Eventlog Compendium is the one-stop shop utility designed to simplify Windows security event log analysis, audit policy generation, and configuration building. It brings together multiple tools into a single interface — tailored for blue teamers, detection engineers, and IT administrators.
Get full control over Windows Advanced Audit Policies:

- Advanced Audit Policy Documentation: Browse detailed explanations for each audit category and sub-category.
- Advanced Audit Policy Generator: Generate custom-tailored audit policy recommendations based on system type, server roles, features, detection frameworks, complexity, log volume and MITRE ATT&CK mappings, or leverage one of the many built-in ones.
- Audit Policy to Event ID Mapping: Understand which event IDs are generated by which audit settings.
- MITRE ATT&CK to Event ID Mapping Explorer: Visualize how MITRE techniques and tactics map to Windows audit events.
Effortlessly build modular Sysmon configurations:

- Sysmon Configuration Builder: Pick specific event IDs and configuration snippets from sysmon-modular, preview and assemble your custom config.
A suite of helpers for interpreting and exploring Windows event logs:

- Event ID Lookup: Quickly search for details about any Windows event ID.
- ETW Providers Visualizer: Browse available ETW providers and their event fields per Windows version/build, leveraging the EVTX-ETW-Resources project.
- EVTX Baseline Search: Search expected/benign events based on data from Nextron's evtx-baseline.
- Event Field Decoder: Decode values like Logon Types, Access Masks, Privileges, SIDs, and more.
- Built-in SACL Explorer: View which objects have default audit settings on Windows systems.
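To make the Event Field Decoder idea concrete, here is an added example (not code from the Eventlog Compendium project) that decodes three of the field types listed above from raw event data: the LogonType of a 4624/4625 logon event, the AccessMask of a 4656/4663 object-access event, and the SID of the subject or target account. The value tables are the standard Windows definitions; the function names, the `decode_event_fields` helper and the two sample events are constructed for this example.

```python
import re

# LogonType values as carried by 4624/4625 events (standard Windows values).
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# AccessMask bits for file/directory objects plus standard and generic rights,
# as seen in 4656/4663 object-access events (standard Windows values).
ACCESS_MASK_BITS = {
    0x00000001: "ReadData/ListDirectory",
    0x00000002: "WriteData/AddFile",
    0x00000004: "AppendData/AddSubdirectory",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# A few well-known SIDs and domain/local RIDs (standard Windows values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
               518: "Schema Admins", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")


def decode_logon_type(value):
    """Map a LogonType (int, or the string the event carries) to its name."""
    try:
        code = int(value)
    except (TypeError, ValueError):
        return "Invalid"
    return LOGON_TYPES.get(code, f"Unknown({code})")


def decode_access_mask(value):
    """Expand an AccessMask (int or '0x...' string) into the rights it grants.
    Bits without a known name are reported rather than silently dropped."""
    if isinstance(value, str):
        mask = int(value, 16) if value.lower().startswith("0x") else int(value)
    else:
        mask = int(value)
    names, remaining = [], mask
    for bit, name in sorted(ACCESS_MASK_BITS.items()):
        if mask & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"Unknown(0x{remaining:X})")
    return names


def decode_sid(sid):
    """Resolve a SID to a well-known principal or a domain/local RID name."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if not SID_RE.match(sid):
        return "Invalid SID"
    if sid.startswith("S-1-5-21-"):  # machine or domain SID followed by a RID
        rid = int(sid.rsplit("-", 1)[1])
        return DOMAIN_RIDS.get(rid, f"Domain or local account (RID {rid})")
    return "Unknown SID"


def decode_event_fields(fields):
    """Return a copy of an EventData dict with the decodable fields expanded."""
    out = dict(fields)
    if "LogonType" in fields:
        out["LogonType"] = decode_logon_type(fields["LogonType"])
    if "AccessMask" in fields:
        out["AccessMask"] = decode_access_mask(fields["AccessMask"])
    for key in ("SubjectUserSid", "TargetUserSid"):
        if key in fields:
            out[key] = decode_sid(fields[key])
    return out


# Constructed sample events (not real log data): an RDP logon and a file read.
SAMPLE_4624 = {"EventID": 4624, "LogonType": "10",
               "TargetUserSid": "S-1-5-21-111-222-333-500"}
SAMPLE_4663 = {"EventID": 4663, "AccessMask": "0x120089",
               "SubjectUserSid": "S-1-5-18"}

if __name__ == "__main__":
    for event in (SAMPLE_4624, SAMPLE_4663):
        print(decode_event_fields(event))
```

The access-mask decoder keeps any unnamed bits as `Unknown(0x...)` so that an analyst reviewing an unusual mask never loses information; the SID decoder resolves the RID suffix only for the `S-1-5-21-` domain/machine prefix, which is where the privileged built-in RIDs such as 500 and 512 live.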
- Clone the repository:

```
git clone https://github.com/nasbench/eventlog_compendium.git
cd eventlog_compendium
```

- Install dependencies:

```
pip install -r requirements.txt
```

- Run the app:

```
streamlit run Eventlog_Compendium.py
```

Apache License. See the LICENSE file for details.