ELAT (Event Log Analysis Tool) Logo

ELAT (Event Log Analysis Tool)

0
Free
Visit Website

I ripped off the idea for EventShot from the tool regshot (takes snapshots of the registry), and applied that same thought to the event logs. The EventShot script simply takes a snapshot of the event log(s) you select, then takes a second snapshot after you're done with your analysis, diffs the two files and parses the output. EventScan can either scan the live system event logs against the EventLogIndicators directory of yara sigs or you can place event log files in the SCAN dir and search it with your yara sigs. Both the tools and the yara sigs together create a way for the analyst to fully scope and detect malware via the windows event logs. I recommend using the windows executable code versions of EventScan and EventShot, which are found in both the EventScan dir and the EventShot dir. Both need to be run as admin. EventShot - root directory contains a file called whitelist.txt. Already has a few processes that I added from performing my own malware analysis. You can add noisy processes to this file using python regex (i.e. Windows\system32\svchost.exe or you could just specify svchost.exe). It then searches the data= line.

FEATURES

ALTERNATIVES

Search AWS CloudWatch logs on the command line with aws-sdk-for-go.

Free

Sysdig is a system visibility tool with native container support.

Free

An Event Hub to gather, process, and monitor system events and link them to an inventory.

Free

A tool that collects and displays user activity and system events on a Windows system.

Free

A toolset for collecting and processing netflow/ipfix and sflow data from netflow/sflow compatible devices.

Free

Security-Guard helps secure microservices and serverless containers by detecting and blocking exploits.

Free

A pure Python parser for Windows Event Log files with access to File and Chunk headers, record templates, and event entries.

Free

Browse a library of EQL analytics now natively integrated in Elasticsearch.

Free