WELA (Windows Event Log Analyzer)

A service that analyzes and visualizes security data to investigate potential security issues.

WELA (Windows Event Log Analyzer) - Your Comprehensive Tool for Windows Event Logs

WELA (Windows Event Log Analyzer) is designed to be the Swiss Army knife for analyzing Windows event logs. Its primary feature is the creation of an easy-to-analyze logon timeline, which supports fast forensic investigations and incident response. The logon timeline generator consolidates the relevant fields from multiple logon-related event records (Event IDs 4624, 4634, 4647, 4672, and 4776) into single events. It reduces the data volume by filtering out approximately 90% of the noise, and it translates hard-to-read values, such as hexadecimal logon status codes, into human-readable descriptions. WELA has been tested on Windows PowerShell 5.1; it may also work with earlier versions.

PowerShell Core Is Not Supported

Unfortunately, WELA will NOT work with PowerShell Core, because PowerShell Core provides no built-in functionality for reading Windows event logs.

Features

Note on SIGMA rule support: WELA's SIGMA rule compliance was last updated in July 2021. To use the latest SIGMA rules for EVTX detection, please use Hayabusa instead.

- Written in PowerShell, making it easy to read and customize.
- Fast Forensics Logon Timeline Generator.
- Capable of detecting lateral movement, system usage, suspicious logons, vulnerable protocol usage, and more.
- Achieves over 90% noise reduction for logon events.
- Calculates logon elapsed time (the duration between a logon and its matching logoff).