Helps to quickly spot interesting security-related activity in Windows Event Viewer files
evtx-hunter
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.
It processes large numbers of events quickly, which makes it suitable for investigations and for hunting across many collected event logs.
evtx-hunter is a Python tool that generates a web report of interesting activity observed in EVTX files. It ships with a few predefined rules to get you started, including rules that spot, for example:
- The first time a certain DNS domain is queried;
- The first time a certain process is launched;
- New service installations;
- User account lockouts;
- …
New rules can easily be added to cover your own use cases:
- rules/first_occurence.json: monitor the first time something happens that