so here's the situation i kept running into while studying for security+ and messing with sample log sets. i'd have a single evtx export or a json dump from some lab, and i wanted to know "is there anything bad in here" without standing up elastic or splunk or wazuh just to look at one file.

every time the answer was the same. spin up infra, ingest, write a query, wait. for one file. it's a lot.

so i wrote threatlens. it's a python cli that reads a log file (or a folder) and tells you what looks suspicious, mapped to mitre att&ck. no server, no agent, no internet. you point it at a file and it scans.

threatlens scan sample_data/sample_security_log.json

Enter fullscreen mode