Here you'll find a repository of community-contributed, publicly shareable Windows event log message data stored in SQLite format. This data can be used with dumpevtx, which is the standalone CLI implementation of Velociraptor’s parse_evtx() VQL plugin.
In addition to extracting data from Windows evtx files, the tool can also extract the descriptive event messages (that would normally only be viewable in Windows Event Viewer on the source computer) from the associated .dll files and then use these to enrich the data to make it more human-friendly and useful to security analysts and investigators.
The dumpevtx tool stores such data in SQLite database files which can be re-used when parsing offline evtx files (when the message DLLs are not available) or for looking up more descriptive information on specific event IDs.
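As an added illustration (not code from this repository or from dumpevtx), the following Python sketch shows the enrichment step described above: a SQLite table of message templates, looked up by provider and event ID, whose numbered insertion strings (%1, %2, ...) are filled from a parsed event's EventData. The table schema, the sample template and the sample event are all constructed here and are not dumpevtx's real layout or Windows' real 4624 template.

```python
import re
import sqlite3

# Constructed, illustrative schema: NOT dumpevtx's real table layout.
SCHEMA = """
CREATE TABLE messages (
    provider TEXT    NOT NULL,
    event_id INTEGER NOT NULL,
    template TEXT    NOT NULL,
    PRIMARY KEY (provider, event_id)
);
"""

# Constructed, simplified template in the style of a message-table entry:
# %N refers to the N-th EventData value, %% is a literal percent sign.
SAMPLE_ROWS = [
    ("Microsoft-Windows-Security-Auditing", 4624,
     "An account was successfully logged on.\n"
     "Subject: %1\nLogon Type: %2\nAccount Name: %3\n"
     "Source Network Address: %4\nLiteral: %%"),
]

_PLACEHOLDER = re.compile(r"%(%|\d+)")  # only %N and %% are handled here

def open_message_db(path=":memory:"):
    """Create the lookup database and load the constructed sample rows."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_template(conn, provider, event_id):
    row = conn.execute(
        "SELECT template FROM messages WHERE provider = ? AND event_id = ?",
        (provider, event_id)).fetchone()
    return row[0] if row else None

def render_message(template, event_data):
    """Substitute %N with event_data[N-1]; out-of-range %N is kept verbatim
    so a too-short EventData list stays visible instead of being silently lost."""
    def sub(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        idx = int(tok) - 1
        return event_data[idx] if 0 <= idx < len(event_data) else m.group(0)
    return _PLACEHOLDER.sub(sub, template)

def enrich_event(conn, event):
    """Return a copy of the parsed event with a 'Message' field (None if no template)."""
    tpl = lookup_template(conn, event["Provider"], event["EventID"])
    out = dict(event)
    out["Message"] = render_message(tpl, event["EventData"]) if tpl else None
    return out
```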
To understand more about the problems that dumpevtx solves and how it does so, we invite you to read the following article:
You can also learn more over at the NSACyber WELM project: