Open-Source Cybersecurity Tools: SIEM & Log Management

This category lists 54 documented tools. Its intended scope is centralized event collection, correlation logic, detection tuning, and structured triage, but the upstream source lists also routed honeypots, packet-level HTTP loggers, Windows forensic artifact parsers, and an incident tracker here because each one produces or consumes logs. The entries below say which kind each tool is, so that a shortlist is not built on the category label alone. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Letter A

This letter section contains 3 tools.

Android SmartTVs Vulnerability Discovery via Log-Guided Fuzzing, 2021

  • Website: https://www.usenix.org/conference/usenixsecurity21/presentation/aafer
  • Model: Research paper (not software)
  • Category: SIEM & Log Management
  • Source Lists: Awesome Fuzzing

What it does: This entry is a USENIX Security 2021 paper (Aafer et al.), not a deployable tool. It describes fuzzing Android Smart TV software and using the device's runtime log output as feedback to steer the fuzzer toward inputs that reach vulnerable code. It provides no event collection, correlation, or triage capability; it landed in this category only because the source list entry (Awesome Fuzzing > Papers > USENIX Security) has "log" in its title.

Operational value: Background reading for firmware and IoT vulnerability researchers. For a SOC, the only transferable idea is that device logs are a usable feedback signal, which also applies to spotting crashes and input-validation failures on fleet-managed Android devices.

Typical deployment pattern: None; there is nothing to deploy. Check the USENIX page for released artifacts before assuming any tooling exists.

Selection considerations: Treat it as a reference, not a catalog candidate. Related source context: Awesome Fuzzing > Papers > USENIX Security.

AppCompatProcessor

  • Website: https://github.com/mbevilacqua/appcompatprocessor
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: AppCompatProcessor is an incident-response analysis tool for Windows program-execution artifacts, not an event collector. It loads AppCompatCache (ShimCache) and AmCache data collected from many hosts into a database and goes beyond classic stacking and grepping: fleet-wide regex searches, frequency stacking to surface rare binaries, and temporal correlation that finds sequences of executions recurring across hosts (a dropper followed by a credential dumper, for example). Source summary: "AppCompatProcessor has been designed to extract additional value from enterprise-wide AppCompat / AmCache data beyond the classic stacking and grepping techniques."

Operational value: ShimCache and AmCache retain evidence of a binary's presence or execution after the file is deleted, so the tool is most useful for scoping: once one host is confirmed compromised, the same paths, hashes, and execution sequences can be searched across every collected host.

Typical deployment pattern: Collect the AppCompatCache registry data and Amcache.hve from endpoints with your triage collector, ingest them, then run stacking and searches. It is a batch forensic workflow, not a streaming pipeline, and does not replace process-creation logging (Event ID 4688 with command line, or Sysmon Event ID 1) in the SIEM.

Selection considerations: Check the repository's recent activity before relying on it, and remember that ShimCache semantics vary by Windows version (on newer releases an entry shows the file was seen, not necessarily executed). Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

APT Hunter

  • Website: https://github.com/ahmedkhlief/APT-Hunter
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: APT-Hunter is a Python threat-hunting tool that parses Windows event logs (EVTX) offline and applies built-in detection logic for common attacker techniques across the Security, System, PowerShell, Sysmon and other channels, writing hits to spreadsheet/CSV reports and a timeline. Source summary: "APT-Hunter is Threat Hunting tool for windows event logs."

Operational value: Fast triage of a collected log set from a host that had no EDR or SIEM coverage; it turns raw EVTX into a list of suspicious events an analyst can pivot from.

Typical deployment pattern: Collect the EVTX files from the host (or export them from central storage), run APT-Hunter against the directory, review the report. Audit policy decides the outcome: without process creation (4688) with command-line logging, PowerShell script block logging, or Sysmon, most of its detections have nothing to match.

Selection considerations: Compare with Chainsaw and Hayabusa, which cover the same EVTX triage use case and add Sigma rule support; decide on rule coverage, speed on large log sets, and an output format your timeline tooling accepts. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

Letter B

This letter section contains 1 tool.

Bifrozt

  • Website: http://sourceforge.net/projects/bifrozt/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: Bifrozt is a honeypot gateway, not a SIEM; its logging role is capturing attacker SSH sessions. Source summary: "Bifrozt is a NAT device with a DHCP server that is usually deployed with one NIC connected directly to the Internet and one NIC connected to the internal network. What differentiates Bifrozt from other standard NAT devices is its ability to work as a transparent SSHv2 proxy between an attacker and your honeypot. If you deployed an SSH server on Bifrozt's internal network it would log all the interaction to a TTY file in plain text that could be viewed later and capture a copy of any files that were downloaded. You would not have to install any additional software, compile any kernel modules or use a specific version or type of operating system on the internal SSH server for this to work. It will limit outbound traffic to a set number of ports and will start to drop outbound packets on these ports when certain limits are exceeded."

Operational value: Because sessions are recorded at the gateway, the honeypot behind it stays a stock system with no honeypot-specific process or kernel module for the attacker to fingerprint. The TTY recordings and captured downloads are the artifacts worth forwarding to the SIEM.

Typical deployment pattern: Two NICs (Internet-facing and honeynet-facing), an unmodified SSH server on the inside, and the outbound rate limiting described above so a compromised honeypot cannot be turned against third parties. Ship the TTY logs and captured files off the gateway promptly, since the gateway itself sits in the attacker's path.

Selection considerations: The SourceForge project is old; confirm it builds on a current distribution and that its outbound throttling still meets your containment requirements before exposing it. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

Letter C

This letter section contains 2 tools.

Chainsaw

  • Website: https://github.com/countercept/chainsaw
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: Chainsaw is a Rust command-line tool (now maintained under WithSecure Labs; the countercept URL redirects there) for hunting through Windows event logs and other forensic artifacts. It runs Sigma rules and its own built-in rules against EVTX files, prints matches as tables, JSON or CSV, and also supports plain keyword, regex and field searches. Source summary: "Chainsaw provides a powerful 'first-response' capability to quickly identify threats within Windows event logs."

Operational value: First-response triage over a collected set of EVTX files with no infrastructure to stand up; hits carry the Sigma rule title, so they translate directly into SIEM detections afterwards.

Typical deployment pattern: Keep a pinned Chainsaw binary, a Sigma rule set and the matching field-mapping file in the triage kit; run it against exported logs and retain the JSON output as evidence. As with every EVTX hunter, coverage is bounded by the host's audit policy and log retention.

Selection considerations: Sigma support is the main advantage over tools with only built-in logic; check how actively the rule mappings are maintained and how it performs on multi-gigabyte log sets. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

CitrixHoneypot

  • Website: https://github.com/MalwareTech/CitrixHoneypot
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Honeypots

What it does: CitrixHoneypot is a small Python honeypot by MalwareTech that imitates a Citrix ADC/Gateway so that scanning and exploitation attempts for CVE-2019-19781 (the directory traversal in Citrix ADC and Gateway) can be logged. Source summary: "Detect and log CVE-2019-19781 scan and exploitation attempts."

Operational value: A single-purpose honeypot yields high-confidence signal: nothing legitimate talks to it, so every request is worth a blocklist entry or an early-warning alert, with near-zero false positives.

Typical deployment pattern: Expose it on an address that serves nothing real, forward its log to the SIEM, and alert on every hit. Never co-host it with a production Citrix appliance.

Selection considerations: Single-CVE honeypots age quickly; once scanning for the vulnerability tails off, the project is historical rather than operational. Related source context: Contents > Honeypots.
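The request classification such a honeypot performs, written out as an added example (not CitrixHoneypot's own code). The path strings are the publicly documented indicators for CVE-2019-19781: scanners fetched a configuration file through the traversal, and exploitation posted to a Perl script behind it. The point a practitioner wants is the normalisation step: decode twice and collapse "/./" before matching, or encoded variants slip through. The requests are constructed.

```python
"""Classify HTTP requests the way a CVE-2019-19781 honeypot has to.

Added illustration for this catalog entry, not CitrixHoneypot's code. Paths
are normalised (URL-decoded twice, "/./" collapsed) before matching so that
obfuscated variants are not missed. REQUESTS is constructed sample input.
"""
import json
from urllib.parse import unquote

TRAVERSAL = "/vpn/../vpns/"
EXPLOIT_SCRIPT = "/vpns/portal/scripts/newbm.pl"


def normalise(raw_path: str) -> str:
    path = raw_path.split("?", 1)[0]
    for _ in range(2):            # attackers double-encode to slip past naive filters
        path = unquote(path)
    while "/./" in path:
        path = path.replace("/./", "/")
    return path


def classify(method: str, raw_path: str) -> str:
    """Return 'exploit', 'scan' or 'benign' for one request line."""
    path = normalise(raw_path)
    if "/vpns/" not in path:      # the traversal always lands in /vpns/
        return "benign"
    if method.upper() == "POST" and path.endswith(EXPLOIT_SCRIPT):
        return "exploit"
    return "scan"


def log_record(src_ip: str, method: str, raw_path: str, ts: str) -> str:
    """One JSON line per request, ready to forward to a SIEM. The raw path
    is kept so the encoding the attacker used is preserved as evidence."""
    return json.dumps({"ts": ts, "src": src_ip, "method": method,
                       "path": raw_path, "verdict": classify(method, raw_path)},
                      sort_keys=True)


REQUESTS = [  # constructed
    ("203.0.113.7", "GET", "/vpn/../vpns/cfg/smb.conf"),
    ("203.0.113.7", "GET", "/vpn/%2e%2e/vpns/cfg/smb.conf"),
    ("203.0.113.7", "GET", "/vpn/%252e%252e/vpns/cfg/smb.conf"),
    ("203.0.113.7", "POST", "/vpn/../vpns/portal/scripts/newbm.pl"),
    ("198.51.100.4", "GET", "/vpn/index.html"),
]

if __name__ == "__main__":
    for src, method, path in REQUESTS:
        print(log_record(src, method, path, "2024-01-10T08:00:00Z"))
```

The same pattern (decode, canonicalise, then match) is what a WAF or SIEM rule for the vulnerability needs as well; matching the literal `/vpn/../vpns/` string in raw request logs misses the `%2e%2e` variants.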

Letter E

This letter section contains 2 tools.

Event Log Explorer

  • Website: https://eventlogxp.com/
  • Model: Proprietary (free for personal use)
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: Event Log Explorer (FSPro Labs) is a Windows desktop viewer for event logs (EVT/EVTX, local or remote) with filtering, searching and export. It is closed-source commercial software with a license that is free for personal use, so the "Open Source" label inherited from the source list is wrong. The source summary ("Tool developed to quickly analyze log files and other data") is generic; in practice it is an event-log viewer, not a general log analyzer or collector.

Operational value: A faster, more capable Event Viewer replacement for an analyst working through a handful of hosts; it does not centralize or correlate.

Typical deployment pattern: Installed on analyst workstations; logs are opened from collected files or over a remote connection to the host. Use it to inspect events that a rule-based hunter such as Chainsaw or Hayabusa has already flagged.

Selection considerations: Licensing rather than community health is the question: confirm the commercial terms before business use. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

Event Log Observer

  • Website: https://lizard-labs.com/event_log_observer.aspx
  • Model: Proprietary (closed source)
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: Event Log Observer (Lizard Labs) is a closed-source Windows GUI for viewing, filtering and monitoring Windows event logs; the "Open Source" label inherited from the source list is wrong. Source summary: "View, analyze and monitor events recorded in Microsoft Windows event logs with this GUI tool."

Operational value: Single-host inspection and ad hoc monitoring for an analyst; no centralization or correlation.

Typical deployment pattern: Analyst workstation install; open exported EVTX files or connect to a host. Pair it with a rule-based hunter to decide which events are worth opening.

Selection considerations: Check the vendor's current licensing and support terms. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

Letter F

This letter section contains 2 tools.

Fail2Ban

  • Website: http://www.fail2ban.org/wiki/index.php/Main_Page
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: Fail2Ban is a Python daemon that tails log files (sshd, web and mail servers, and anything with a jail definition), matches failure lines against per-service regular expressions, and when one address exceeds maxretry failures within findtime, bans it for bantime by invoking a firewall action (iptables, nftables, firewalld and others). Source summary: "Scans log files and takes action on IPs that show malicious behavior."

Operational value: Cheap, automatic rate limiting of brute-force attempts against exposed services, plus a local record of who was banned and when, which is worth forwarding to the SIEM.

Typical deployment pattern: Enable only the jails for services that are actually exposed, set ignoreip for your own ranges so an operator typo cannot lock out administration, and log ban actions centrally. It is a mitigation, not a control: key-only SSH removes the attack surface fail2ban is rate limiting.

Selection considerations: Mature and packaged everywhere; watch three things: slow-and-low attackers who stay under maxretry per findtime, shared or NAT source addresses where one ban hits many users, and filter regexes that attacker-controlled text in the log line can confuse. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.
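The jail decision, reduced to a pure function so the parameters can be checked against a sample before they touch a firewall. This is an added example, not fail2ban's code; the regex approximates fail2ban's sshd filter and the log lines are constructed. It also shows the slow-and-low caveat from the entry: the second attacker spaces failures fifteen minutes apart and is never banned with the default ten-minute findtime.

```python
"""Fail2Ban-style jail logic as a pure function over sshd log lines.

Added illustration for this catalog entry, not fail2ban's own code. Parameters
are in seconds, as in jail.conf. LOG_LINES is constructed sample input.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximation of fail2ban's sshd failregex for "Failed password" lines.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+ ssh2$")

# Constructed syslog-format sshd lines: a fast brute force from 203.0.113.7,
# one internal typo from 10.0.0.12, and a slow attacker from 198.51.100.4.
LOG_LINES = """\
Jan 10 08:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 08:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 10 08:00:05 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 08:00:06 bastion sshd[2207]: Failed password for alice from 10.0.0.12 port 40010 ssh2
Jan 10 08:00:09 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 10 08:00:11 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 10 08:20:00 bastion sshd[2300]: Failed password for bob from 198.51.100.4 port 60001 ssh2
Jan 10 08:35:00 bastion sshd[2302]: Failed password for bob from 198.51.100.4 port 60002 ssh2
Jan 10 08:50:00 bastion sshd[2304]: Failed password for bob from 198.51.100.4 port 60003 ssh2
Jan 10 09:05:00 bastion sshd[2306]: Failed password for bob from 198.51.100.4 port 60004 ssh2
Jan 10 09:20:00 bastion sshd[2308]: Failed password for bob from 198.51.100.4 port 60005 ssh2
""".splitlines()


def parse_failures(lines, year=2024):
    """Yield (timestamp, source ip) per failed-password line. Traditional
    syslog timestamps carry no year, so one is supplied (assumption)."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"]


def evaluate_jail(lines, maxretry=5, findtime=600, bantime=3600,
                  ignoreip=("10.0.0.0/8",)):
    """Return [(ip, ban_time)] in the order bans would be issued."""
    window_len = timedelta(seconds=findtime)
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)   # ip -> failure timestamps inside findtime
    banned_until = {}             # ip -> expiry of its current ban
    bans = []
    for ts, ip in parse_failures(lines):
        if any(ipaddress.ip_address(ip) in n for n in ignored):
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned; the firewall would drop it
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > window_len:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    print(evaluate_jail(LOG_LINES))                 # only the fast attacker
    print(evaluate_jail(LOG_LINES, findtime=7200))  # a 2 h window catches both
```

Raising findtime catches the slow attacker but also widens the blast radius for shared source addresses, which is why the ignoreip list and the ban log in the SIEM matter more than the thresholds themselves.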

FIR

  • Website: https://github.com/certsocietegenerale/FIR
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security, Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: FIR (Fast Incident Response) is a Django web application from CERT Société Générale for incident management: ticketing, categorization, timelines and reporting for CSIRTs, CERTs and SOCs. It manages incidents, not logs, so it sits beside a SIEM rather than replacing one. Source summary: "Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike."

Operational value: A consistent record of each incident's status, owner and actions, which is what makes response measurable and auditable when alerts and triage ownership are spread across teams.

Typical deployment pattern: Deploy behind SSO, wire alert sources (SIEM, mailbox) so incidents are created from alerts rather than by hand, and agree the taxonomy and severity scheme before go-live; the tool is only as consistent as the process feeding it.

Selection considerations: Compare with other IR case-management platforms on integration options and active maintenance; check the repository's release history. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > IR management consoles.

Letter H

This letter section contains 4 tools.

Hayabusa

  • Website: https://github.com/Yamato-Security/hayabusa
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Hayabusa (Yamato Security) is a Rust command-line tool that builds a fast forensic timeline from Windows EVTX logs and runs Sigma rules plus its own curated rules over them, scoring hits by level and writing CSV or JSON output that timeline viewers can load. Source summary: "Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan."

Operational value: Turns gigabytes of EVTX into a scored, rule-tagged timeline in minutes, which is the starting point for both hunting and incident scoping on Windows hosts.

Typical deployment pattern: Run it against a directory of collected EVTX files (or the live logs on a host), keep the rule set updated, and load the CSV into a timeline tool. Like Chainsaw and APT-Hunter it only finds what was logged: confirm audit policy and log sizes before concluding a host is clean.

Selection considerations: Actively maintained with frequent rule updates; evaluate against Chainsaw on rule coverage, speed and output format. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.
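What Chainsaw, Hayabusa and APT-Hunter have in common is rule evaluation over EVTX records, and the Sigma rules the first two consume are just field conditions over event data. The following added example (not code from any of the three projects) implements a small subset of Sigma matching over constructed Security events: field equality, the contains/startswith/endswith/re modifiers, list values, and the conditions "selection" and "selection and not filter". It is enough to see why a filter clause and case-insensitive matching matter for tuning.

```python
"""Minimal Sigma-style rule evaluation over Windows Security events.

Added illustration for this catalog entry; not code from Hayabusa, Chainsaw or
APT-Hunter, and only a subset of Sigma. EVENTS and RULES are constructed.
"""
import re

# Constructed events shaped like an EVTX-to-JSON export with EventData
# fields flattened; the field names are the ones Windows writes.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.5", "Computer": "FS01"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all", "Computer": "WS07"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "Computer": "WS07"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",
     "IpAddress": "203.0.113.9", "Computer": "RDP01"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Computer": "WS02"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.77", "Computer": "FS02"},
]

# Constructed rules in Sigma's shape (a real rule file also carries logsource
# and other metadata). The filter excludes a known backup server.
RULES = [
    {"title": "Encoded PowerShell command", "level": "high",
     "detection": {"selection": {"EventID": 4688,
                                 "CommandLine|contains": ["-enc ", "-encodedcommand "]},
                   "condition": "selection"}},
    {"title": "Recon via whoami", "level": "medium",
     "detection": {"selection": {"EventID": 4688,
                                 "NewProcessName|endswith": "\\cmd.exe",
                                 "CommandLine|re": r"whoami\s+/all"},
                   "condition": "selection"}},
    {"title": "Network logon by service account", "level": "low",
     "detection": {"selection": {"EventID": 4624, "LogonType": 3,
                                 "TargetUserName|startswith": "svc_"},
                   "filter": {"IpAddress": "10.0.0.5"},
                   "condition": "selection and not filter"}},
]


def _match_value(actual, expected, modifier):
    """Compare one event field with one rule value. Sigma string matching
    is case-insensitive except under the |re modifier."""
    if actual is None:
        return False
    a, e = str(actual), str(expected)
    if modifier == "re":
        return re.search(e, a) is not None
    a, e = a.lower(), e.lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection, event):
    """Every field in a selection must match; a list value matches if any
    element does (Sigma semantics)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifier or None)
                   for v in values):
            return False
    return True


def evaluate(rule, event):
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return match_selection(det["selection"], event)
    if cond == "selection and not filter":
        return (match_selection(det["selection"], event)
                and not match_selection(det["filter"], event))
    raise ValueError(f"unsupported condition: {cond}")


def hunt(rules, events):
    """Return (event index, rule title, level, Computer) for every hit."""
    return [(i, r["title"], r["level"], ev.get("Computer"))
            for i, ev in enumerate(events)
            for r in rules if evaluate(r, ev)]


if __name__ == "__main__":
    for hit in hunt(RULES, EVENTS):
        print(hit)
```

The first 4624 event is suppressed by the filter and the second fires, which is the tuning loop in miniature: a rule that is right but noisy is narrowed with a filter, not deleted.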

Highlighter

  • Website: https://www.fireeye.com/services/freeware/highlighter.html
  • Model: Freeware (closed source)
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: Highlighter was a free, closed-source FireEye/Mandiant utility that loads a large log or text file, renders it as a graphical overview, and highlights the regions where a keyword or phrase occurs, which helps when building a timeline of an infection and of what was done after compromise. The "Open Source" label inherited from the source list is wrong.

Operational value: Visual triage of very large single files where grep output alone is hard to read.

Typical deployment pattern: Analyst workstation only; it neither collects nor centralizes.

Selection considerations: The listed URL belongs to the former fireeye.com freeware page and may no longer resolve; confirm availability before adding it to a kit. Related source context: Awesome Incident Response > IR Tools Collection > Timeline Tools.

httpry

  • Website: http://dumpsterventures.com/jason/httpry/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: httpry is a small libpcap-based C tool that captures HTTP traffic and writes one line per request and response, either to the terminal in real time or to a file as a daemon; it captures and parses, and leaves analysis to other tools. Source summary: "httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications."

Operational value: Lightweight HTTP request logging on a sensor or host where a full network IDS is too heavy; the line-per-request output is easy to ship to a SIEM.

Typical deployment pattern: Run it as a daemon on a SPAN port or on the host itself, rotate its output file, and forward it. It sees plaintext HTTP only; with TLS everywhere, expect visibility only for internal traffic or traffic terminated at a proxy.

Selection considerations: Small, stable and old; confirm it builds on current systems and weigh it against the HTTP logging of any network sensor you already run. Related source context: Awesome Security > Network > Monitoring / Logging.

HUDINX

  • Website: https://github.com/Cryptix720/HUDINX
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Honeypots

What it does: HUDINX is a small Python SSH honeypot that logs brute-force attempts and the shell interaction an attacker performs after a successful login. Source summary: "Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker." Note that this description is a near-verbatim copy of Kippo's (see the K section); treat the two as the same class of tool.

Operational value: Credentials tried and commands run against a honeypot are high-confidence attacker data for blocklists and detection content.

Typical deployment pattern: Isolated network segment, outbound traffic restricted, logs forwarded off-box; never reuse real credentials or hostnames on the honeypot.

Selection considerations: A small project; check activity, and compare with Kippo's maintained successor before choosing it for anything long-lived. Related source context: Contents > Honeypots.

Letter J

This letter section contains 1 tool.

justniffer

  • Website: http://justniffer.sourceforge.net/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: justniffer is a packet-capture-based network protocol analyzer that reconstructs TCP streams and writes customizable log lines for HTTP traffic; it can emulate Apache web-server log formats, record response times, and extract the files carried in HTTP responses. Source summary: "Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all "intercepted" files from the HTTP traffic."

Operational value: Apache-format logs generated from the wire mean existing web-log detections and parsers work unchanged on traffic from servers you cannot instrument, and file extraction gives you the payloads for malware triage.

Typical deployment pattern: Run on a SPAN port or proxy host, rotate output, forward to the SIEM. Plaintext HTTP only; TLS is opaque to it.

Selection considerations: An old SourceForge project; confirm it builds on current systems and that its log format options match what your parsers expect. Related source context: Awesome Security > Network > Monitoring / Logging.

Letter K

This letter section contains 3 tools.

Kaspersky CyberTrace

  • Website: https://support.kaspersky.com/13850
  • Model: Proprietary (free Community Edition available)
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: Kaspersky CyberTrace is a closed-source threat-intelligence matching service: it takes events forwarded from the SIEM, matches them against indicators from Kaspersky feeds and third-party or custom feeds, and returns enriched detection events. A free Community Edition with usage limits exists, but the "Open Source" label inherited from the source list is wrong. Source summary: "Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident response (IR) activities in the workflow of their existing security operations."

Operational value: Indicator matching is offloaded from the SIEM's own correlation engine, which matters when feeds run to millions of indicators and SIEM lookups are slow or metered.

Typical deployment pattern: Place it between log sources and the SIEM (or as a SIEM integration), start with a small set of high-confidence feeds, and measure false positives before enabling broad feeds; low-quality feeds turn enrichment into noise.

Selection considerations: Evaluate licensing and feed cost, data residency (what leaves your environment), and whether the Community Edition limits fit your event volume. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

Kippo

  • Website: https://github.com/desaster/kippo
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security, Awesome Honeypots

What it does: Kippo is a medium-interaction SSH honeypot written in Python on Twisted. It presents a fake shell and filesystem, logs every authentication attempt, records the full session (TTY log) and saves files the attacker downloads. Source summary: "Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker."

Operational value: Credential lists, source addresses and post-login commands from a honeypot are high-confidence attacker data for blocklists, detection content and awareness of what is being tried against your perimeter.

Typical deployment pattern: Isolated segment, outbound traffic restricted, logs forwarded off-box, and the defaults (hostname, banner, fake filesystem contents) changed, because Kippo's stock configuration was widely fingerprinted.

Selection considerations: Kippo itself is unmaintained; Cowrie is its actively maintained successor and the usual choice for a new deployment. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

Kippo2MySQL

  • Website: https://bruteforcelab.com/kippo2mysql
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Honeypots

What it does: Kippo2MySQL is a helper script that reads Kippo's text log, extracts basic statistics (login attempts, usernames, passwords, sources) and writes them into a MySQL database for querying. Source summary: "Extracts some very basic stats from Kippo's text-based log files and inserts them in a MySQL database."

Operational value: Long-term trends (most-tried passwords, most active sources, success rate) become one SQL query instead of a grep over rotated log files.

Typical deployment pattern: Run from cron after log rotation. Everything in a honeypot log is attacker input, usernames and passwords included, so the database must be written with parameterised statements and the stats host kept separate from the honeypot.

Selection considerations: Tied to Kippo's log format; if you run Kippo's maintained successor, its native database output replaces this script. Related source context: Contents > Honeypots.

Letter L

This letter section contains 10 tools.

LastActivityView

  • Website: https://www.nirsoft.net/utils/computer_activity_view.html
  • Model: Freeware (closed source)
  • Category: SIEM & Log Management
  • Source Lists: Awesome Forensics

What it does: LastActivityView by NirSoft is a closed-source freeware tool for Windows that collects information from sources on a running system (registry, Prefetch, event logs and others) and displays a chronological log of user actions and system events; the "Open Source" label inherited from the source list is wrong.

Operational value: A quick first timeline of what happened on a single host during live response, before a full forensic collection is available.

Typical deployment pattern: Run from a triage kit on the live host and export to CSV or HTML for the case file. Running anything on a live host changes it, so record when it was run, and expect some endpoint protection products to flag NirSoft utilities.

Selection considerations: Free but closed; for a defensible timeline, corroborate its output with the underlying artifacts it summarizes. Related source context: Awesome Forensics > Tools > Windows Artifacts.

Log Parser Lizard

  • Website: https://lizard-labs.com/log_parser_lizard.aspx
  • Model: Proprietary (free edition available)
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: Log Parser Lizard (Lizard Labs) is a closed-source Windows GUI over Microsoft Log Parser 2.2 that lets an analyst run SQL queries against structured log data and view results in grids, charts, pivots and dashboards. A free edition and a paid Professional edition exist; the "Open Source" label inherited from the source list is wrong. Source summary: "Execute SQL queries against structured log data: server logs, Windows Events, file system, Active Directory, log4net logs, comma/tab separated text, XML or JSON files. Also provides a GUI to Microsoft LogParser 2.2 with powerful UI elements: syntax editor, data grid, chart, pivot table, dashboard, query manager and more."

Operational value: SQL over IIS logs, EVTX and CSV on a workstation, without loading the data into a SIEM first; useful for ad hoc investigation and for prototyping a query before it becomes a SIEM search.

Typical deployment pattern: Analyst workstation with Microsoft Log Parser 2.2 installed; single-machine analysis, not collection.

Selection considerations: Licensing terms for the Professional features, and dependence on the old Log Parser 2.2 engine. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

LogAnon

  • Website: http://code.google.com/archive/p/loganon/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Honeypots

What it does: LogAnon is a log anonymization library whose point is consistency: the same real identifier (typically an IP address) receives the same replacement in the text logs and in the packet captures from the same dataset, so the anonymized artifacts can still be cross-referenced. Source summary: "Log anonymization library that helps having anonymous logs consistent between logs and network captures."

Operational value: Releasing honeypot or incident data to researchers, vendors or a public repository without disclosing your address space or your victims' addresses.

Typical deployment pattern: Anonymize once, with one key or mapping, across every artifact in the release, then verify nothing unmapped remains (hostnames, user names and embedded URLs are not IP addresses and need their own handling).

Selection considerations: The project lives in the Google Code archive and is unmaintained; the technique is simple enough to reimplement, and consistent pseudonyms are by design linkable within a dataset, so rotate the key per release. Related source context: Contents > Honeypots.
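The consistency property described above, as an added example (not LogAnon's code): one keyed mapping, applied to a free-text log line and to a flow record of the kind exported from a packet capture, so a real address gets the same pseudonym in both. The mapping is HMAC-SHA256 over the address truncated into a host number inside 10.0.0.0/8, an assumption chosen so the output still parses as an address; the inputs are constructed.

```python
"""Consistent pseudonymisation of IP addresses across logs and flow records.

Added illustration of the problem LogAnon addresses; not LogAnon's code. The
output range 10.0.0.0/8 and the HMAC construction are assumptions for the
example. LOG_LINE and FLOW are constructed.
"""
import hashlib
import hmac
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Pseudonymizer:
    def __init__(self, key: bytes):
        self._key = key
        self._seen = {}   # real -> pseudonym, so a run can be audited

    def ip(self, addr: str) -> str:
        if addr in self._seen:
            return self._seen[addr]
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            return addr   # matched the regex but is not an address (e.g. 999.1.1.1)
        digest = hmac.new(self._key, addr.encode(), hashlib.sha256).digest()
        host = int.from_bytes(digest[:4], "big") & 0x00FFFFFF
        pseudo = str(ipaddress.IPv4Address(0x0A000000 | host))   # always 10.x.x.x
        self._seen[addr] = pseudo
        return pseudo

    def text(self, line: str) -> str:
        """Rewrite every IPv4 literal in a log line."""
        return IPV4.sub(lambda m: self.ip(m.group(0)), line)

    def flow(self, record: dict) -> dict:
        """Rewrite the address fields of a flow record derived from a pcap."""
        return {**record, "src": self.ip(record["src"]), "dst": self.ip(record["dst"])}


# Constructed inputs: one honeypot log line and the matching flow record.
LOG_LINE = "Jan 10 08:00:03 hp sshd[77]: Accepted password for root from 203.0.113.7 port 51023 ssh2"
FLOW = {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 22, "bytes": 4120}

if __name__ == "__main__":
    p = Pseudonymizer(key=b"rotate-me-per-dataset")
    print(p.text(LOG_LINE))
    print(p.flow(FLOW))
```

Truncating to 24 bits loses subnet structure and can collide; where analysts need to see that two addresses shared a /24, a prefix-preserving scheme such as CryptoPAn is the established alternative. Either way the key is what protects the mapping, and reusing it across releases lets a recipient join the datasets.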

Logdissect

  • Website: https://github.com/dogoncouch/logdissect
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security, Awesome Incident Response

What it does: Logdissect is a Python command-line utility and library for parsing log files (syslog-style formats among others), filtering entries by time range, host, process and similar fields, merging several files into one ordered sequence, and emitting the result as text or JSON. Source summary: "CLI utility and Python API for analyzing log files and other data."

Operational value: Scriptable log slicing for hosts that never reached the SIEM, and a Python API for one-off parsers in an investigation.

Typical deployment pattern: Analyst workstation or jump host; point it at collected files, narrow by time and host, and hand the JSON to the next tool.

Selection considerations: A small single-maintainer project from the same author as LogESP; check recent activity and parser coverage for the formats you actually collect. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

LogESP

  • Website: https://github.com/dogoncouch/LogESP
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: LogESP is a Django-based open-source SIEM from the author of Logdissect: it collects syslog events into a database and provides rule-based alerting and a web interface for review. Source summary: "Open Source SIEM (Security Information and Event Management system)."

Operational value: A lightweight SIEM for a lab or small environment where a commercial or large open-source platform is not justified.

Typical deployment pattern: Syslog forwarding from a small set of hosts into a single server; define rules for the few conditions you care about first, then widen.

Selection considerations: Small, single-maintainer project; verify recent activity and assess scale limits before any production use. Related source context: Awesome Security > Network > Security Information & Event Management.

LogonTracer

  • Website: https://github.com/JPCERTCC/LogonTracer
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Forensics

What it does: LogonTracer (JPCERT/CC) is a Python tool that imports Windows logon-related events (4624, 4625, 4768, 4769, 4776, 4672 and related IDs) from EVTX or XML exports, builds a graph of accounts and hosts in a Neo4j database, and visualizes it in a web UI; it ranks nodes with PageRank and flags unusual activity with the ChangeFinder anomaly-detection algorithm. Source summary: "Tool to investigate malicious Windows logon by visualizing and analyzing Windows event log."

Operational value: Lateral movement shows up as an account fanning out across hosts, or a host reached by accounts that never touched it before; the graph makes that visible faster than reading 4624 events one by one.

Typical deployment pattern: Export Security logs from domain controllers (and member servers where available), load them, and review the graph around the known-compromised account or host. Coverage depends on logon auditing being enabled and, for Kerberos events, on collecting from the DCs.

Selection considerations: Needs a Neo4j instance; check the repository's maintenance status and the Neo4j version it supports. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.
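The graph the entry describes, reduced to an in-memory adjacency map and one query, as an added example (not LogonTracer's code, which stores the graph in Neo4j and applies PageRank and ChangeFinder). The check implemented is the simplest useful one: accounts whose successful remote logons reach several distinct hosts within a short window. The 4624 records are constructed.

```python
"""Account-to-host logon graph from Windows 4624 events.

Added illustration for this catalog entry; not LogonTracer's code. EVENTS is
constructed; Computer is the host that logged the event (the destination).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types meaning the account reached this host remotely.
REMOTE_LOGON_TYPES = {3, 10}   # 3 = network, 10 = RemoteInteractive (RDP)

EVENTS = [
    {"ts": "2024-01-10T08:00:00", "EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-", "Computer": "WS01"},
    {"ts": "2024-01-10T08:01:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "10.0.0.20", "Computer": "DB01"},
    {"ts": "2024-01-10T08:03:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.0.0.44", "Computer": "WS03"},
    {"ts": "2024-01-10T08:04:30", "EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.0.0.44", "Computer": "WS04"},
    {"ts": "2024-01-10T08:05:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.0.0.44", "Computer": "FS02"},
    {"ts": "2024-01-10T08:06:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.0.0.44", "Computer": "FS01"},
    {"ts": "2024-01-10T08:07:10", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.0.0.44", "Computer": "DC01"},
    {"ts": "2024-01-10T12:00:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_sql", "IpAddress": "10.0.0.20", "Computer": "DB02"},
]


def build_graph(events):
    """account -> {(src_ip, dest_host, logon_type, ts)} for successful remote logons.
    Failed logons (4625) and local logons are left out of the graph."""
    graph = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] in REMOTE_LOGON_TYPES:
            graph[ev["TargetUserName"]].add(
                (ev["IpAddress"], ev["Computer"], ev["LogonType"], ev["ts"]))
    return graph


def fan_out(graph, window=timedelta(minutes=15), threshold=3):
    """Accounts whose remote logons reach at least `threshold` distinct hosts
    inside some `window`; returns {account: (hosts, window_start, window_end)}
    with the widest window found per account."""
    flagged = {}
    for account, edges in graph.items():
        ordered = sorted(edges, key=lambda e: e[3])
        for i, first in enumerate(ordered):
            start = datetime.fromisoformat(first[3])
            hosts, end = set(), first[3]
            for e in ordered[i:]:
                if datetime.fromisoformat(e[3]) - start > window:
                    break
                hosts.add(e[1])
                end = e[3]
            best = flagged.get(account)
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best[0])):
                flagged[account] = (sorted(hosts), first[3], end)
    return flagged


if __name__ == "__main__":
    for account, (hosts, start, end) in fan_out(build_graph(EVENTS)).items():
        print(f"{account}: {len(hosts)} hosts between {start} and {end}: {hosts}")
```

Thresholds need tuning per environment: a service account that legitimately touches every file server will trip this unless it is baselined, which is exactly the kind of ranking LogonTracer's PageRank and ChangeFinder steps add on top of the raw graph.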

Logpasta

  • Website: https://logpasta.com/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome OSINT

What it does: Logpasta is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Simple, secure log paste service, command-line based.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Pastebins.

LogSlash

  • Website: https://github.com/FoxIO-LLC/LogSlash
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Threat Detection

What it does: LogSlash is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A standard for reducing log volume without sacrificing analytical capability.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

LongTail Log Analysis @ Marist College

  • Website: http://longtail.it.marist.edu/honey/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Honeypots

What it does: LongTail Log Analysis @ Marist College is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Analyzed SSH honeypot logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Lorg

  • Website: https://github.com/jensvoid/lorg
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: Lorg is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Tool for advanced HTTPD logfile security analysis and forensics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

Letter O

This letter section contains 3 tools.

OpenFPC

  • Website: http://www.openfpc.org
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: OpenFPC is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Full Packet Capture / Forensic.

OSSEC

  • Website: https://ossec.github.io/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security, Awesome OSINT

What it does: OSSEC is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Comprehensive Open Source HIDS. Not for the faint of heart. Takes a bit to get your head around how it works. Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. Plenty of reasonable documentation. Sweet spot is medium to large deployments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

OSSIM

  • Website: https://www.alienvault.com/open-threat-exchange/projects
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: OSSIM is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Single-server open source SIEM platform featuring asset discovery, asset inventorying, behavioral monitoring, and event correlation, driven by AlienVault Open Threat Exchange (OTX).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Security Information and Event Management (SIEM).

Letter P

This letter section contains 3 tools.

passivedns

  • Website: https://github.com/gamelinux/passivedns
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security, Awesome Penetration Testing

What it does: passivedns is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A tool to collect DNS records passively to aid incident handling, Network Security Monitoring (NSM) and general digital forensics. PassiveDNS sniffs traffic from an interface or reads a pcap file and outputs the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in memory, limiting the amount of data in the logfile without losing the essence of the DNS answer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Prelude

  • Website: https://www.prelude-siem.org/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: Prelude is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Prelude is a Universal "Security Information & Event Management" (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Security Information and Event Management (SIEM).

Public Security Log Sharing Site

  • Website: http://log-sharing.dreamhosters.com
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Threat Detection

What it does: Public Security Log Sharing Site is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Letter S

This letter section contains 15 tools.

sagan

  • Website: http://sagan.quadrantsec.com/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: sagan is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Sagan uses a 'Snort like' engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

Security Onion

  • Website: http://blog.securityonion.net/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: Security Onion is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Zeek, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

Security Onion

  • Website: https://securityonionsolutions.com/
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Security Onion is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Operating System distributions.

SIEM

  • Website: https://www.gartner.com/en/information-technology/glossary/security-information-and-event-management-siem
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome SOC

What it does: SIEM is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. The source list provides no descriptive summary for this entry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Sigma

  • Website: https://github.com/SigmaHQ/sigma
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: Sigma is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Generic signature format for SIEM systems, already containing an extensive ruleset.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

Sigma

  • Website: https://github.com/Neo23x0/sigma
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Sigma is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Generic signature format for SIEM systems, offering an open signature format that allows you to describe relevant log events in a straightforward manner.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.

Sigma2KQL

  • Website: https://github.com/Khadinxc/Sigma2KQL
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: Sigma2KQL is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A repository of all SIGMA rules converted to KQL; it runs on a weekly schedule to update the repository and align with the up-to-date version of the SIGMA rules repository.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

Sigma2SPL

  • Website: https://github.com/Khadinxc/Sigma2SPL
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: Sigma2SPL is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A repository of all SIGMA rules converted to SPL; it runs on a weekly schedule to update the repository and align with the up-to-date version of the SIGMA rules repository.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

SpoofSpotter

  • Website: https://github.com/NetSPI/SpoofSpotter
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: SpoofSpotter is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Catch spoofed NetBIOS Name Service (NBNS) responses and alert to an email or log file.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

sshwatch

  • Website: https://github.com/marshyski/sshwatch
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Security

What it does: sshwatch is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: IPS for SSH similar to DenyHosts, written in Python. It can also gather information about the attacker during the attack in a log.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

State of SIEM market 2025

  • Website: https://go.crowdstrike.com/rs/281-OBQ-266/images/Whitepaper2025StateofSIEMMarketCribl.pdf?version=0
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome SOC

What it does: State of SIEM market 2025 is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

StreamAlert

  • Website: https://github.com/airbnb/streamalert
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: StreamAlert is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Detection, Alerting and Automation Platforms.

Synthetic Adversarial Log Objects (SALO)

  • Website: https://github.com/splunk/salo
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Threat Detection

What it does: Synthetic Adversarial Log Objects (SALO) is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Sysmon

  • Website: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Threat Detection

What it does: Sysmon is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A Windows system service and device driver that monitors and logs system activity to the Windows event log.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring.

SysmonSearch

  • Website: https://github.com/JPCERTCC/SysmonSearch
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: SysmonSearch is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: SysmonSearch makes Windows event log analysis more effective and less time-consuming by aggregating event logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

Letter U

This letter section contains 2 tools.

Uncoder

  • Website: https://uncoder.io
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Threat Detection

What it does: Uncoder is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: An online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Untitled Goose Tool

  • Website: https://github.com/cisagov/untitledgoosetool
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Untitled Goose Tool is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Assists incident response teams by exporting cloud artifacts from Azure/AzureAD/M365 environments in order to run a full investigation despite lacking in logs ingested by a SIEM.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > Evidence collection.

Letter W

This letter section contains 2 tools.

WELA

  • Website: https://github.com/Yamato-Security/WELA
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response

What it does: WELA is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Windows Event Log Analyzer aims to be the Swiss Army knife for Windows event logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.

WMI Monitor

  • Website: https://github.com/realparisi/WMI_Monitor
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: WMI Monitor is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: Log newly created WMI consumers and processes to the Windows Application event log.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses.

Letter Z

This letter section contains 1 tool.

Zircolite

  • Website: https://github.com/wagga40/Zircolite
  • Model: Open Source
  • Category: SIEM & Log Management
  • Source Lists: Awesome Incident Response, Awesome SOC

What it does: Zircolite is used in SIEM & log management programs to support centralized event collection, correlation logic, detection tuning, and structured triage. Source summaries describe it as: A standalone and fast SIGMA-based detection tool for EVTX or JSON.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Log Analysis Tools.
