last week i was poking through event logs from a home lab vm i suspected had been scanned hard. dropped the evtx into event viewer. it took 90 seconds to load, then crashed the moment i tried to filter by event id 4624.

splunk is overkill for one machine. wazuh wants infra i didn't want to set up just to look at one file. pysigma converts sigma rules to backend queries, but i didn't have a backend.

so i wrote threatlens. it's a cli. point it at a log file or directory, get alerts mapped to mitre att&ck.

```
threatlens scan logs/ --min-severity high
```

that's the whole interface for the common case.

what i actually wanted was three things, roughly in priority order:

1. works on a single laptop with no infra. no daemon. no agent. no message queue. only runtime dep is pyyaml.
2. reads the formats i actually have. evtx (windows native), json/ndjson (modern stuff), syslog (linux), cef (network gear).
3. speaks sigma. the community has thousands of detection rules already written.…
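to make concrete what "speaks sigma" and "--min-severity" mean for a single file, here is an added, self-contained sketch of a sigma-style matcher over ndjson lines. it is example code written for this post's topic, not threatlens's own code or anything from the sigma project. the two rules are hypothetical, written as python dicts in the shape a sigma yaml file loads to so the example needs no pyyaml, and they cover only two condition forms (`selection` and `selection and not filter`) and one field modifier (`|startswith`). the sample events are constructed; the 4624 field names follow the windows event xml.

```python
"""Minimal sigma-style matcher over ndjson lines with a min-severity filter (example only)."""
import json

# Sigma levels, ordered so a threshold comparison works.
SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical rules in dict form (what yaml.safe_load would give for a sigma file).
# Not rules from threatlens or the public sigma repository.
RULES = [
    {
        "title": "RDP logon from outside the lab range",
        "level": "high",
        "tags": ["attack.initial_access", "attack.t1078"],
        "detection": {
            "selection": {"EventID": 4624, "LogonType": 10},
            "filter": {"IpAddress|startswith": "10."},
            "condition": "selection and not filter",
        },
    },
    {
        "title": "Any successful logon",
        "level": "low",
        "tags": ["attack.t1078"],
        "detection": {"selection": {"EventID": 4624}, "condition": "selection"},
    },
]


def field_matches(event, key, expected):
    """Evaluate one selection entry; supports plain equality and the '|startswith' modifier."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    if modifier == "":
        return value == expected
    if modifier == "startswith":
        return str(value).startswith(str(expected))
    raise ValueError(f"unsupported modifier: {modifier}")


def block_matches(event, block):
    """A selection block matches only when every listed field matches (sigma AND semantics)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event, rule):
    """Handle the two condition strings used by the rules above."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return block_matches(event, det["selection"])
    if cond == "selection and not filter":
        return block_matches(event, det["selection"]) and not block_matches(event, det["filter"])
    raise ValueError(f"unsupported condition: {cond}")


def scan_ndjson(text, rules, min_severity="low"):
    """Return one alert per (line, rule) hit for rules at or above min_severity."""
    threshold = SEVERITY[min_severity]
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in rules:
            if SEVERITY[rule["level"]] < threshold:
                continue  # below the requested severity, skip before matching
            if rule_matches(event, rule):
                alerts.append({
                    "line": lineno,
                    "rule": rule["title"],
                    "level": rule["level"],
                    # att&ck technique tags give the mapping the cli prints
                    "attack": [t for t in rule["tags"] if t.startswith("attack.t")],
                })
    return alerts


# Constructed sample: three 4624 logons, one of them an rdp logon from a non-lab address.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob", "IpAddress": "-"},
])

if __name__ == "__main__":
    for alert in scan_ndjson(SAMPLE_NDJSON, RULES, min_severity="high"):
        print(alert)
```

with `min_severity="high"` only the second sample line produces an alert; dropping to `"low"` also surfaces the three plain-logon hits, which is exactly the noise the `--min-severity` flag is there to cut.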