Very rudimentary PoC to search Windows EVTX files like a SIEM.
First convert the EVTX dump to JSON
./evtx_dump -o json Security.evtx > JsonLog.txt
Pre-process it to strip the "Record N" header lines that evtx_dump emits before each record, leaving pure JSON
sed -E 's/Record [[:digit:]]+//g' JsonLog.txt > ProcJsonLog.txt
Start querying like a SIEM
./exfinder.sh 'EventID=4688 Command=powershell.exe | project Host, User, Command'
./exfinder.sh 'EventID=4688 Command= -ma lsass'
- project outputs columns in a fixed, hardcoded order, regardless of the order given in the query.
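An added Python reimplementation of the same pipeline (this is not the exfinder.sh script itself): it skips the "Record N" lines that the sed step removes, evaluates the filter and project parts of the query, and emits columns in a hardcoded order as described above. The JSON layout, the Host/User/Command field mapping (CommandLine is assumed for Command) and the sample records are all constructed assumptions.

```python
import json
import re
import sys

# Constructed sample in the shape evtx_dump -o json produces ("Record N" line
# before each object); the nested field names are assumed, not from the README.
SAMPLE = r"""Record 1
{"Event": {"System": {"EventID": 4688, "Computer": "WS01"},
  "EventData": {"SubjectUserName": "alice", "CommandLine": "cmd.exe /c whoami"}}}
Record 2
{"Event": {"System": {"EventID": 4688, "Computer": "WS02"},
  "EventData": {"SubjectUserName": "bob", "CommandLine": "powershell.exe -nop -w hidden"}}}
Record 3
{"Event": {"System": {"EventID": 4624, "Computer": "WS01"}, "EventData": {"TargetUserName": "alice"}}}
"""

# Query name -> path in the record. Dict order is the hardcoded project order.
FIELDS = {
    "Host": ("Event", "System", "Computer"),
    "User": ("Event", "EventData", "SubjectUserName"),
    "EventID": ("Event", "System", "EventID"),
    "Command": ("Event", "EventData", "CommandLine"),
}

def load_records(text):
    """Yield each JSON object from evtx_dump output, dropping 'Record N' lines
    (the same clean-up the README does with sed); objects are concatenated,
    not wrapped in an array, so raw_decode is used to walk them one by one."""
    text = re.sub(r"^Record \d+$", "", text, flags=re.M)
    dec, skip_ws, pos = json.JSONDecoder(), re.compile(r"\S"), 0
    while (m := skip_ws.search(text, pos)):
        obj, pos = dec.raw_decode(text, m.start())
        yield obj

def field(rec, name):
    """Resolve a query field to a string; missing fields become ''."""
    cur = rec
    for key in FIELDS[name]:
        cur = cur.get(key, {}) if isinstance(cur, dict) else {}
    if isinstance(cur, dict):  # some events wrap EventID as {"#text": ...}
        cur = cur.get("#text", "")
    return str(cur)

def run_query(text, query):
    """'Name=value ... | project A, B' -> list of rows (dicts in FIELDS order).
    EventID must match exactly; other fields are case-insensitive substrings,
    so 'Command= -ma lsass' matches any command line containing '-ma lsass'."""
    filt, _, proj = query.partition("|")
    conds = [(n, v.strip()) for n, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", filt.strip())]
    wanted = re.findall(r"\w+", proj.replace("project", "", 1)) if proj.strip() else list(FIELDS)
    cols = [f for f in FIELDS if f in wanted]  # hardcoded order, not query order
    rows = []
    for rec in load_records(text):
        if all(field(rec, n) == v if n == "EventID" else v.lower() in field(rec, n).lower()
               for n, v in conds):
            rows.append({c: field(rec, c) for c in cols})
    return rows

if __name__ == "__main__":  # usage: python exfinder.py 'EventID=4688 | project Host' < JsonLog.txt
    for row in run_query(sys.stdin.read(), sys.argv[1]):
        print(row)
```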