Analyzing Windows Events

SpectX has launched support for analyzing Windows Events (.evtx files) to investigate incidents and find suspicious activity in Windows machines. Whether it is user activity, admin events, specific event IDs you’re looking for, SpectX allows you to instantly read, parse and query original .evtx files in their current location. SpectX runs on Windows, Linux as well as OSX,  so you don't necessarily need a Windows machine to analyze .evtx files, as long as you have access to the files.

Windows Event Log Location

To run fast queries on event logs, download and install SpectX. As Windows grants log access only for admins, you need to run SpectX in Windows as an administrator in order to process files in the local System32/winevt/Logs folder. If the logs are located elsewhere, you can run SpectX as a regular user. In short - either run SpectX as an administrator or copy the logs to a location accessible to a regular user.

To search and investigate your .evtx files on your local Windows machine, open Data Browser in SpectX and paste  file:/C:/Windows/System32/winevt/Logs to the path field. Navigate to another directory if your events are located elsewhere. You’ll see a list of available .evtx files:

Click on one of the files, for example, Security.evtx, and then on Prepare Query. Run the script to see the first 10 000 events. Delete the | limit command if you wish to query more data. 
Right-clicking on a resultset field > Add Code Snippet will give you query snippets for that particular data type. For example, right-click on an event ID to filter events based on their ID.  Or simply type this line at the end of the query:

| filter(EventID = [eventid])


Right-clicking on a timestamp will give you a list of time-scripts: 


Run the time-distribution query and then click on the Graph button to visualize the frequency of events.

Pointing SpectX to a Remote Machine

If your .evtx files are not in the same machine that runs SpectX:
a) Install SpectX Source Agent to the data source (it’s free) and create a new datastore in SpectX with the sa:// or sas:// protocol to access your remote .evtx files.  
b) Copy the .evtx files to the same machine that runs SpectX.

Sample Queries on Windows Security Logs

We’ve added a basic query pack for Windows Security events to our Github repository. To run these queries on our sample data or your own local Windows events, download .zip of the full query pack.  Next, open SpectX and right-click on the left resource tree > Upload to add the pack there.


Now that the query pack is there, open the windows_events folder and double-click on the _include.sx file. This is the base query specifying where your logs are and how to call the fields. All other queries point to this one. Take a closer look at lines 2, 4, and 5. By default, the query runs on SpectX sample data hosted in S3. To search your own logs instead:
1. Comment line 4
2. Uncomment line 5
3. Make sure the path on line 2 is correct. Change it if the .evtx files you'd like to analyze are in a different location.  
4. Save the _include.sx file for the changes to take effect


| evtx() in the free edition of SpectX

Processing .evtx files is a feature that remains available with the free personal license of SpectX until 1. July 2021. After that, we’ll continue with limited .evtx features in the free edition, leaving full functionality for Business and Enterprise licenses. 
Last but not least - join our Slack community if you get any questions analyzing Windows events.

Back to articles