Windows Event Log Analyzer wants to be the Swiss Army knife of Windows event logs. At the moment, WELA’s best feature is that it can make an easy-to-understand timeline of logins to help with fast forensics and incident reaction. WELA’s logon timeline generator will combine only the useful information from multiple logon log entries (4624, 4634, 4647, 4672, 4776) into a single event, reduce the amount of data by ignoring about 90% of the noise, and turn any hard to read data (like hex status codes) into a format that people can understand.
Tested on Windows PowerShell version 5.1, but it may also work with older versions. It won’t work with Powershell Core because it doesn’t have any built-in way to read Windows event logs.
Note: “The last time WELA will follow the SIGMA rule is in July 2021.Please use Hayabusa if you want to use the most up-to-date SIGMA rules for evtx detection.”
At the moment, please use a Windows Powershell 5.1. You will need local Administrator access for live analysis.
Analysis Source (Specify one):
-LiveAnalysis : Creates a timeline based on the live host's log
-LogFile <path-to-logfile> : Creates a timelime from an offline .evtx file
-LogDirectory <path-to-logfiles> (Warning: not fully implemented.) : Analyze offline .evtx files
-RemoteLiveAnalysis : Creates a timeline based on the remote host's log
Analysis Type (Specify one):
-AnalyzeNTLM_UsageBasic : Returns basic NTLM usage based on the NTLM Operational log
-AnalyzeNTLM_UsageDetailed : Returns detailed NTLM usage based on the NTLM Operational log
-SecurityEventID_Statistics : Output event ID statistics
-EasyToReadSecurityLogonTimeline : Output essy to read event ID statics
-SecurityLogonTimeline : Output a condensed timeline of user logons based on the Security log
-SecurityAuthenticationSummary : Output a summary of authentication events for each logon type based on the Security log
Analysis Options:
-StartTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the start of the timeline
-EndTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the end of the timeline
-LogonTimeline Analysis Options:
-IsDC : Specify if the logs are from a DC
Output Types (Default: Standard Output):
-SaveOutput <outputfile-path> : Output results to a text file
-OutputCSV : Outputs to CSV
-OutputGUI : Outputs to the Out-GridView GUI
General Output Options:
-USDateFormat : Output the dates in MM-DD-YYYY format (Default: YYYY-MM-DD)
-EuropeDateFormat : Output the dates in DD-MM-YYYY format (Default: YYYY-MM-DD)
-UTC : Output in UTC time (default is the local timezone)
-Japanese : Output in Japanese
-LogonTimeline Output Options:
-HideTimezone : Hides the timezone
-ShowLogonID : Show logon IDs
Other:
-ShowContributors : Show the contributors
-QuietLogo : Do not display the WELA logo./WELA.ps1 -LogFile .\Security.evtx -SecurityEventID_StatisticsCreate a timeline via offline analysis outputted to a GUI in UTC time:
.\WELA.ps1 -LogFile .\Security.evtx -SecurityLogonTimeline -OutputGUI -UTCAnalyze NTLM Operational logs for NTLM usage before disabling it:
.\WELA.ps1 -LogFile .\DC1-NTLM-Operational.evtx -AnalyzeNTLM_UsageBasicSecurity logon statistics on a live machine:
.\WELA.ps1 -LiveAnalysis -SecurityAuthenticationSummaryWe would love any form of contributing. Pull requests are the best but feature requests, notifying us of bugs, etc… are also very welcome.
When people ask how UDP works, the simplest answer is this: UDP sends data quickly…
Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity, designed to…
A large-scale malware campaign leveraging AI-assisted development techniques has been uncovered, revealing how attackers are…
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
People trying to securely connect to work are being tricked into doing the exact opposite.…
A newly disclosed Android vulnerability is making noise for a good reason. Researchers showed that…