Zircolite vs Defense Evasion & Nobellium FoggyWeb

toolsmith #145: a standalone SIGMA-based detection tool for EVTX and JSON

I’m pleased to be back sharing outstanding tools for security practitioners with you after an extended time out to finish my Ph.D.
Here now, in our 145th installment of toolsmith, we discuss Zircolite, a standalone and fast SIGMA-based detection tool for EVTX or JSON, a fine tool brought to us courtesy of @waggabat. Zircolite’s GitHub repo tells you absolutely everything you need to know, and the documentation is more than adequate, so I’ll repeat only this:

  • Zircolite is a standalone tool written in Python 3 that lets you apply SIGMA rules to Windows event logs
  • Zircolite can be used directly on the investigated endpoint or in your favorite forensic/detection lab
  • Zircolite is fast and can parse large datasets in just seconds
  • Zircolite can handle EVTX files and JSON files as long as they are in JSONL/NDJSON format
  • Zircolite can be used directly in Python or you can use the binaries provided in releases
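Two of the points above matter in practice: JSON input only works as JSONL/NDJSON (one event object per line, which is not what many export utilities produce), and the detection step is a SIGMA rule evaluated field-by-field against each event. The script below is an added illustration of both, written for this column rather than taken from Zircolite's own code base: it reshapes a JSON-array export into NDJSON, skipping malformed lines, and evaluates a minimal Sigma-style `selection` block (equality plus the `|contains` modifier) against the events. The sample events, field names and the selection are constructed for the example and are not real telemetry or a rule from the SIGMA repository.

```python
"""Prepare a Windows event-log export for a SIGMA-based JSONL scanner.

Added example (not Zircolite's code): converts a JSON array into NDJSON,
the line-per-event form Zircolite requires, and shows what a Sigma
selection block does when run over those events.
"""
import json
from typing import Iterable


def to_ndjson(text: str) -> list[str]:
    """Normalise a JSON export into NDJSON lines.

    Accepts either a JSON array of event objects or text that is already
    NDJSON. Returns one compact JSON line per event. Non-object entries and
    unparseable lines are skipped so one bad record does not stall triage.
    """
    stripped = text.strip()
    if stripped.startswith("["):
        events = json.loads(stripped)
    else:
        events = []
        for line in stripped.splitlines():
            line = line.strip()
            if not line:
                continue
            try:
                events.append(json.loads(line))
            except json.JSONDecodeError:
                continue  # skip garbage lines rather than abort the run
    return [json.dumps(ev, separators=(",", ":")) for ev in events if isinstance(ev, dict)]


def field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one Sigma selection entry; supports plain equality and |contains."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(str(c).lower() in str(value).lower() for c in candidates)
    if modifier == "":
        return any(str(c).lower() == str(value).lower() for c in candidates)
    raise ValueError(f"unsupported modifier: {modifier}")


def select(events: Iterable[dict], selection: dict) -> list[dict]:
    """Return events where every selection entry matches (Sigma AND semantics)."""
    return [ev for ev in events if all(field_matches(ev, k, v) for k, v in selection.items())]


# Constructed sample: a JSON-array export of three events. Field names follow
# the Windows Security 4688/4624 layout; the values are made up for illustration.
SAMPLE_EXPORT = json.dumps([
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4624, "LogonType": 10},
])

# Constructed Sigma-style selection block (hypothetical, not a published rule).
SELECTION = {"EventID": 4688, "CommandLine|contains": ["whoami"]}


def run_demo() -> list[dict]:
    """Convert the sample export to NDJSON, parse it back, and apply the selection."""
    lines = to_ndjson(SAMPLE_EXPORT)
    events = [json.loads(line) for line in lines]
    return select(events, SELECTION)


if __name__ == "__main__":
    for hit in run_demo():
        print("HIT:", hit)
```

Writing the NDJSON lines out to a file is all that remains before handing the export to Zircolite; the selection logic here only models the rule format so the reader can see what "SIGMA rules on Windows event logs" means at the field level.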