New CLI Tool ThreatLens Revolutionizes Log Triage After Event Viewer Failure

From 3677777, the free encyclopedia of technology

Breaking News: Security Researcher Releases ThreatLens for Rapid Log Analysis

A cybersecurity professional has developed a new command-line tool called ThreatLens after experiencing critical failures with Microsoft's Event Viewer when attempting to analyze a 400MB Windows event log file. The tool promises to streamline log triage without requiring complex infrastructure.

Source: dev.to

Last week, the researcher—who asked to remain anonymous—was investigating a home lab virtual machine they suspected had been heavily scanned. When loading the .evtx file into Event Viewer, the application took a staggering 90 seconds to open the log, then crashed immediately upon filtering for event ID 4624 (successful logon).

“Event Viewer couldn’t handle a moderately sized log file. Splunk is overkill for a single machine, and Wazuh requires infrastructure I didn’t want to set up. I needed something simple and fast,” the developer told our news team.

Background: The Log Analysis Gap

Traditional security information and event management (SIEM) solutions like Splunk or Wazuh are powerful but often too heavy for small-scale investigations: they require dedicated servers, agents, and extensive configuration. Meanwhile, pySigma, the library that converts Sigma detection rules into backend query languages, does not evaluate events itself; it still assumes a database or search engine to run the generated queries against.

“I didn’t have a backend. I wanted something that could read raw log files, apply Sigma rules directly, and give me alerts—no daemon, no message queue,” the developer explained. This gap led to the creation of ThreatLens.

ThreatLens Key Features

The tool is a Python-based CLI that scans a single log file or an entire directory. It outputs alerts mapped to the MITRE ATT&CK framework. The most common use case requires just one command:

threatlens scan logs/ --min-severity high

Three design priorities guided development:

  • Zero infrastructure: Runs on any laptop with Python and one dependency (PyYAML). No daemon, agent, or queue.
  • Multi-format support: Reads EVTX (Windows native), JSON/NDJSON (modern apps), Syslog (Linux), and CEF (network gear).
  • Sigma rule compatibility: Uses the community’s thousands of existing detection rules—no need to invent a new format.

Technical Hurdles Overcome

Initially, the researcher parsed the EVTX file with python-evtx, which worked well, and then reached for plyara to handle Sigma rules, only to discover that plyara parses YARA, not Sigma. After switching to pysigma, they found that it converts Sigma rules into backend query strings rather than matching events in memory. “I needed to match events against rules directly in Python, so I ended up writing my own Sigma loader—about 400 lines of code.”

The custom loader handles the common Sigma constructs: selection blocks, field modifiers (|contains, |startswith, |endswith, |re, |all), and compound conditions such as “selection and not filter” or “1 of selection*”. “Operator precedence was the hardest part. My first parser evaluated ‘a or b and c’ left-to-right and got wrong answers. I rewrote it three times to match Sigma’s reference behavior,” the developer noted.
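The precedence problem the developer describes is easy to get wrong and easy to test. The following Python is an added example written for this article, not code from ThreatLens: a minimal in-memory Sigma matcher covering the constructs listed above (selection maps, the |contains, |startswith, |endswith, |re and |all modifiers, and/or/not with Sigma's precedence where not binds tightest and or loosest, parentheses, and the “1 of x*” / “all of them” quantifiers). The rule, the event records and the field names are constructed for illustration, and it reads already-flattened event dicts rather than EVTX.

```python
import fnmatch
import re

# Constructed rule in Sigma's detection layout (not a rule from ThreatLens or SigmaHQ).
RULE = {
    "title": "Network logon from a non-RFC1918 address",
    "detection": {
        "selection": {"EventID": 4624, "LogonType": [3, 10]},
        "filter_internal": {"IpAddress|startswith": ["10.", "192.168.", "172.16."]},
        "filter_local": {"IpAddress": ["127.0.0.1", "::1"]},
        "condition": "selection and not 1 of filter*",
    },
}

# Constructed events shaped like flattened 4624/4625 EventData (not real log data).
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "IpAddress": "203.0.113.7"},  # external: fires
    {"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.0.5"},  # internal: filtered out
    {"EventID": 4624, "LogonType": 2, "IpAddress": "203.0.113.7"},  # interactive: not selected
    {"EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7"},  # failed logon: wrong ID
]

def _match_value(actual, pattern, modifiers):
    if actual is None:  # a field missing from the event never matches
        return False
    s, p = str(actual), str(pattern)
    if "re" in modifiers:  # |re is a raw, case-sensitive regular expression
        return re.search(p, s) is not None
    s, p = s.lower(), p.lower()  # other Sigma string comparisons are case-insensitive
    if "contains" in modifiers:
        return p in s
    if "startswith" in modifiers:
        return s.startswith(p)
    if "endswith" in modifiers:
        return s.endswith(p)
    return s == p  # exact match; Sigma's * and ? wildcards are left out here

def match_selection(selection, event):
    # A list of maps is OR-ed; inside one map every field must match (AND);
    # a list of values is OR-ed unless the |all modifier demands every value.
    if isinstance(selection, list):
        return any(match_selection(m, event) for m in selection)
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), v, modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True

class _Condition:
    # Recursive-descent evaluator with Sigma's precedence: not binds tightest, then and, then or.
    def __init__(self, detection, event):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", detection["condition"])
        self.detection, self.event = detection, event
        self.names = [k for k in detection if k != "condition"]

    def or_expr(self):  # lowest precedence, so 'a or b and c' reads as a or (b and c)
        return self._chain("or", self.and_expr)

    def and_expr(self):
        return self._chain("and", self.not_expr)

    def _chain(self, word, operand):
        result = operand()
        while self.tokens[:1] == [word]:
            self.tokens.pop(0)
            rhs = operand()  # evaluated unconditionally so its tokens are consumed
            result = (result or rhs) if word == "or" else (result and rhs)
        return result

    def not_expr(self):
        if self.tokens[:1] == ["not"]:
            self.tokens.pop(0)
            return not self.not_expr()
        return self.primary()

    def primary(self):
        tok = self.tokens.pop(0)  # IndexError on a truncated condition
        if tok == "(":
            result = self.or_expr()
            if self.tokens.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return result
        if self.tokens[:1] == ["of"]:  # quantifier: '1 of filter*', 'all of them'
            self.tokens.pop(0)
            pattern = self.tokens.pop(0)
            names = self.names if pattern == "them" else fnmatch.filter(self.names, pattern)
            hits = sum(match_selection(self.detection[n], self.event) for n in names)
            return hits == len(names) if tok == "all" else hits >= int(tok)
        return match_selection(self.detection[tok], self.event)  # KeyError on an unknown name

def rule_matches(rule, event):
    parser = _Condition(rule["detection"], event)
    result = parser.or_expr()
    if parser.tokens:  # leftover tokens mean an unbalanced ')' or a malformed condition
        raise ValueError(f"unexpected token {parser.tokens[0]!r}")
    return result
```

Because or_expr sits at the bottom of the descent and and_expr above it, “a or b and c” parses as a or (b and c) without any explicit precedence table; a left-to-right evaluator would compute (a or b) and c and, as the developer found, give the wrong verdict whenever c is false.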

Proudest Achievement: Lightweight Elasticsearch Integration

One standout feature is the ability to push alerts to Elasticsearch without the official Python client. The official client is 40MB installed and pulls in dozens of transitive dependencies. Instead, the researcher remembered that the Bulk API is simply newline-delimited JSON over HTTP. Using only Python’s standard library (json and urllib.request), they built a push function that works with real ES clusters. This keeps the install small and removes the client’s dependency tree from the supply-chain surface, though the tool itself now owns the HTTP and TLS handling that the client would otherwise have provided.

import json
import urllib.request


def push_alerts(alerts, url, index, api_key=None):
    # _bulk takes NDJSON: an action line followed by the document, one pair per alert.
    lines = []
    for a in alerts:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(a.to_dict()))
    body = ("\n".join(lines) + "\n").encode("utf-8")  # the trailing newline is required
    headers = {"Content-Type": "application/x-ndjson"}
    if api_key:
        headers["Authorization"] = f"ApiKey {api_key}"
    req = urllib.request.Request(
        f"{url.rstrip('/')}/_bulk",
        data=body,
        headers=headers,
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        result = json.loads(resp.read())
    # _bulk answers 200 even when individual documents were rejected, so check the items.
    if result.get("errors"):
        rejected = [item for item in result["items"] if "error" in item["index"]]
        raise RuntimeError(f"{len(rejected)} of {len(lines) // 2} alerts were rejected by Elasticsearch")
    return result

“Stdlib only—no extra baggage,” the developer emphasized.
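Two caveats a practitioner will want to build in: _bulk returns HTTP 200 even when some documents were rejected, so the per-item results have to be read, and a large alert list should go out as several requests rather than one huge body. The following Python is an added example for this article, not ThreatLens code; it keeps the stdlib-only approach and separates the NDJSON assembly from the transport so the logic can be exercised offline against a constructed stand-in for the cluster. The alert fields, the index name and the 5 MB chunk ceiling are assumptions.

```python
import json
from typing import Callable, Iterable, List, Tuple

# Assumed per-request ceiling; Elasticsearch's own guidance is a few MB per _bulk call.
MAX_BULK_BYTES = 5 * 1024 * 1024

# Constructed alerts in the shape ThreatLens might emit (field names are assumptions).
SAMPLE_ALERTS = [
    {"rule": "Network logon from a non-RFC1918 address", "severity": "high",
     "host": "lab-vm01", "technique": "T1078"},
    {"severity": "low", "host": "lab-vm01"},  # deliberately missing "rule": the stand-in below rejects it
    {"rule": "Burst of failed logons", "severity": "medium", "host": "lab-vm01", "technique": "T1110"},
]


def bulk_chunks(alerts: Iterable[dict], index: str, max_bytes: int = MAX_BULK_BYTES) -> Iterable[bytes]:
    """Yield NDJSON bodies for _bulk, an action line plus a document line per alert,
    never splitting a pair and never exceeding max_bytes unless a single pair already does."""
    buf, size = [], 0
    for alert in alerts:
        pair = json.dumps({"index": {"_index": index}}) + "\n" + json.dumps(alert) + "\n"
        if buf and size + len(pair) > max_bytes:
            yield "".join(buf).encode("utf-8")
            buf, size = [], 0
        buf.append(pair)
        size += len(pair)
    if buf:
        yield "".join(buf).encode("utf-8")


def failed_items(response: dict, offset: int = 0) -> List[dict]:
    """_bulk answers HTTP 200 even when individual documents were rejected; the
    per-document verdict is items[i].<action>.error and the top-level 'errors' flag is the hint."""
    if not response.get("errors"):
        return []
    failures = []
    for pos, item in enumerate(response.get("items", [])):
        action, verdict = next(iter(item.items()))  # e.g. ("index", {...})
        if "error" in verdict:
            failures.append({
                "position": offset + pos,  # index into the original alert list
                "status": verdict.get("status"),
                "type": verdict["error"].get("type"),
                "reason": verdict["error"].get("reason"),
            })
    return failures


def push_in_chunks(alerts: List[dict], index: str, send: Callable[[bytes], dict],
                   max_bytes: int = MAX_BULK_BYTES) -> Tuple[int, List[dict]]:
    """Send alerts through an injected transport (a urllib POST to /_bulk in real use)
    and return (documents indexed, per-document failures with their original positions)."""
    indexed, failures, offset = 0, [], 0
    for body in bulk_chunks(alerts, index, max_bytes):
        response = send(body)
        chunk_failures = failed_items(response, offset)
        items = len(response.get("items", []))
        indexed += items - len(chunk_failures)
        failures.extend(chunk_failures)
        offset += items
    return indexed, failures


def fake_es(body: bytes) -> dict:
    """Constructed stand-in for a cluster: indexes every document that has a 'rule' field
    and rejects the rest with a 400, mimicking the real response layout."""
    lines = body.decode("utf-8").splitlines()
    items = []
    for source in lines[1::2]:  # odd lines are documents, even lines are action metadata
        if "rule" in json.loads(source):
            items.append({"index": {"_index": "threatlens", "status": 201, "result": "created"}})
        else:
            items.append({"index": {"_index": "threatlens", "status": 400,
                                    "error": {"type": "mapper_parsing_exception", "reason": "missing rule"}}})
    return {"took": 1, "errors": any("error" in i["index"] for i in items), "items": items}


if __name__ == "__main__":
    indexed, failures = push_in_chunks(SAMPLE_ALERTS, "threatlens", fake_es)
    print(f"indexed {indexed}, rejected {len(failures)}: {failures}")
```

In production the send callable is the urllib POST from the snippet above; keeping it injectable is what makes the chunking and the error accounting testable without a cluster, and the returned positions let a caller retry or log exactly the alerts that were dropped instead of assuming the 200 meant success.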

Attack Chain Correlation

ThreatLens also supports attack chain correlation. A single alert such as a failed logon is rarely actionable on its own. But when several alerts on the same host form a sequence, such as a burst of failed logons followed by privilege escalation inside a short window, the tool can link them into a coherent attack narrative. This helps analysts prioritize real intrusions over isolated events.
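One way to implement such correlation, as an added example written for this article rather than ThreatLens's own algorithm: a per-host, time-windowed stage machine over an ordered chain of ATT&CK techniques. The chain definition, the window, the alert field names and the alert stream are constructed; the example generalises the two-stage case in the text to any number of stages with a minimum alert count per stage.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed chain definition: ordered (ATT&CK technique, minimum alert count) stages that
# must all occur on one host inside WINDOW. These stages are an example, not ThreatLens's.
CHAIN = [
    ("T1110", 5),  # Brute Force: a burst of failed logons
    ("T1078", 1),  # Valid Accounts: a successful logon after the burst
    ("T1548", 1),  # Abuse Elevation Control Mechanism: privilege escalation
]
WINDOW = timedelta(minutes=15)

BASE = datetime(2024, 5, 1, 10, 0, 0)  # constructed timestamp origin


def _alert(host, technique, minute, second=0, **fields):
    # Constructed alert record; field names are assumptions, not ThreatLens's schema.
    return {"host": host, "technique": technique,
            "ts": BASE + timedelta(minutes=minute, seconds=second), **fields}


# Constructed alert stream (not real data): lab-vm01 carries a full chain,
# lab-vm02 only two failures, lab-vm03 the same stages but spread past the window.
ALERTS = (
    [_alert("lab-vm01", "T1110", 0, s, rule="Failed logon", user="admin") for s in range(0, 60, 10)]
    + [_alert("lab-vm01", "T1078", 1, 30, rule="Successful logon", user="admin"),
       _alert("lab-vm01", "T1548", 3, 0, rule="Elevation control abuse", user="admin")]
    + [_alert("lab-vm02", "T1110", 0, s, rule="Failed logon", user="svc") for s in (0, 5)]
    + [_alert("lab-vm02", "T1548", 2, 0, rule="Elevation control abuse", user="svc")]
    + [_alert("lab-vm03", "T1110", 0, s, rule="Failed logon", user="root") for s in range(0, 50, 10)]
    + [_alert("lab-vm03", "T1078", 30, 0, rule="Successful logon", user="root"),
       _alert("lab-vm03", "T1548", 31, 0, rule="Elevation control abuse", user="root")]
)


def correlate(alerts, chain=CHAIN, window=WINDOW):
    """Link per-host alerts into chains: walk each host's alerts in time order, advance one
    stage once its technique has fired the required number of times, and restart whenever
    the window measured from the first alert of the current attempt expires."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    chains = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        stage, start, stage_hits, evidence = 0, None, [], []
        for alert in items:
            if start is not None and alert["ts"] - start > window:
                stage, start, stage_hits, evidence = 0, None, [], []  # attempt timed out
            technique, needed = chain[stage]
            if alert["technique"] != technique:
                continue  # not what the current stage is waiting for
            start = start or alert["ts"]
            stage_hits.append(alert)
            if len(stage_hits) < needed:
                continue
            evidence.extend(stage_hits)
            stage, stage_hits = stage + 1, []
            if stage == len(chain):
                chains.append({"host": host, "start": evidence[0]["ts"], "end": alert["ts"],
                               "techniques": [t for t, _ in chain], "alerts": evidence})
                stage, start, stage_hits, evidence = 0, None, [], []
    return chains


def narrative(chain):
    """One-line analyst summary of a correlated chain."""
    span = f"{chain['start']:%H:%M:%S} to {chain['end']:%H:%M:%S}"
    return f"{chain['host']}: {' -> '.join(chain['techniques'])} ({len(chain['alerts'])} alerts, {span})"


if __name__ == "__main__":
    for c in correlate(ALERTS):
        print(narrative(c))
```

Grouping by host before scanning is what keeps unrelated noise from stitching itself into a chain; a stricter version would key on host and account together, and a looser one would allow stages to arrive out of order within the window.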

What This Means

The release of ThreatLens fills a critical gap for incident responders and threat hunters who need a lightweight, portable log analysis tool. It democratizes log triage: no longer does a security analyst require a full SIEM stack to investigate a single machine. The tool’s reliance on Sigma rules means it benefits from a vast library of community-maintained detection logic.

Industry experts see this as a sign of the growing trend toward minimalist security tooling. “Too often we over-engineer solutions. This CLI approach—using stdlib for Elasticsearch, home-grown Sigma parsing—shows that clever engineering can replace 40MB of dependencies,” said a cybersecurity analyst familiar with the project. “It’s a model for supply-chain conscious security.”

The tool is open source and available for download. The developer plans to add more output formats and improve correlation algorithms in future releases.
