Windows OS CTI-LITE SIEM

This page performs CTI matching on exported Windows logs. It cannot read Windows Event Logs directly: export events (EVTX → XML) with wevtutil and import the XML, or import JSON.


1) Load logs

Supported: Windows Event Log XML (from wevtutil qe ... /f:xml) or a JSON array of events.
Tip: export XML with wevtutil
Example exports:
wevtutil qe Security /c:2000 /rd:true /f:xml > security.xml
wevtutil qe Microsoft-Windows-Sysmon/Operational /c:2000 /rd:true /f:xml > sysmon.xml

2) Load CTI feeds (offline lists)

Provide newline-separated values for each type (IPs, domains, URLs, hashes). These are matched exactly after normalization.
This page avoids CTI API calls to prevent key leakage and CORS issues. Add a local proxy later if needed.

3) Run extraction + CTI matching

Extract IOCs from event text, match against the loaded feeds, and generate findings.
Summary counters: Parsed events, Extracted IOCs, CTI matches, Unique matched IOCs.
Findings table columns: Severity, IOC, Type, Channel, Event ID, Time, Evidence (snippet).
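As an added example (not the page's own code), the three steps above carried through in Python: it parses the bare sequence of `<Event>` elements that `wevtutil qe ... /f:xml` writes (no enclosing root), joins each event's EventData fields into the text that is searched, extracts IOCs, normalizes them, matches exactly against newline-separated feed lists, and returns the four summary counters plus rows with the findings-table columns. The sample events, the feed lists, the severity policy and the normalization rules (trim, lower-case, refang `hxxp` and `[.]`) are constructed assumptions for this example; the page only says "matched exactly after normalization".

```python
"""Offline IOC extraction and CTI list matching over a wevtutil /f:xml export.
Added example, not the page's own code; sample data, severity policy and
normalization rules are assumptions."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample in the shape `wevtutil qe ... /f:xml` emits: one <Event>
# per record in the standard event namespace, with no enclosing root element.
# The hash is the well-known SHA-256 of the empty string, used only as sample data.
SAMPLE_XML = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2024-03-01T10:15:00.000Z"/><Channel>Security</Channel></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">203.0.113.7</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <TimeCreated SystemTime="2024-03-01T10:16:30.000Z"/><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="CommandLine">powershell.exe -Command Invoke-WebRequest http://bad.example.net/payload.ps1</Data>
  <Data Name="Hashes">SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</Data></EventData>
</Event>
"""

# Constructed newline-separated feeds, deliberately defanged / mixed-case to
# show that matching happens on the normalized form, not the raw text.
SAMPLE_FEEDS = {
    "ip": "203.0.113.7\n198.51.100.20\n",
    "domain": "bad[.]example[.]net\n",
    "url": "hxxp://bad.example.net/payload.ps1\n",
    "hash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\n",
}

PATTERNS = {  # dict order decides the order of findings within one event
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
SKIP_TLDS = {"exe", "dll", "ps1", "sys", "bat", "cmd", "log", "txt", "xml", "tmp"}
SEVERITY = {"hash": "High", "url": "High", "domain": "Medium", "ip": "Medium"}  # assumed policy


def parse_events(xml_text):
    """Parse wevtutil XML: either a bare <Event> sequence or an already wrapped document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:  # several top-level <Event> elements: give them a root
        root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.iter(NS + "Event"):
        system = ev.find(NS + "System")
        created = system.find(NS + "TimeCreated")
        fields = [f"{d.get('Name', '')}={d.text}" for d in ev.iter(NS + "Data") if d.text]
        events.append({
            "channel": system.findtext(NS + "Channel", default=""),
            "event_id": system.findtext(NS + "EventID", default=""),
            "time": created.get("SystemTime", "") if created is not None else "",
            "text": " ".join(fields),  # all EventData joined: the IOC search space
        })
    return events


def normalize(value, ioc_type):
    """Assumed normalization: trim, lower-case, refang hxxp / [.]; drop a trailing slash on URLs."""
    v = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    return v.rstrip("/") if ioc_type == "url" else v


def load_feeds(feed_texts):
    """{type: newline-separated values} -> {type: set of normalized values}."""
    return {t: {normalize(line, t) for line in text.splitlines() if line.strip()}
            for t, text in feed_texts.items()}


def extract_iocs(text):
    """Return (type, raw_value, offset) for every IOC-shaped token in the text."""
    found = []
    for ioc_type, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            raw = m.group(0)
            # file names such as powershell.exe look like domains; drop known extensions
            if ioc_type == "domain" and raw.rsplit(".", 1)[-1].lower() in SKIP_TLDS:
                continue
            found.append((ioc_type, raw, m.start()))
    return found


def match_events(events, feeds, context=40):
    """Exact match of normalized IOCs against the feeds; returns (findings, extracted IOC count)."""
    findings, extracted = [], 0
    for ev in events:
        iocs = extract_iocs(ev["text"])
        extracted += len(iocs)
        for ioc_type, raw, pos in iocs:
            norm = normalize(raw, ioc_type)
            if norm in feeds.get(ioc_type, set()):
                lo, hi = max(0, pos - context), pos + len(raw) + context
                findings.append({"severity": SEVERITY[ioc_type], "ioc": norm, "type": ioc_type,
                                 "channel": ev["channel"], "event_id": ev["event_id"],
                                 "time": ev["time"], "evidence": ev["text"][lo:hi]})
    return findings, extracted


def run(xml_text, feed_texts):
    """Steps 1-3: load logs, load feeds, extract + match. Returns (summary counters, findings)."""
    events = parse_events(xml_text)
    findings, extracted = match_events(events, load_feeds(feed_texts))
    summary = {"parsed_events": len(events), "extracted_iocs": extracted,
               "cti_matches": len(findings),
               "unique_matched_iocs": len({f["ioc"] for f in findings})}
    return summary, findings


if __name__ == "__main__":
    summary, findings = run(SAMPLE_XML, SAMPLE_FEEDS)
    print(summary)
    for f in findings:
        print(f["severity"], f["type"], f["ioc"], f["channel"], f["event_id"], f["time"], "|", f["evidence"])
```

To use it on a real export, read `security.xml` or `sysmon.xml` into `xml_text` and pass the contents of your four list files as `feed_texts`; the wrapping fallback exists because wevtutil writes the events back to back without a root element, which a strict XML parser rejects as "junk after document element".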