Windows 11 • Local-only

Home Security Agent

Local-only host integrity + threat visibility for Windows 11.

Observes and explains. Does not block. Recommended alongside Windows Defender.

Local-only • Sysmon-based • Explainable findings • Alerting (toast + Event Log) • Keep Defender ON

This is a visibility tool, not a blocker. Use alongside Windows Defender (AMSI + memory protections).

Visibility in 30 seconds
  • What executed
  • What changed
  • What persisted
  • What talked to the network

What it is / What it isn’t

Short, honest scope so expectations stay clean.

What it is

  • Personal EDR-lite on top of Sysmon
  • Correlation + scoring + explainable findings
  • Targeted allowlisting to reduce noise

What it isn’t

  • Not an antivirus replacement
  • Not in-memory or kernel-level detection
  • Not for enterprise SOC usage

Keep Windows Defender ON (AMSI + memory protections). This tool complements it.

Screenshots

Real UI, real signal. No marketing fluff.

Dashboard Overview

Screenshot: dashboard overview with priority table. Priority queue, open High/Critical, and last alert status.

Execute → Persist

Screenshot: finding detail for an Execute → Persist chain. Exact image, parent, and persistence target in one place.

Allowlist + Ignore

Screenshot: allowlist and ignore workflow. Targeted rules and safe ignore workflow to keep signal clean.

How it works

Simple, local, and explainable.

Sysmon → Windows Event Log → Agent → SQLite → Dashboard + Alerts
  • Sysmon runs as an always-on Windows service.
  • Agent correlates: Drop → Execute, Execute → Persist, Script → Network.
  • Dashboard is on-demand (read-only).
  • Alerts are deduped and throttled to avoid spam.
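The pipeline above, as an added example that is not the project's agent.py: a small Python correlator that replays constructed Sysmon-style events (event IDs 1, 3, 11 and 13, which map onto the four "what executed / what changed / what persisted / what talked to the network" questions), emits the three chains with the evidence the dashboard would show, then dedupes and rate-limits them the way an alert sender would. The event dict field names, the 5-minute drop-to-execute window, the scores, the script-host list and the 10-minute per-chain throttle are all assumptions, not the project's values.

```python
"""Sysmon correlation sketch: Drop->Execute, Execute->Persist, Script->Network,
plus alert dedupe/throttle. Added example, not the project's agent.py.
Events are constructed dicts carrying only the fields the correlator needs;
windows, scores, host list and throttle policy are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Sysmon event IDs, one per question on the page.
PROCESS_CREATE = 1    # what executed
NETWORK_CONNECT = 3   # what talked to the network
FILE_CREATE = 11      # what changed
REGISTRY_SET = 13     # what persisted

# Assumed tunables (not the project's values).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
DROP_EXEC_WINDOW = timedelta(minutes=5)
SCORES = {"Drop->Execute": 70, "Execute->Persist": 80, "Script->Network": 60}


@dataclass
class Finding:
    chain: str
    score: int
    time: datetime
    evidence: dict  # str -> str: the "why" shown next to the finding


def correlate(events: list[dict]) -> list[Finding]:
    """Replay events in time order; emit one Finding per chain hit."""
    findings: list[Finding] = []
    file_created_at: dict[str, datetime] = {}   # lower-cased path -> creation time
    proc_parent: dict[int, str] = {}            # pid -> parent image, from event 1
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, t = ev["event_id"], ev["time"]
        if eid == FILE_CREATE:
            file_created_at[ev["target"].lower()] = t
        elif eid == PROCESS_CREATE:
            proc_parent[ev["pid"]] = ev["parent"]
            created = file_created_at.get(ev["image"].lower())
            if created is not None and t - created <= DROP_EXEC_WINDOW:
                findings.append(Finding("Drop->Execute", SCORES["Drop->Execute"], t, {
                    "image": ev["image"], "parent": ev["parent"],
                    "dropped_seconds_before": str(int((t - created).total_seconds()))}))
        elif eid == REGISTRY_SET:
            if any(m in ev["target"].lower() for m in RUN_KEY_MARKERS):
                findings.append(Finding("Execute->Persist", SCORES["Execute->Persist"], t, {
                    "image": ev["image"], "parent": proc_parent.get(ev["pid"], "unknown"),
                    "persistence_target": ev["target"]}))
        elif eid == NETWORK_CONNECT:
            if ev["image"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                findings.append(Finding("Script->Network", SCORES["Script->Network"], t, {
                    "image": ev["image"], "parent": proc_parent.get(ev["pid"], "unknown"),
                    "destination": ev["target"]}))
    return findings


class AlertThrottle:
    """Drop exact repeats and send at most one alert per chain per min_gap
    (assumed policy: every finding is still stored, only the toast is cut)."""

    def __init__(self, min_gap: timedelta = timedelta(minutes=10)) -> None:
        self.min_gap = min_gap
        self._seen: set[tuple] = set()
        self._last_sent: dict[str, datetime] = {}

    def should_alert(self, f: Finding) -> bool:
        key = (f.chain, tuple(sorted(f.evidence.items())))
        if key in self._seen:
            return False
        self._seen.add(key)
        last = self._last_sent.get(f.chain)
        if last is not None and f.time - last < self.min_gap:
            return False
        self._last_sent[f.chain] = f.time
        return True


# Constructed sample telemetry (not real events): pids and paths are made up,
# 203.0.113.0/24 is the documentation address range.
T0 = datetime(2024, 5, 1, 9, 0, 0)
DROPPED_EXE = r"C:\Users\alice\AppData\Local\Temp\update.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_id": FILE_CREATE, "time": T0, "pid": 1001,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "target": DROPPED_EXE},
    {"event_id": PROCESS_CREATE, "time": T0 + timedelta(seconds=30), "pid": 4242,
     "image": DROPPED_EXE, "parent": r"C:\Windows\explorer.exe"},
    {"event_id": PROCESS_CREATE, "time": T0 + timedelta(seconds=40), "pid": 4300,
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"event_id": REGISTRY_SET, "time": T0 + timedelta(seconds=45), "pid": 4242,
     "image": DROPPED_EXE, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": PROCESS_CREATE, "time": T0 + timedelta(seconds=50), "pid": 5100,
     "image": POWERSHELL, "parent": DROPPED_EXE},
    {"event_id": NETWORK_CONNECT, "time": T0 + timedelta(seconds=60), "pid": 5100,
     "image": POWERSHELL, "target": "203.0.113.10:443"},
    {"event_id": NETWORK_CONNECT, "time": T0 + timedelta(seconds=90), "pid": 5100,
     "image": POWERSHELL, "target": "203.0.113.11:443"},
    {"event_id": NETWORK_CONNECT, "time": T0 + timedelta(seconds=120), "pid": 5100,
     "image": POWERSHELL, "target": "203.0.113.10:443"},   # repeat of the first connect
]


def run(events: list[dict]) -> tuple[list[Finding], list[Finding]]:
    """Return (all findings, the subset that would actually be toasted)."""
    findings = correlate(events)
    throttle = AlertThrottle()
    return findings, [f for f in findings if throttle.should_alert(f)]


if __name__ == "__main__":
    all_findings, alerted = run(SAMPLE_EVENTS)
    for f in all_findings:
        flag = "ALERT" if f in alerted else "suppressed"
        print(f"{f.time:%H:%M:%S} {f.chain:<16} score={f.score} {flag:<10} {f.evidence}")
```

On the sample, notepad.exe starting from explorer.exe produces nothing because no file-create preceded it, the dropped update.exe produces a Drop->Execute and, once it writes the Run key, an Execute->Persist that names the same image and parent, and the three powershell.exe connects produce three Script->Network findings of which only the first is toasted: the second lands inside the per-chain gap and the third is an exact duplicate. The parent on the registry and network findings comes from the earlier event 1 for that pid, which is the "exact image, parent, and persistence target in one place" the finding view shows.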

Quick start

Copy/paste friendly.

Install

pip install -r requirements.txt

Run agent

python agent.py

Run dashboard

streamlit run dashboard.py

For always-on operation, run the Task Scheduler installer (see MANUAL.md).