ELAT (Event Log Analysis Tool) Logo

ELAT (Event Log Analysis Tool)

0
Free
Visit Website

I ripped off the idea for EventShot from the tool regshot (takes snapshots of the registry), and applied that same thought to the event logs. The EventShot script simply takes a snapshot of the event log(s) you select, then takes a second snapshot after you're done with your analysis, diffs the two files and parses the output. EventScan can either scan the live system event logs against the EventLogIndicators directory of yara sigs or you can place event log files in the SCAN dir and search it with your yara sigs. Both the tools and the yara sigs together create a way for the analyst to fully scope and detect malware via the windows event logs. I recommend using the windows executable code versions of EventScan and EventShot, which are found in both the EventScan dir and the EventShot dir. Both need to be run as admin. EventShot - root directory contains a file called whitelist.txt. Already has a few processes that I added from performing my own malware analysis. You can add noisy processes to this file using python regex (i.e. Windows\system32\svchost.exe or you could just specify svchost.exe). It then searches the data= line.

FEATURES

ALTERNATIVES

ElastAlert is a framework for alerting on anomalies in Elasticsearch data.

Free

A logging proxy tool created in response to the 'MongoDB Apocalypse', with Docker support.

Free

A tool for advanced HTTPD logfile security analysis and forensics, implementing various techniques to detect attacks against web applications.

Free

Elasticsearch is a versatile platform for centralized data storage, fast search, and scalable analytics.

Free

A method for log volume reduction without losing analytical capability.

Free

A security information and event management solution that collects, normalizes, and analyzes log data from across an organization's infrastructure to enhance threat detection and compliance reporting.

Commercial

HonnyPotter is a WordPress plugin that logs all failed login attempts, with a caution to use it at your own risk.

Free

Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for Linux, XML or JSONL/NDJSON Logs.

Free

PINNED