secops-gthub/Eventlog_Visualizer
GitHub: secops-gthub/Eventlog_Visualizer
A high-fidelity security analysis tool that reconstructs Windows event logs into a layered, EDR-style process tree, addressing the problem of correlating and visualizing logs from multiple sources.
Stars: 0 | Forks: 0
# Multi-Source EDR Visualizer (Sysmon, Defender and Security logs)

A high-fidelity security analysis tool that reconstructs Windows event logs into a layered, EDR-style process tree. This version adds an enhanced universal parsing engine, dedicated SHA256 extraction, and a performance-optimized HTML rendering engine.

## 🚀 Core Features
- Universal Property Mapping: parses each event's XML to extract the "named" properties (such as TargetUserName, IpAddress and CommandLine) from Security and Sysmon logs, fields that generic viewers often show as blank.
- SHA256 Hash Visibility (New): automatically isolates the SHA256 hash from Sysmon events. Long hashes are truncated in the view for readability; the full value is shown in a tooltip on hover.
- GUI Cell Copying (New): select any cell (hash, timestamp, ID) and press Ctrl+C to copy its value to the clipboard for threat-intelligence lookups.
- Performance-Optimized HTML Export: uses StringBuilder-based generation and background UI management so that very large investigation reports can be produced without freezing the application.
- Full Date Range Filtering: dedicated DatePickers filter the merged dataset, which matters when older forensic .evtx files have been imported manually.
- Multi-Source Ingestion:
  - Sysmon: process creation (ID 1), network connections (ID 3) and DNS queries (ID 22).
  - Windows Defender: malware detection and remediation history.
  - Windows Security: decoded logons (4624), process auditing (4688), group membership enumeration (4798) and credential reads (5379).
- Cumulative Loading: append multiple log files to a single session to follow lateral movement across different machines and timeframes.
- Persistent Investigation: filter logic is non-destructive. If a search yields no results, clearing the filters and clicking Apply restores the full original log set.
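The property mapping, SHA256 isolation and process-tree reconstruction described in the feature list, as an added PowerShell example. This is not code from the Eventlog_Visualizer project or its Sysmon_Visualizer.ps1 script; the function names are this example's own, and the GUIDs, PIDs, hashes, paths and log records are constructed samples. The same `ConvertTo-EventProperties` function accepts the XML that `EventLogRecord.ToXml()` returns, so it works unchanged on live `Get-WinEvent` output or on an imported .evtx file.

```powershell
# Added example, not code from the Eventlog_Visualizer project. It demonstrates
# the three techniques behind the feature list above: mapping "named" EventData
# properties out of an event's XML, isolating the SHA256 from Sysmon's Hashes
# field, and rebuilding a parent/child process tree from Sysmon Event ID 1
# records. Every record below is a constructed sample; GUIDs, PIDs, hashes and
# paths are made up for illustration.

function ConvertTo-EventProperties {
    # Parse one event's XML (what EventLogRecord.ToXml() returns) into a
    # PSCustomObject whose properties are the Data Name attributes, so fields
    # such as TargetUserName, IpAddress and CommandLine become addressable.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $sys = $xml.Event.System
    # EventID is a plain string unless the element carries a Qualifiers attribute.
    $idNode  = $sys.EventID
    $eventId = if ($idNode -is [System.Xml.XmlElement]) { [int]$idNode.InnerText } else { [int]$idNode }
    $props = [ordered]@{
        Provider    = $sys.Provider.Name
        EventId     = $eventId
        TimeCreated = $sys.TimeCreated.SystemTime
    }
    $i = 0
    if ($xml.Event.EventData) {
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) {
                $name = $d.GetAttribute('Name'); $value = $d.InnerText
            } else {
                $name = ''; $value = [string]$d      # text-only <Data> of a classic log
            }
            if (-not $name) { $name = "Data$i" }     # unnamed elements get a positional key
            $props[$name] = $value
            $i++
        }
    }
    return [pscustomobject]$props
}

function Get-Sha256FromHashes {
    # Sysmon writes "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."; keep only the SHA256.
    param([string]$Hashes)
    if ($Hashes -match '(?i)SHA256=([0-9A-F]{64})') { return $Matches[1].ToUpper() }
    return $null
}

function Get-ProcessTreeLines {
    # Depth-first walk over parsed Sysmon ID 1 records linked by
    # ParentProcessGuid -> ProcessGuid. A record whose parent was never logged
    # (for example it started before Sysmon did) becomes a root.
    param([object[]]$Events)
    $known = @{}
    foreach ($e in $Events) { $known[$e.ProcessGuid] = $true }
    $lines = [System.Collections.Generic.List[string]]::new()
    function Add-Branch($Node, [int]$Depth) {
        $sha   = Get-Sha256FromHashes $Node.Hashes
        $short = if ($sha) { $sha.Substring(0, 12) + '...' } else { '-' }   # truncated for display, like the GUI
        $lines.Add(('  ' * $Depth) + "$($Node.Image) [PID $($Node.ProcessId)] sha256=$short  $($Node.CommandLine)")
        $Events | Where-Object { $_.ParentProcessGuid -eq $Node.ProcessGuid } | Sort-Object UtcTime |
            ForEach-Object { Add-Branch $_ ($Depth + 1) }
    }
    $Events | Where-Object { -not $known.ContainsKey($_.ParentProcessGuid) } | Sort-Object UtcTime |
        ForEach-Object { Add-Branch $_ 0 }
    return $lines
}

function New-SampleSysmonProcessXml {
    # Constructed Sysmon Event ID 1 record carrying only the fields used here.
    param($Guid, $ProcId, $Image, $Cmd, $ParentGuid, $Time, $Sha256)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="UtcTime">$Time</Data><Data Name="ProcessGuid">$Guid</Data><Data Name="ProcessId">$ProcId</Data>
    <Data Name="Image">$Image</Data><Data Name="CommandLine">$Cmd</Data>
    <Data Name="Hashes">SHA1=$('A' * 40),MD5=$('B' * 32),SHA256=$Sha256,IMPHASH=$('C' * 32)</Data>
    <Data Name="ParentProcessGuid">$ParentGuid</Data>
  </EventData>
</Event>
"@
}

# Constructed sample chain: explorer.exe -> cmd.exe -> powershell.exe
$sha = '0123456789ABCDEF' * 4
$records = @(
    (New-SampleSysmonProcessXml '{A1B2C3D4-0001-0000-0000-000000000001}' 4120 'C:\Windows\explorer.exe' 'explorer.exe' '{A1B2C3D4-0000-0000-0000-000000000000}' '2024-05-01T10:00:00.000Z' $sha),
    (New-SampleSysmonProcessXml '{A1B2C3D4-0002-0000-0000-000000000002}' 5208 'C:\Windows\System32\cmd.exe' 'cmd.exe /c whoami' '{A1B2C3D4-0001-0000-0000-000000000001}' '2024-05-01T10:01:00.000Z' $sha),
    (New-SampleSysmonProcessXml '{A1B2C3D4-0003-0000-0000-000000000003}' 6044 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' 'powershell.exe -nop -w hidden' '{A1B2C3D4-0002-0000-0000-000000000002}' '2024-05-01T10:01:30.000Z' $sha)
)
# Constructed Security 4624 record: the fields a generic viewer shows as blank.
$logonXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T09:59:00.000Z"/></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.25</Data></EventData>
</Event>
'@

$parsed = $records | ForEach-Object { ConvertTo-EventProperties $_ }
Get-ProcessTreeLines $parsed
$logon = ConvertTo-EventProperties $logonXml
'{0}\{1} logon type {2} from {3}' -f $logon.TargetDomainName, $logon.TargetUserName, $logon.LogonType, $logon.IpAddress

# Live logs (Administrator is needed for the Security log) and imported .evtx
# files feed the same parser:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=(Get-Date).AddHours(-24)} |
#       ForEach-Object { ConvertTo-EventProperties $_.ToXml() }
#   Get-WinEvent -FilterHashtable @{Path='.\old-sysmon.evtx'; Id=1} | ForEach-Object { ConvertTo-EventProperties $_.ToXml() }
```

Two points worth noting when adapting this: the tree is keyed on ProcessGuid rather than PID, because PIDs are reused and a PID-based tree will wrongly attach children to an unrelated later process; and a process whose parent has no Event ID 1 of its own (started before Sysmon, or logged on another host) must still be shown as a root rather than dropped, which is the case the `$known` lookup handles.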
## 📋 System Requirements

- OS: Windows 10/11 or Windows Server 2016+.
- PowerShell: version 7.x (`pwsh`).
- Permissions: Administrator privileges are required to read the live local log streams; the Security log in particular is not readable by a standard user.

## 🛠️ How It Works

1. Source selection
   On launch, choose between pulling the last 24 hours of live logs from the local machine or going straight to the dashboard to import forensic files manually.
2. Dashboard
   - Add Logs: merge additional .evtx files into the current timeline.
   - Clear Logs: reset the current investigation and release the session's memory.
   - Universal filter: filter by user, Event ID, SHA256 hash, date range, or activity keyword.
   - Status bar: live feedback on the log count and processing state.
3. Reports
   - Open HTML: generate a temporary CSS-styled report and open it in the default browser.
   - Save HTML: export a standalone, portable report for the case file. The export engine is optimized so that large exports do not freeze the UI.

## 📥 Installation

1. Download Sysmon_Visualizer.ps1.
2. Open PowerShell 7 (pwsh) as Administrator.
3. Run the script: `.\Sysmon_Visualizer.ps1`. If the execution policy blocks unsigned scripts, start it with `pwsh -ExecutionPolicy Bypass -File .\Sysmon_Visualizer.ps1` instead.