule validation.