Zircolite: fast SIGMA-based detection tool for EVTX or JSON Logs
Zircolite is a standalone tool written in Python 3 that allows you to use SIGMA rules on:
- MS Windows EVTX (EVTX, XML, and JSONL formats)
- Auditd logs
- Sysmon for Linux
- EVTXtract
- CSV and XML logs
- JSON Array logs
Key Features
- Fast Processing: Zircolite is relatively fast and can parse large datasets in just seconds.
- SIGMA Backend: It relies on a SIGMA backend (SQLite) rather than an internal SIGMA-to-something conversion of its own.
- Advanced Log Manipulation: It can manipulate input logs by splitting fields and applying transformations, allowing for more flexible and powerful log analysis.
- Flexible Export: Zircolite can export results to multiple formats using Jinja templates, including JSON, CSV, JSONL, Splunk, Elastic, Zinc, Timesketch, and more.
- Multiple Input Formats: Support for various log formats including EVTX, JSON Lines, JSON Arrays, CSV, XML, and more.
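To illustrate the approach behind the SQLite-based SIGMA backend and the flattened input handling listed above, here is an added example (not Zircolite's own code): constructed JSONL events are flattened into a SQLite table and a hypothetical SIGMA-style selection is run against them as a parameterized SQL query. The rule layout, sample events and function names are assumptions made for this illustration.

```python
import json
import sqlite3

# Constructed sample events in flattened JSONL form (Sysmon-like field names), not real telemetry.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami /all"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443},
])

# Hypothetical rule as a flat SIGMA-style selection ("field|modifier": value). Only the
# 'contains' and 'endswith' modifiers are handled here; real SIGMA and Zircolite support far more.
RULE = {"title": "whoami executed via cmd.exe",
        "selection": {"EventID": 1, "Image|endswith": "\\cmd.exe", "CommandLine|contains": "whoami"}}


def load_jsonl(conn, text):
    """Flatten JSONL events into one table: every distinct key becomes a TEXT column."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    columns = sorted({k for e in events for k in e})
    conn.execute("CREATE TABLE logs (%s)" % ", ".join('"%s" TEXT' % c for c in columns))
    rows = [tuple(str(e[c]) if c in e else None for c in columns) for e in events]
    conn.executemany("INSERT INTO logs VALUES (%s)" % ", ".join("?" * len(columns)), rows)
    return columns


def selection_to_sql(selection, columns):
    """Translate a selection into SQL; values are bound as parameters, never inlined."""
    clauses, params = [], []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if field not in columns:  # field absent from the data: the rule can never match
            return None, []
        column = '"%s"' % field.replace('"', '""')
        if modifier == "contains":  # SQLite LIKE is ASCII case-insensitive, as SIGMA matching is
            clauses.append(column + " LIKE ?"); params.append("%" + str(value) + "%")
        elif modifier == "endswith":
            clauses.append(column + " LIKE ?"); params.append("%" + str(value))
        elif modifier == "":
            clauses.append(column + " = ?"); params.append(str(value))
        else:
            raise ValueError("unsupported modifier: " + modifier)
    return "SELECT * FROM logs WHERE " + " AND ".join(clauses), params


def run_rule(jsonl_text, rule):
    """Load events into an in-memory SQLite DB, run the rule as a query, return matches as dicts."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    sql, params = selection_to_sql(rule["selection"], load_jsonl(conn, jsonl_text))
    return [] if sql is None else [dict(row) for row in conn.execute(sql, params)]
```

Rule values containing `%` or `_` would act as LIKE wildcards in this toy translation; a real backend escapes them and maps SIGMA's own `*` and `?` wildcards instead.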