
© 2026 Open-Awesome. Curated for the developer elite.


Zircolite

License: NOASSERTION · Language: Python · Version: v3.7.6

A standalone Python tool for applying SIGMA detection rules to EVTX, Auditd, Sysmon for Linux, and other log formats.


What is Zircolite?

Zircolite is a standalone Python tool that applies SIGMA detection rules to various log formats, including Windows EVTX, Linux Auditd, and Sysmon for Linux logs. It enables security professionals to perform threat hunting and log analysis by converting SIGMA rules into queries that run against log data, identifying potential security incidents.

Target Audience

Security analysts, incident responders, threat hunters, and blue team members who need to analyze logs for malicious activity using the SIGMA rule standard.

Value Proposition

Developers choose Zircolite for its portability, native SIGMA support, and ability to handle multiple log formats without external dependencies. Its automatic log detection, field transformation capabilities, and rich output make it a versatile tool for on-the-fly or batch log analysis.

Overview

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Use Cases

Best For

  • Applying SIGMA rules to Windows EVTX logs for threat detection
  • Analyzing Linux Auditd or Sysmon for Linux logs with SIGMA rules
  • Performing ad-hoc log analysis on compressed or archived log files
  • Enriching log data with custom field transformations (e.g., decoding Base64 commands)
  • Exporting detection results to SIEM formats like Splunk or Elasticsearch
  • Conducting portable, offline security investigations without a full SIEM

Not Ideal For

  • Real-time security monitoring systems requiring continuous log ingestion and live alerting.
  • Environments where Python is not installed or heavily restricted, such as air-gapped networks without development tools.
  • Teams needing a fully graphical, web-based interface for collaborative, multi-user threat hunting.
  • Large-scale log analysis with petabytes of data that necessitates distributed processing frameworks like Spark or Elasticsearch clusters.

Pros & Cons

Pros

Automatic Format Detection

Uses magic bytes, content analysis, and regex fallback to identify log formats and timestamp fields automatically, minimizing manual configuration as described in the Key Features section.

Native Sigma Integration

Directly processes Sigma YAML rules with the pySigma backend, avoiding proprietary conversions and enabling the use of standard detection rules without extra steps, as highlighted under Native Sigma Support.

Advanced Field Transformations

Supports custom Python transforms like Base64 decoding and hex-to-ASCII conversion for enriching log data, allowing analysts to decode obfuscated commands or extract IOCs, detailed in the Field Transforms examples.

Flexible Export Options

Exports results to multiple formats including JSON, CSV, Splunk, and Elasticsearch using Jinja templates, providing seamless integration with various SIEMs and analysis tools.

Cons

Installation Complexity

On some systems like Mac or ARM, the evtx library requires Rust and Cargo to be installed, adding setup overhead beyond standard Python dependencies, as noted in the Requirements section.

Noisy Default Rulesets

The provided rulesets are acknowledged to be noisy and slow, forcing users to build and maintain custom rulesets for effective detection, which requires additional effort and expertise.

Offline Batch Processing

Primarily designed for batch analysis of log files, lacking built-in support for real-time log streaming or continuous monitoring, limiting use in dynamic environments.


Quick Stats

  • Stars: 827
  • Forks: 114
  • Contributors: 0
  • Open Issues: 0
  • Last commit: 1 month ago
  • Created: 2021

Tags

#sigma-rules, #security, #python3, #python, #log-analysis, #detection, #forensics, #incident-response, #evtx, #sysmon, #threat-detection

Built With

  • SQLite
  • Jinja2
  • Rich
  • Python
  • Docker
  • orjson


Related Projects

Sigma

Main Sigma Rule Repository

Stars: 10,681 · Forks: 2,672 · Last commit: 20 hours ago

Chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts

Stars: 3,578 · Forks: 298 · Last commit: 1 month ago

Hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

Stars: 3,235 · Forks: 278 · Last commit: 2 days ago

LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Stars: 3,192 · Forks: 489 · Last commit: 2 months ago