ELAT (Event Log Analysis Tool) Logo

ELAT (Event Log Analysis Tool)

0
Free
Visit Website

I ripped off the idea for EventShot from the tool regshot (takes snapshots of the registry), and applied that same thought to the event logs. The EventShot script simply takes a snapshot of the event log(s) you select, then takes a second snapshot after you're done with your analysis, diffs the two files and parses the output. EventScan can either scan the live system event logs against the EventLogIndicators directory of yara sigs or you can place event log files in the SCAN dir and search it with your yara sigs. Both the tools and the yara sigs together create a way for the analyst to fully scope and detect malware via the windows event logs. I recommend using the windows executable code versions of EventScan and EventShot, which are found in both the EventScan dir and the EventShot dir. Both need to be run as admin. EventShot - root directory contains a file called whitelist.txt. Already has a few processes that I added from performing my own malware analysis. You can add noisy processes to this file using python regex (i.e. Windows\system32\svchost.exe or you could just specify svchost.exe). It then searches the data= line.

FEATURES

ALTERNATIVES

Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for Linux, XML or JSONL/NDJSON Logs.

Free

GrokEVT is a tool for reading Windows event log files and converting them to a human-readable format.

Free

Open source security data lake for AWS with real-time log normalization and Detection-as-Code capabilities.

Free

Logdissect is a CLI utility and Python library for analyzing log files and other data.

Free

A tool collection for filtering and visualizing logon events, designed for experienced DFIR specialists in threat hunting and incident response.

Free

HoneyView is a tool for analyzing honeyd logfiles graphically and textually.

Free

A tool for advanced HTTPD logfile security analysis and forensics, implementing various techniques to detect attacks against web applications.

Free

An Event Hub to gather, process, and monitor system events and link them to an inventory.

Free