Windows Event Log Analyzer
Module Overview
The Windows Event Log Analyzer module transforms raw EVTX files into actionable security insights through advanced parsing, correlation, and analysis capabilities. It also offers a more modern browsing, searching and filtering experience for EVTX events, since in most cases all we ever needed was something closer to "grep" than the Windows Event Viewer or any other tool that requires installing a 2GB .NET package that mostly supports software from 2005.
While traditional log analysis tools leave you struggling with massive datasets and cryptic event formats, this module provides a different experience: intelligent filtering, timeline reconstruction of notable events, process inference graphs and automated threat detection across the most common log sources featured in the numerous cheatsheets found across the Internet.
Whether you're investigating security incidents, hunting for threats, or conducting digital forensics, this module accelerates your analysis from hours to minutes by automatically identifying suspicious patterns, correlating related events, and presenting findings in an intuitive, investigation-ready format. It will NOT solve the full case for you, but it will give you a good head start and point you in the right direction so you can work through it faster.
Use Cases
Security Incident Response
- Rapid Incident Timeline: Automatically reconstructs a timeline of the most important events from multiple log sources based on a collection of best practice detections across the entire attack chain
- Understand Process Relationships: Review atomic process events as chains of activity through the inference graph reconstructed from the logs
- Compromise Assessment: Identify indicators of compromise, lateral movement, and data exfiltration patterns faster
- Attack Attribution: Correlate events across systems to understand attacker methods and persistence mechanisms
Threat Hunting and Detection
- Behavioral Analysis: Detect anomalous user and system behavior patterns more easily and faster
- Persistence Hunting: Identify various persistence mechanisms including registry modifications, scheduled tasks, and service installations
- Privilege Escalation Detection: Track privilege changes, token manipulation, and unauthorized administrative activities
- Lateral Movement Tracking: Correlate network logons, file access, and process execution across multiple systems
Usage Guidelines
File Upload and Processing
- Supported Formats: EVTX files from Windows Vista through Windows 11 and Server 2019-2022
- File Size Limits: Individual files up to 250MB may be uploaded; batches of up to 100 files, up to 1GB in total, can be submitted for analysis simultaneously
- Multi-File Correlation: Analyse multiple files, correlate their findings, and view and browse them together under a single pane of glass
Analysis Configuration
- Time Range Selection: Filter analysis to specific time periods for focused investigation
- Event Category Filtering: Focus on specific event types with predefined filters. Loose (free-text) search narrows the views and highlights noteworthy information
- Severity Prioritization: Automatically prioritize high-severity events and potential security indicators
Data Processing Best Practices
- Log Source Identification: Clearly identify the source system and collection method for proper context
- Time Zone Handling: All timestamps are shown in UTC
- Event Correlation: Enable cross-log correlation for comprehensive analysis across multiple systems
- Collaborative Features: Share analysis results and collaborate with team members in real-time
Advanced Features
- Process Graph Analysis: Visualize process-related event relationships and attack paths using the inferred network graph representations
- Timeline Analysis: Visualize key sequences of events that have been identified as most noteworthy
- API Access: Programmatic access for automated analysis and integration with custom tools
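As an added illustration of the idea behind the process inference graph (this is not the module's own code), the block below links Security 4688 process-creation records into parent/child chains and flags chains where an Office application ends up spawning a scripting shell. The event records, PIDs and timestamps are constructed and hypothetical.

```python
# Constructed sample records modelled on Security 4688 (process creation) fields;
# all PIDs, image names and timestamps are hypothetical. One 4624 logon event is
# mixed in to show that non-process events are skipped.
EVENTS = [
    {"EventID": 4688, "TimeCreated": "2024-01-01T10:00:00Z", "NewProcessId": "0x1a4",
     "ProcessId": "0x10", "NewProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "TimeCreated": "2024-01-01T10:01:00Z", "NewProcessId": "0x2b0",
     "ProcessId": "0x1a4", "NewProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventID": 4688, "TimeCreated": "2024-01-01T10:02:00Z", "NewProcessId": "0x3c8",
     "ProcessId": "0x2b0", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "TimeCreated": "2024-01-01T10:02:30Z", "NewProcessId": "0x4d0",
     "ProcessId": "0x3c8", "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4624, "TimeCreated": "2024-01-01T09:59:00Z"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_process_graph(events):
    """Map each created PID to its image name and to its creator PID.
    In 4688 records 'ProcessId' is the creator and 'NewProcessId' the new process.
    Caveat: Windows reuses PIDs, so a real implementation keys on (PID, creation time)."""
    nodes, parent_of = {}, {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("EventID") != 4688:
            continue
        nodes[ev["NewProcessId"]] = basename(ev["NewProcessName"])
        parent_of[ev["NewProcessId"]] = ev["ProcessId"]
    return nodes, parent_of

def ancestry(nodes, parent_of, pid):
    """Chain of image names from the earliest logged ancestor down to pid."""
    chain = [pid]
    while parent_of.get(chain[-1]) in nodes:
        chain.append(parent_of[chain[-1]])
    return [nodes[p] for p in reversed(chain)]

def notable_chains(events):
    """Flag chains where an Office application is an ancestor of a scripting shell."""
    nodes, parent_of = build_process_graph(events)
    findings = []
    for pid, name in nodes.items():
        chain = ancestry(nodes, parent_of, pid)
        if name in SHELLS and any(a in OFFICE for a in chain[:-1]):
            findings.append(" -> ".join(chain))
    return findings

if __name__ == "__main__":
    for line in notable_chains(EVENTS):
        print(line)
```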
Export and Integration (coming soon)
- Multiple Output Formats: Export results in JSON, CSV, XML, and PDF formats for various use cases
- SIEM Integration: Direct integration with popular SIEM platforms for automated event enrichment
Token Pricing Breakdown
Standard Analysis
- Basic EVTX Analysis: 4 tokens per 1000 records - Complete parsing and event extraction, analysis, timeline extraction and inference graph creation
- Enhanced Analysis: 10 tokens per 1000 records - Run over 4000 Sigma community rules directly on the event log and get a more refined perspective of what transpired
Why These Costs: EVTX analysis requires significant computational resources for parsing, correlation, and advanced analytics, especially when the Sigma community rules are also run. The token costs reflect the complexity of processing large datasets and of providing actionable intelligence that would otherwise require countless hours, or days, of manual analysis.
Performance Expectations
Processing Times
- Benchmark using a log at the Windows default maximum size (20 MB, ~63,000 events): up to 10 seconds with the Sigma community ruleset and under 5 seconds without
Benchmarks with other products
- Hayabusa
- Chainsaw
- Windows Event Viewer