Zircolite is a standalone tool written in Python 3. It allows to use SIGMA rules on MS Windows EVTX (EVTX and JSONL format), Auditd logs and Sysmon for Linux logs.
- Zircolite can be used directly on the investigated endpoint (use releases) or in your forensic/detection lab
- Zircolite is fast and can parse large datasets in just seconds (check benchmarks)
Zircolite can be used directly in Python or you can use the binaries provided in releases (Microsoft Windows and Linux only). Documentation is here. Zircolite
so.cl
Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer