Open Investigator · Windows logon triage
Triage suspicious Windows logons without giving AI admin rights.
Windows host alerts often start with an account, a login time, a server name, or a vague suspicion that a service account was abused. The first pass should preserve evidence and narrow the question before anyone changes production state.
Why it matters
Use this article when a Windows login alert needs a local, evidence-backed first pass before account, service, or containment actions.
Start with the account clue
Use Open Investigator when the first signal is a suspicious user, service account, host, timestamp, process, or broad Windows anomaly. The useful first question is where the account appeared and what changed nearby, not whether the model can declare compromise immediately.
Collect bounded Windows evidence
A Windows first pass should review authentication context, local accounts and groups, process trees, listening ports, outbound connections, services, startup and persistence locations, recent files, and PowerShell or command history when available. Open Investigator keeps those observations attached to evidence records.
Look for relationship, not just presence
One suspicious logon is rarely enough. Stronger findings come from relationships: a logon followed by a new service, a PowerShell sequence, an unusual process parent, new outbound traffic, or recent changes under sensitive paths.
Use AI for follow-up questions
The AI can decide which bounded collector to ask next after seeing the current evidence. That helps move from an account clue to a reviewable narrative while avoiding arbitrary shell and mutation actions.
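The bounded-collector idea from the two sections above, as an added example that is not Open Investigator's own code: the model picks a collector by name from a fixed catalogue, never a command string, so the investigation cannot be steered into an arbitrary shell action. Every run is appended to a commands.log line and a full evidence.jsonl record (the file names echo the artifacts the Try it section lists; the record fields, the catalogue and the canned offline outputs are assumptions). The commands in the catalogue are standard Windows tools; the canned runner lets the example run anywhere.

```python
"""Allow-listed, read-only Windows collectors with an append-only command log.

Added example, not Open Investigator's own code. The collector catalogue, the
record fields and the evidence.jsonl / commands.log layout are assumptions;
the commands themselves are standard Windows tools.
"""
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The only commands the investigation may run. A model (or a human) chooses a
# key from this table; argv is fixed here, so no request can add arguments,
# redirections or a second command.
COLLECTORS = {
    "logon_events": ["wevtutil", "qe", "Security",
                     "/q:*[System[(EventID=4624 or EventID=4625)]]",
                     "/c:200", "/rd:true", "/f:text"],
    "local_admins": ["net", "localgroup", "Administrators"],
    "listening_ports": ["netstat", "-ano"],
    "services": ["sc", "query", "type=", "service", "state=", "all"],
    "run_keys": ["reg", "query",
                 r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"],
}

# Constructed outputs so the example runs offline; a real case uses subprocess_runner.
CANNED_OUTPUT = {
    "listening_ports": "  TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4\n",
    "local_admins": "Members\n-------\nAdministrator\nsvc-backup\n",
}


class CollectorError(ValueError):
    """Raised when a request names anything outside COLLECTORS."""


def is_allowed(name):
    return name in COLLECTORS


def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def subprocess_runner(argv):
    """Execute a fixed argv with no shell and a timeout; returns (rc, output)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60, shell=False)
    return proc.returncode, proc.stdout + proc.stderr


def canned_runner(argv):
    """Offline stand-in for subprocess_runner: looks the collector up by its argv."""
    name = next(k for k, v in COLLECTORS.items() if v == argv)
    return 0, CANNED_OUTPUT.get(name, "")


class Case:
    def __init__(self, case_dir=None, runner=subprocess_runner):
        self.dir = Path(case_dir or tempfile.mkdtemp(prefix="oi-case-"))
        self.runner = runner
        self.records = []

    def collect(self, name):
        """Run one allow-listed collector, log it, and return the evidence record."""
        if not is_allowed(name):
            raise CollectorError(f"{name!r} is not an allow-listed collector")
        argv = COLLECTORS[name]
        started = datetime.now(timezone.utc).isoformat(timespec="seconds")
        rc, output = self.runner(argv)
        record = {"id": f"ev-{len(self.records) + 1:04d}", "collector": name,
                  "argv": argv, "started": started, "exit_code": rc,
                  "sha256": digest(output), "output": output}
        self.records.append(record)
        # commands.log is the short audit trail; evidence.jsonl keeps the full record.
        with open(self.dir / "commands.log", "a", encoding="utf-8") as log:
            log.write(f"{started} {name} exit={rc} sha256={record['sha256']}\n")
        with open(self.dir / "evidence.jsonl", "a", encoding="utf-8") as ev:
            ev.write(json.dumps(record) + "\n")
        return record

    def evidence_lines(self):
        path = self.dir / "evidence.jsonl"
        return path.read_text(encoding="utf-8").splitlines() if path.exists() else []


if __name__ == "__main__":
    case = Case(runner=canned_runner)
    print(case.collect("listening_ports")["sha256"])
    try:
        case.collect("listening_ports; whoami")  # anything outside the table is refused
    except CollectorError as err:
        print("rejected:", err)
```

The check that matters is the dictionary lookup: a model's suggestion is only ever a key, so a suggestion carrying extra text is refused before anything runs and leaves no record, while every accepted run lands in both files with its exit code and output hash.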
Preserve gaps and uncertainty
If logs are rotated, event history is thin, PowerShell logging is incomplete, or endpoint telemetry is missing, the report should say so. A gap is a real output because it tells the human responder what still needs confirmation.
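The relationship search from the "Look for relationship" section and the gap reporting from this one, together as an added example (not Open Investigator's own code): each 4624 logon is tied to the changes seen on the same host within a window after it, and any expected log source that contributed nothing is reported as a gap rather than silently producing no finding. The event layout, the 15-minute window, the source names, the ODD_PARENTS list and the sample events are all constructed assumptions.

```python
"""Relate a Windows logon to nearby changes and record evidence gaps.

Added example, not Open Investigator's own code. The event layout, WINDOW,
EXPECTED_SOURCES, ODD_PARENTS and SAMPLE_EVENTS are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
# Log sources the triage expects; a missing one becomes a reported gap.
EXPECTED_SOURCES = {"Security", "System", "PowerShell"}
# Parents that rarely spawn a shell or script host in normal use (assumed list).
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
MIN_SCRIPT_BLOCKS = 3  # how many 4104 events count as a "PowerShell sequence"

# Constructed sample events (not real telemetry), already normalised by a collector.
SAMPLE_EVENTS = [
    {"id": "e1", "ts": "2024-05-01T02:10:00", "host": "FS01", "source": "Security",
     "event_id": 4624, "account": "svc-backup",
     "details": {"logon_type": 3, "src_ip": "10.0.0.45"}},
    {"id": "e2", "ts": "2024-05-01T02:11:05", "host": "FS01", "source": "Security",
     "event_id": 4688, "account": "svc-backup",
     "details": {"image": "powershell.exe", "parent": "wscript.exe"}},
    {"id": "e3", "ts": "2024-05-01T02:11:10", "host": "FS01", "source": "PowerShell",
     "event_id": 4104, "account": "svc-backup", "details": {"script_block_id": "sb-1"}},
    {"id": "e4", "ts": "2024-05-01T02:11:12", "host": "FS01", "source": "PowerShell",
     "event_id": 4104, "account": "svc-backup", "details": {"script_block_id": "sb-2"}},
    {"id": "e5", "ts": "2024-05-01T02:11:15", "host": "FS01", "source": "PowerShell",
     "event_id": 4104, "account": "svc-backup", "details": {"script_block_id": "sb-3"}},
    {"id": "e6", "ts": "2024-05-01T02:12:30", "host": "FS01", "source": "System",
     "event_id": 7045, "account": "svc-backup",
     "details": {"service": "updsvc", "image_path": "C:\\Windows\\Temp\\u.exe"}},
    {"id": "e7", "ts": "2024-05-01T09:00:00", "host": "FS02", "source": "Security",
     "event_id": 4624, "account": "jdoe", "details": {"logon_type": 2}},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def relate_logons(events):
    """Return (findings, gaps).

    A finding ties one 4624 logon to the changes seen on the same host within
    WINDOW after it. A gap names an expected source that contributed no events,
    so the reader knows which relationships could not be evaluated at all.
    """
    present = {e["source"] for e in events}
    gaps = [f"no events from the {s} log; checks that depend on it were not evaluated"
            for s in sorted(EXPECTED_SOURCES - present)]
    findings = []
    for logon in (e for e in events if e["source"] == "Security" and e["event_id"] == 4624):
        t0 = _ts(logon)
        nearby = [e for e in events
                  if e["host"] == logon["host"] and t0 < _ts(e) <= t0 + WINDOW]
        links = []
        for e in nearby:
            if e["event_id"] == 7045:  # a service installed shortly after the logon
                links.append({"kind": "new_service", "event": e["id"],
                              "detail": e["details"]["service"]})
            elif e["event_id"] == 4688 and e["details"].get("parent", "").lower() in ODD_PARENTS:
                links.append({"kind": "unusual_parent", "event": e["id"],
                              "detail": f'{e["details"]["parent"]} -> {e["details"]["image"]}'})
        blocks = [e for e in nearby if e["event_id"] == 4104]
        if len(blocks) >= MIN_SCRIPT_BLOCKS:
            links.append({"kind": "powershell_sequence", "event": blocks[0]["id"],
                          "detail": f"{len(blocks)} script blocks within {WINDOW}"})
        if links:  # a lone logon with nothing nearby is not reported as a finding
            findings.append({"logon": logon["id"], "account": logon["account"],
                             "host": logon["host"], "links": links})
    return findings, gaps


def kinds(finding):
    """The set of relationship kinds attached to one finding."""
    return {link["kind"] for link in finding["links"]}


if __name__ == "__main__":
    for label, evs in (("all sources", SAMPLE_EVENTS),
                       ("without PowerShell log", [e for e in SAMPLE_EVENTS if e["source"] != "PowerShell"])):
        findings, gaps = relate_logons(evs)
        print(label, [(f["account"], sorted(kinds(f))) for f in findings], gaps)
```

Run with all sample sources present, the svc-backup logon on FS01 links to a new service, an odd parent and a PowerShell sequence while the jdoe logon on FS02 produces nothing; drop the PowerShell source and the same finding loses its script-block link and a gap line says why, which is the behaviour the report should preserve instead of an unexplained weaker finding.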
Keep action approval human
Open Investigator does not disable accounts, kill processes, restart services, edit registry keys, change firewall rules, or isolate hosts. Those decisions belong to human-approved response playbooks after evidence review.
Try it
git clone https://github.com/SEc-123/open-investigator.git
cd open-investigator
cargo build --release
./target/release/oi scan -s 7d
Open Investigator writes case artifacts such as evidence.jsonl, commands.log, report.json, and report.md so another responder can review the investigation path.