Windows event logs are one of the most valuable sources of forensic data in any SOC environment. They record everything: failed logins, new accounts, services being installed, firewalls being disabled. The problem is that digging through them manually is slow, error-prone, and honestly pretty miserable when you're staring at thousands of raw XML entries.
So I built something to fix that.
What is Pulse?
Pulse is a lightweight Windows event log analyzer I've been building as a hands-on learning project. It reads .evtx files in the native Windows event log format, automatically detects suspicious patterns, and generates a clean report you can actually read. No SIEM subscription required. No enterprise license. Just Python and a log file.
It currently ships with 14 detection rules covering the kinds of activity that show up in real incidents:
- Brute force attempts and account lockouts
- Privilege escalation and new account creation
- Antivirus and firewall being disabled
- Suspicious PowerShell execution
- New services and scheduled tasks being registered
- Two multi-event attack chains that correlate activity across time windows
Every rule is tagged with its MITRE ATT&CK technique, so findings map directly to the framework analysts actually use.
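To make the "multi-event attack chain" idea concrete, here is an added illustration of what a time-window correlation rule looks like; it is example code written for this post, not Pulse's own implementation. It assumes events have already been parsed out of the .evtx into a small record type, uses the standard Security-log IDs 4625 (failed logon) and 4624 (successful logon), and picks an arbitrary threshold of five failures in five minutes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimal normalized view of one Security-log record (field names are assumptions).
@dataclass
class Event:
    time: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    account: str
    source_ip: str

def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Correlate >= `threshold` failed logons (4625) for one account inside a
    sliding `window`, followed by a successful logon (4624) for that account
    while the window is still open. Returns one finding dict per chain."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_account[ev.account].append(ev)
    findings = []
    for account, evs in by_account.items():
        failures = []
        for ev in evs:
            # Drop failures that have aged out of the sliding window.
            failures = [f for f in failures if ev.time - f.time <= window]
            if ev.event_id == 4625:
                failures.append(ev)
            elif ev.event_id == 4624 and len(failures) >= threshold:
                findings.append({
                    "rule": "brute_force_then_success",
                    "severity": "CRITICAL",
                    "mitre": "T1110",            # ATT&CK: Brute Force
                    "account": account,
                    "failed_attempts": len(failures),
                    "first_failure": failures[0].time.isoformat(),
                    "success_at": ev.time.isoformat(),
                    "source_ips": sorted({f.source_ip for f in failures}),
                })
                failures = []   # one chain yields exactly one finding
    return findings

# Constructed sample: "alice" gets six failures in 75 s then a success (positive case);
# "bob" gets two failures then a success, which must stay quiet (negative case).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [Event(T0 + timedelta(seconds=15 * i), 4625, "alice", "10.0.0.7") for i in range(6)]
SAMPLE.append(Event(T0 + timedelta(seconds=120), 4624, "alice", "10.0.0.7"))
SAMPLE += [Event(T0 + timedelta(seconds=10 * i), 4625, "bob", "10.0.0.9") for i in range(2)]
SAMPLE.append(Event(T0 + timedelta(seconds=30), 4624, "bob", "10.0.0.9"))
```

Running `detect_bruteforce_then_success(SAMPLE)` returns a single finding for "alice" and nothing for "bob", which is exactly the positive/negative pair a unit test for the rule should assert on.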
What the report looks like
This was the part I spent the most time on. A tool that surfaces real findings but buries them in ugly output isn't useful. Pulse generates four report formats: HTML, JSON, CSV, and plain text, depending on what you need.
The HTML report is the most polished. It opens in any browser and shows a security score at the top, a filterable detections table with color-coded severity badges, scan statistics, and a remediation tab that tells you exactly what to do about each finding, prioritized from CRITICAL down to LOW. No hunting around for documentation. The answer is right there in the report.
What building it taught me
I'm a cybersecurity student, not a seasoned developer. Going into this I could write basic Python scripts. Coming out of it, I understand how Windows logs are actually structured, what event IDs matter and why, how attack chains work across time, and how to write unit tests that catch regressions before they become problems.
The 75 unit tests were probably the most valuable part. Every detection rule has tests for both the positive case (does it fire when it should?) and the negative case (does it stay quiet when it shouldn't?). Writing those tests forced me to think like an attacker and a defender at the same time.
What's next
Pulse is still growing. On the near-term roadmap: pass-the-hash detection, baseline comparison against known-good log snapshots, and email delivery of finished reports. Longer term, I want to add a SQLite backend for tracking findings across scans over time and eventually a live monitoring mode.
If you work in a SOC, study cybersecurity, or just want to understand what's actually happening on a Windows machine, Pulse might be worth a look.
The full project is open source on GitHub: github.com/barrytd/Pulse