drop evtx csv from multiple sources · detect events claiming to originate from unexpected computer names · identify log injection using spoofed source computer names · surface events inconsistent with the machine that generated them · runs locally
netbios format · ip-as-computer · minority hostname · cross-channel mismatch · 4624/4688/4698 spoofing