EventHound is a fast Windows EVTX parser and analyzer for cybersecurity, compromise assessment, and incident response.
- CLI + optional web UI
- Exports JSONL/CSV/Parquet
- Profiles (Security/Sysmon/PowerShell/WMI/Defender)
- Windows VSS support
- Event maps (YAML) with remote sync
- Minimal DSL filter
- Detections: YAML rules, Sigma (basic), safelists, findings export/UI
```bash
python -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
```

- Basic parse to JSONL+CSV:

```bash
python main.py --input ./logs --output outputs/run --formats jsonl,csv --profile ir-default
```

- Only key IDs (e.g., the IDs highlighted by SANS), optionally qualified with a channel:

```bash
python main.py --input ./logs --output outputs/key --only-event-id 4624
python main.py --input ./logs --output outputs/key --only-event-id 1@Microsoft-Windows-Sysmon/Operational
```

- Time-bounded triage:

```bash
python main.py --input ./logs --output outputs/triage --since 2025-01-01T00:00:00Z --until 2025-01-31T23:59:59Z
```

- Minimal noise profile:

```bash
python main.py --input ./logs --output outputs/min --profile ir-minimal
```

- Forensic sweep (broad):

```bash
python main.py --input ./logs --output outputs/all --profile forensics-all
```

Add shadow copies (historic logs) with VSS:

```bash
python main.py --input C:\case\evtx --output outputs/vss --vss --vss-drives C:
```

Maps enrich and normalize event data.
- Local dir: `--maps-dir ./maps`
- Remote sync: `--maps-sync https://example.com/evtx-maps.yaml`
Filter events with the minimal DSL:

```bash
python main.py --input ./logs --output outputs/filtered \
  --dsl "channel==Security AND TargetUserName~=^admin"
```

Operators: `==` `!=` `contains` `!contains` `~=` `!~` `length_gt` `length_lt`.
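To make the filter semantics concrete, here is an added stand-alone evaluator for the DSL shape shown above (clauses joined by `AND`, each `field OP value`, with the eight operators listed). It is example code written for this README, not EventHound's own implementation; the sample events, the field names and the exact handling of missing fields are assumptions.

```python
# Added example, not EventHound's code: a minimal evaluator for the README's
# DSL ("field OP value" clauses joined by AND). Semantics of each operator and
# the treatment of missing fields (compared as "") are assumptions.
import re

OPERATORS = {
    "==":        lambda actual, expected: str(actual) == expected,
    "!=":        lambda actual, expected: str(actual) != expected,
    "contains":  lambda actual, expected: expected in str(actual),
    "!contains": lambda actual, expected: expected not in str(actual),
    "~=":        lambda actual, expected: re.search(expected, str(actual)) is not None,
    "!~":        lambda actual, expected: re.search(expected, str(actual)) is None,
    "length_gt": lambda actual, expected: len(str(actual)) > int(expected),
    "length_lt": lambda actual, expected: len(str(actual)) < int(expected),
}

# Longer operators are listed first so "!contains" is not read as "!" + "contains".
_CLAUSE = re.compile(
    r"^\s*(?P<field>[A-Za-z_][\w.]*)\s*"
    r"(?P<op>!contains|contains|length_gt|length_lt|==|!=|~=|!~)\s*"
    r"(?P<value>.+?)\s*$"
)

def parse_dsl(expr):
    """Split on AND and return a list of (field, op, value) tuples."""
    clauses = []
    for part in re.split(r"\s+AND\s+", expr.strip()):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"bad clause: {part!r}")
        clauses.append((m["field"], m["op"], m["value"]))
    return clauses

def matches(event, expr):
    """True when every clause holds for the event (a missing field is "")."""
    return all(OPERATORS[op](event.get(field, ""), value)
               for field, op, value in parse_dsl(expr))

def filter_events(events, expr):
    return [e for e in events if matches(e, expr)]

# Constructed sample records shaped like normalised Security/Sysmon events.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "TargetUserName": "admin_svc"},
    {"channel": "Security", "event_id": 4625, "TargetUserName": "jdoe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "CommandLine": "powershell.exe -enc " + "A" * 300},
]

if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, "channel==Security AND TargetUserName~=^admin"):
        print(e)
```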
- YAML rules: `--rules-dir ./rules`
- Sigma (basic): `--sigma-dir ./sigma`
- Safelists: `--safelists-dir ./safelists`
- Findings export: `--findings-output outputs/run`
Example end-to-end:

```bash
python main.py --input ./logs --output outputs/run \
  --rules-dir ./rules --sigma-dir ./sigma \
  --safelists-dir ./safelists --findings-output outputs/run \
  --formats jsonl,csv,parquet --profile ir-default
```

Outputs:

- Events: `outputs/run.jsonl`, `outputs/run.csv`, `outputs/run.parquet`
- Findings: `outputs/run.findings.jsonl`, `outputs/run.findings.csv`
Start the web UI with `--serve` (the SQLite database is auto-populated):

```bash
python main.py --input ./logs --output outputs/web --serve
```

- Events tab: search/filters (`q`, `channel`, `event_id`), sortable columns, pagination, event detail, charts (trend/top IDs/channels)
- Findings tab: filters (`rule_id`, `severity`, `channel`, `event_id`), search (`q` in description/tags), pagination
- Dark mode toggle and saved theme
- `ir-default`: balanced IR set
- `ir-minimal`: high-signal subset
- `forensics-all`: broad superset across many channels

Set the default via env: `WIN_EVTX_PROFILE=forensics-all` (overridden by `--profile`).
- Rules: `rules/basic.yaml` (long cmdline, base64 in cmd, suspicious PowerShell, failed logon)
- Safelists: `safelists/example.yaml` (usernames, commandlines, disable noisy rule)
- Sigma samples: `sigma/windows_powershell_suspicious.yml`, `sigma/windows_failed_logons.yml`
Build single-file binaries with PyInstaller (macOS/Linux/Windows):

```bash
bash scripts/build_macos.sh   # or scripts/build_linux.sh / scripts/build_windows.ps1
```

References:

- EvtxECmd & maps/VSS: SANS ISC, SANS EvtxECmd
- Microsoft Log Parser approach: SANS Blog
- DeepBlueCLI detections & safelists: DeepBlueCLI