Zircolite v2.9.7 releases: fast SIGMA-based detection tool for EVTX or JSON Logs
Zircolite is a standalone tool written in Python 3. It allows to use SIGMA rules on MS Windows EVTX (EVTX and JSON format)
- Zircolite can be used directly on the investigated endpoint (use releases) or in your forensic/detection lab
- Zircolite is fast and can parse large datasets in just seconds (check benchmarks)
- Zircolite can handle EVTX files and JSON files as long as they are in JSONL/NDJSON format
Zircolite is more a workflow than a real detection engine. To put it simply, it leverages the ability of the sigma converter to output rules in SQLite format. Zircolite simply applies SQLite-converted rules to EVTX stored in an in-memory SQLite DB.
Benchmarks (Updated 22nd May 2021)
On an Intel Core-i9 8c/16t – 64 GB RAM – with 765 sigma rules :
|EVTX : 34 GB – 16 files||–||9 Min|
|EVTX : 7.8 GB – 4 files||–||162 sec|
|EVTX : 1.7 GB – 1 file||99 sec||–|
|EVTX : 40 MB – 263 files||3 sec||1 sec|
|MORDOR Datasets – APT29 Day 1 (196 081 events)||62 sec||–|
|MORDOR Datasets – APT29 Day 2 (587 286 events)||4 min||–|
|MORDOR Datasets – APT3 Scenario 1 (101 904 events)||70 sec||–|
|MORDOR Datasets – APT3 Scenario 2 (121 659 events)||27 sec||–|
ℹ️ These results can be largely improved with fine-tuned rulesets and filtering.
- Updated EVTX_dump binaries (0.8) with MacOS Apple Silicon Support
- Added missing ‘informational’ rule level in the Mini-Gui
⚠️ Some AVs may not like the packaged binaries.
⚠️ The set of tests for windows binaries is far from exhaustive, please create an issue if you encounter difficulties.