SpectX has launched support for analyzing Windows Events (.evtx files) to investigate incidents and find suspicious activity on Windows machines. Whether you are looking for user activity, admin events or specific event IDs, SpectX lets you read, parse and query the original .evtx files in place. SpectX runs on Windows, Linux and OSX, so you don't necessarily need a Windows machine to analyze .evtx files, as long as you have access to the files.
To run fast queries on event logs, download and install SpectX. Because Windows grants access to the event log directory only to administrators, you need to run SpectX as an administrator in order to process files in the local System32/winevt/Logs folder. If the logs are located elsewhere, you can run SpectX as a regular user. In short: either run SpectX as an administrator or copy the logs to a location accessible to a regular user.
To search and investigate the .evtx files on your local Windows machine, open Data Browser in SpectX and paste file:/C:/Windows/System32/winevt/Logs into the path field. Navigate to another directory if your events are located elsewhere. You’ll see a list of the available .evtx files.
Click on one of the files, for example Security.evtx, and then on Prepare Query. Run the script to see the first 10 000 events. Delete the | limit command if you wish to query more data.
| filter(EventID = [eventid])
Run the time-distribution query and then click on the Graph button to visualize the frequency of events.
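The two operations above, filtering records by EventID and counting how many events fall into each time bucket, are what an analyst typically does first with a Security log. The following added example (Python, not SpectX query code and not part of the original post) shows the same two steps over Windows event records rendered as XML, the form in which Windows exposes an .evtx record. The event records are constructed sample data; the EventID values 4624, 4625 and 4672 are real Security log IDs, and the XML namespace is the one Windows uses, but the user names and timestamps are invented. The timestamp parser also handles the 7-digit fractional seconds that Windows writes, which Python's datetime cannot parse directly.

```python
"""Filter Windows events by EventID and bucket them by hour.

Added example, not SpectX code. The events below are constructed sample
records in the XML shape Windows uses when rendering an .evtx record.
"""
from collections import Counter
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, system_time, target_user):
    """Build one constructed Security-channel event record as XML text."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        "<System>"
        f"<EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{system_time}"/>'
        "<Channel>Security</Channel>"
        "</System>"
        "<EventData>"
        f'<Data Name="TargetUserName">{target_user}</Data>'
        "</EventData>"
        "</Event>"
    )


# Constructed sample data: 4624 = successful logon, 4625 = failed logon,
# 4672 = special privileges assigned to a new logon.
SAMPLE_EVENTS = [
    _event(4624, "2024-01-15T08:00:12.1234567Z", "alice"),
    _event(4625, "2024-01-15T08:05:01Z", "bob"),
    _event(4625, "2024-01-15T08:05:03Z", "bob"),
    _event(4625, "2024-01-15T08:05:05Z", "bob"),
    _event(4624, "2024-01-15T09:30:00Z", "alice"),
    _event(4672, "2024-01-15T09:30:01Z", "alice"),
    _event(4625, "2024-01-15T09:31:10Z", "carol"),
]


def parse_system_time(value):
    """Parse a Windows SystemTime string into an aware UTC datetime.

    Windows writes up to 7 fractional digits; datetime supports only 6,
    so the fraction is truncated to microseconds before parsing.
    """
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    """Turn one event XML record into a flat dict of the fields we query."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "TimeCreated": parse_system_time(
            system.find("e:TimeCreated", NS).get("SystemTime")
        ),
    }
    # EventData carries named <Data> elements; keep them under their names.
    for data in root.iterfind("e:EventData/e:Data", NS):
        record[data.get("Name")] = data.text
    return record


def parse_all(xml_records):
    return [parse_event(x) for x in xml_records]


def filter_by_event_id(events, event_id):
    """Equivalent of `| filter(EventID = <id>)` over parsed records."""
    return [e for e in events if e["EventID"] == event_id]


def time_distribution(events):
    """Count events per hour, keyed as 'YYYY-MM-DD HH:00' in UTC."""
    return Counter(e["TimeCreated"].strftime("%Y-%m-%d %H:00") for e in events)


if __name__ == "__main__":
    events = parse_all(SAMPLE_EVENTS)
    failed = filter_by_event_id(events, 4625)
    for bucket, count in sorted(time_distribution(failed).items()):
        print(f"{bucket}  failed logons: {count}")
```

Running the script prints one line per hour with the number of failed logons in that hour, the textual counterpart of the frequency graph described above; a burst of 4625 events for one account inside a single bucket is the pattern the time-distribution view is meant to surface.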
If your .evtx files are not on the same machine that runs SpectX, you have two options:
a) Install SpectX Source Agent on the machine holding the data (it’s free) and create a new datastore in SpectX using the sa:// or sas:// protocol to access the remote .evtx files.
b) Copy the .evtx files to the machine that runs SpectX.