Eventsight
AI-powered Windows Event Log analyzer that learns from your feedback. Uses Claude AI with RAG to detect suspicious activity, improve accuracy over time, and share learnings across your team. CLI and MCP server interfaces.
Installation
npx eventsight
EventSight
AI-powered Windows Event Log analyzer that learns from analyst feedback.
Project Structure
This repository contains two related projects:
EventSight/
├── Eventsight/            # Standalone CLI tool
│   └── data/learnings/    # Shared learnings database
├── Eventsight-MCP/        # MCP server for Claude Code integration
└── .mcp.json              # MCP configuration
Why Two Projects?
| | Eventsight | Eventsight-MCP |
|---|---|---|
| Interface | Command-line (CLI) | MCP Server (Claude Code) |
| RAG Type | Standard RAG | Agentic RAG |
| Use Case | Direct analysis & reporting | Interactive analysis with Claude |
| Feedback | Manual commands | Natural language via Claude |
Shared Resources
Both projects share the same learnings database, meaning:
- Learnings created in either project benefit both
- Correlation rules are shared
- Analysis improvements compound over time
The shared data lives in Eventsight/data/learnings/:
- learnings.db - Analyst learnings, correlation rules, and analysis history
- events.db - Stored events from analyses (indexed by Event ID, timestamp, provider)
- embeddings.npy - 384-dimensional vector embeddings for semantic search
- event_embeddings.npy - Event embeddings for semantic event search
Eventsight (CLI)
The standalone command-line tool for Windows Event Log analysis.
Features:
- Parse and analyze EVTX files
- Batch processing with streaming output
- Continuous monitoring mode with live HTML report (auto-refreshing dashboard)
- Standard RAG for fast, deterministic learning retrieval
- Interactive feedback mode
- HTML/Markdown report generation
Quick Start:
cd Eventsight
uv sync
uv run eventsight evaluate Security.evtx --event-ids 4624,4688
See Eventsight/README.md for full documentation.
Eventsight-MCP (Claude Code Integration)
MCP server that brings EventSight capabilities into Claude Code with Agentic RAG.
Features:
- All EventSight analysis capabilities via 16 MCP tools
- Agentic RAG for intelligent feedback processing
- Natural language interaction ("Finding #2 is our EDR, mark as benign")
- Semantic event search
- Export/import learnings for sharing between instances
Quick Start:
# From the Eventsight-MCP directory with Claude Code
cd Eventsight-MCP
# Then use tools like:
# - evaluate_evtx to analyze EVTX files
# - feedback to process analyst input using Agentic RAG
# - search_stored_events to find specific activity
# - export_learnings_package to share learnings
See Eventsight-MCP/README.md for full documentation.
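Sharing learnings between instances means importing verdicts that will suppress or escalate findings on another analyst's machine, so the package should be integrity-checked and its contents validated before they land in the shared database. The following is an added example, not Eventsight-MCP's own export_learnings_package implementation: it wraps the exported learnings in an HMAC envelope (the shared key, the package layout, the "origin" tag and the import-side validation are all assumptions of this example), and the import side rejects tampered packages and drops unscoped learnings instead of trusting them.

```python
"""Added example (not Eventsight-MCP code): an integrity-checked learnings package.
Assumptions: a shared HMAC key distributed out of band, a version-1 JSON layout,
and learnings shaped as {event_id, scope, verdict, text}."""
import hashlib
import hmac
import json
import time

VERDICTS = {"benign", "suspicious"}


def export_package(learnings: list, key: bytes, source: str) -> bytes:
    """Serialise learnings deterministically and seal them with HMAC-SHA256."""
    payload = json.dumps(
        {"version": 1, "source": source, "exported_at": int(time.time()), "learnings": learnings},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "mac": mac}).encode()


def import_package(blob: bytes, key: bytes) -> dict:
    """Verify the seal first, then validate each learning before accepting it."""
    envelope = json.loads(blob)
    payload = envelope["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        raise ValueError("learnings package failed integrity check")
    body = json.loads(payload)
    if body.get("version") != 1:
        raise ValueError(f"unsupported package version {body.get('version')!r}")
    accepted, rejected = [], 0
    for learning in body["learnings"]:
        # An unscoped learning would apply to every event with that ID; never import one.
        if (not isinstance(learning.get("event_id"), int)
                or learning.get("verdict") not in VERDICTS
                or not learning.get("scope")):
            rejected += 1
            continue
        # Keep provenance so a bad verdict can be traced back to its source instance.
        accepted.append({**learning, "origin": body["source"]})
    return {"accepted": accepted, "rejected": rejected}


def demo() -> dict:
    key = b"shared-team-key-from-your-secret-store"  # assumption: provisioned out of band
    # Constructed learnings; the second one is deliberately unscoped.
    learnings = [
        {"event_id": 4688, "scope": {"image": r"C:\Program Files\Vendor\sensor.exe"},
         "verdict": "benign", "text": "Vendor EDR sensor"},
        {"event_id": 4688, "scope": {}, "verdict": "benign", "text": "everything is fine"},
    ]
    blob = export_package(learnings, key, source="soc-analyst-01")
    result = import_package(blob, key)
    try:  # flip a byte of the sealed payload and confirm the import refuses it
        import_package(blob.replace(b"Vendor EDR sensor", b"Anything"), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"accepted": result["accepted"], "rejected": result["rejected"],
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A symmetric key is the simplest choice when every instance is operated by one team; if packages cross team boundaries, replace the HMAC with a signature so the importing side cannot also forge packages.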
RAG Approaches
Standard RAG (Eventsight)
Direct vector similarity search for learning retrieval:
- Query → Embedding → Similarity Search → Top-K Results
- Fast O(1) lookup by Event ID when available
- Deterministic, efficient for batch processing
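The two retrieval paths described above (the Event ID index and the embedding search over the shared learnings store) look like this in miniature. This is an added example, not Eventsight's own code: the project keeps learnings in learnings.db and 384-dimensional vectors in embeddings.npy, while this example uses an in-memory list, a toy hashed bag-of-words embedding so it runs offline, and constructed learnings and queries.

```python
"""Added example (not Eventsight code): standard-RAG retrieval of analyst
learnings with an O(1) Event ID index and a cosine-similarity fallback.
The embedding is a toy stand-in for a real sentence model."""
import hashlib
import math
import re
from collections import defaultdict
from typing import Optional

DIM = 512  # toy size; Eventsight's embeddings.npy vectors are 384-dimensional


def embed(text: str) -> list:
    """Signed hashed bag-of-words, L2-normalised (feature hashing)."""
    vec = [0.0] * DIM
    for tok in re.findall(r"[a-z0-9_.\-]+", text.lower()):
        h = int.from_bytes(hashlib.sha256(tok.encode()).digest()[:8], "big")
        vec[h % DIM] += 1.0 if (h >> 16) & 1 else -1.0
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def cosine(a: list, b: list) -> float:
    return sum(x * y for x, y in zip(a, b))  # both inputs are unit vectors


class LearningStore:
    """In-memory stand-in for learnings.db plus embeddings.npy."""

    def __init__(self) -> None:
        self.learnings: list = []
        self.embeddings: list = []                 # parallel to self.learnings
        self.by_event_id: dict = defaultdict(list)  # the O(1) lookup path

    def add(self, event_id: Optional[int], text: str, verdict: str) -> int:
        idx = len(self.learnings)
        self.learnings.append({"id": idx, "event_id": event_id, "text": text, "verdict": verdict})
        self.embeddings.append(embed(text))
        if event_id is not None:
            self.by_event_id[event_id].append(idx)
        return idx

    def retrieve(self, query: str, event_id: Optional[int] = None,
                 k: int = 3, min_score: float = 0.1) -> list:
        """Narrow to the Event ID's learnings when the index has any, otherwise
        search every learning; rank candidates by cosine similarity."""
        candidates = self.by_event_id.get(event_id) if event_id is not None else None
        if not candidates:
            candidates = range(len(self.learnings))
        q = embed(query)
        scored = [(cosine(q, self.embeddings[i]), i) for i in candidates]
        scored.sort(key=lambda s: (-s[0], s[1]))  # deterministic tie-break by id
        return [{"score": round(s, 3), **self.learnings[i]} for s, i in scored[:k] if s >= min_score]


def demo() -> dict:
    store = LearningStore()
    # Constructed learnings, not taken from any real analysis.
    store.add(4688, "powershell.exe spawned by our EDR agent sensor.exe is benign", "benign")
    store.add(4624, "logon type 10 from the jump host jump01 is expected", "benign")
    store.add(None, "rundll32 with no arguments is suspicious", "suspicious")
    return {
        "indexed": store.retrieve("sensor.exe spawning powershell.exe", event_id=4688),
        "fallback": store.retrieve("rundll32 launched with no arguments", event_id=4625),
    }


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The Event ID path is what makes batch processing cheap: most findings carry an Event ID, so the vector search only runs for learnings that were never tied to one. Note that a learning retrieved this way is only as safe as its scope; a learning that says "sensor.exe is benign" without pinning the image path will match a copy of sensor.exe dropped anywhere on disk.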
Agentic RAG (Eventsight-MCP)
LLM-driven tool selection for intelligent processing:
- Query → LLM analyzes intent → Selects appropriate tools
- Can search events, create learnings, mark findings autonomously
- Better at understanding nuanced natural language feedback
- Creates higher-quality, generalizable learnings
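Because the model chooses the tools and can mark findings and create learnings on its own, the tool layer is where a misread instruction gets caught. The following added example (not Eventsight-MCP's code; the tool names mark_finding and create_learning, the finding shape and the scope rules are assumptions modelled on the README's tool list) shows a dispatcher that validates every proposed call against a schema and the current findings before it touches the shared learnings, using constructed tool calls that stand in for the model's output for "Finding #2 is our EDR, mark as benign".

```python
"""Added example (not Eventsight-MCP code): guardrails around agentic feedback.
The LLM proposes tool calls; this dispatcher validates each one before it runs,
so a misread instruction cannot blanket-suppress an Event ID."""
import re

# Constructed findings in a hypothetical shape, as an evaluate step might report them.
FINDINGS = {
    1: {"event_id": 4688, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe"},
    2: {"event_id": 4688, "image": r"C:\Program Files\Vendor\sensor.exe",
        "cmdline": "sensor.exe --scan", "parent": r"C:\Windows\System32\services.exe"},
}
VERDICTS = {"benign", "suspicious"}
SCOPE_KEYS = {"image", "parent", "account", "cmdline"}
EXPECTED_ARGS = {  # hypothetical tool names, modelled on the README's tool list
    "mark_finding": {"finding_id", "verdict"},
    "create_learning": {"event_id", "scope", "text", "verdict"},
}


class FeedbackSession:
    def __init__(self, findings: dict) -> None:
        self.findings = {k: dict(v) for k, v in findings.items()}
        self.learnings: list = []
        self.audit: list = []

    def mark_finding(self, finding_id: int, verdict: str) -> dict:
        self.findings[finding_id]["verdict"] = verdict
        return {"finding_id": finding_id, "verdict": verdict}

    def create_learning(self, event_id: int, scope: dict, text: str, verdict: str) -> dict:
        learning = {"event_id": event_id, "scope": scope, "text": text, "verdict": verdict}
        self.learnings.append(learning)
        return learning

    def validate(self, call: dict):
        """Return a rejection reason, or None if the call may run."""
        tool, args = call.get("tool"), call.get("args", {})
        if tool not in EXPECTED_ARGS:
            return f"tool not allowed: {tool!r}"
        if set(args) != EXPECTED_ARGS[tool]:
            return f"{tool} expects exactly {sorted(EXPECTED_ARGS[tool])}"
        if args["verdict"] not in VERDICTS:
            return f"bad verdict: {args['verdict']!r}"
        if tool == "mark_finding":
            return None if args["finding_id"] in self.findings else f"unknown finding: {args['finding_id']!r}"
        scope = args["scope"]
        if not isinstance(args["event_id"], int) or not isinstance(scope, dict):
            return "create_learning needs an int event_id and a dict scope"
        if not scope or not set(scope) <= SCOPE_KEYS:
            return "learning scope must name at least one of " + ", ".join(sorted(SCOPE_KEYS))
        if any(not isinstance(v, str) or not v.strip() or re.search(r"[*?]", v) for v in scope.values()):
            return "scope values must be literal, non-empty and free of wildcards"
        # A benign verdict keyed on an image in a user-writable path is easy to abuse;
        # this example insists on Windows or Program Files and sends anything else to a human.
        if args["verdict"] == "benign" and "image" in scope and not re.match(
                r"(?i)^[a-z]:\\(windows|program files)", scope["image"]):
            return "benign learning for an image outside Windows/Program Files needs manual review"
        return None

    def run(self, proposed_calls: list) -> list:
        results = []
        for call in proposed_calls:
            reason = self.validate(call)
            if reason:
                self.audit.append(f"REJECT {call.get('tool')}: {reason}")
                results.append({"ok": False, "reason": reason})
                continue
            out = getattr(self, call["tool"])(**call["args"])  # tool name already allowlisted
            self.audit.append(f"OK {call['tool']}: {out}")
            results.append({"ok": True, "result": out})
        return results


def demo() -> FeedbackSession:
    session = FeedbackSession(FINDINGS)
    # Constructed calls: two the model should make, two it must not get away with.
    proposed = [
        {"tool": "mark_finding", "args": {"finding_id": 2, "verdict": "benign"}},
        {"tool": "create_learning", "args": {"event_id": 4688, "verdict": "benign",
            "scope": {"image": r"C:\Program Files\Vendor\sensor.exe",
                      "parent": r"C:\Windows\System32\services.exe"},
            "text": "Vendor EDR sensor started by services.exe"}},
        {"tool": "create_learning", "args": {"event_id": 4688, "scope": {},
            "text": "all 4688 events are benign", "verdict": "benign"}},
        {"tool": "delete_all_learnings", "args": {"verdict": "benign"}},
    ]
    session.run(proposed)
    return session


if __name__ == "__main__":
    print("\n".join(demo().audit))
```

The audit list is the part worth keeping in a real deployment: when a learning later suppresses something it should not have, the rejected and accepted calls show exactly what the model asked for and why it was allowed.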
License
MIT
