Introducing EIDVault: An EID Reference App Built by an Analyst, for Analysts
If you’ve ever found yourself three hours into an investigation, staring at Event ID (EID) 4624 Logon Type 10, trying to remember whether that’s the interactive one, the remote one, or the one you always have to Google (“GooGoo” as a colleague calls it) - this app is for you. It’s also, admittedly, for me.
EIDVault is an iOS app for digital forensic analysts and incident responders. It’s a quick-reference for Windows Event IDs, enriched with MITRE ATT&CK mappings, detection rules, relevant XML fields, and investigation pivots.
It’s live on the App Store now - download EIDVault for iPhone & iPad.
Why I built it
There’s no shortage of excellent Windows event reference material on the internet - Microsoft Learn, Ultimate Windows Security, a stack of bookmarked SANS whitepapers, etc. What I kept wanting was something a little faster, something that could possibly live on my phone so I could look up an EID while on a call, skim/correlate related events, or even export out specific relevant information for use later.
So I started drafting up ideas…before quickly realizing how much of a lift learning Swift and the intricacies of iOS app development from scratch would be. Then Apple decided to add agentic coding to Xcode and, with that, eliminated all my excuses. So I built it (and I would encourage everyone interested to try the same).
The goals to start were pretty simple:
- Fast lookup — type an EID, get an answer.
- Real context — not just “Generated when a logon session is created”, but what to correlate with, what’s noisy, what the key XML fields are, and how adversaries could abuse it.
- Offline-first — the dataset ships inside the app. No login, no hoops.
- Analyst-shaped — built around how I actually use EIDs during an investigation.
The dataset
Everything the app displays is backed by a structured JSON dataset that lives in a public GitHub repo:
🧾 github.com/zerber0s/windows-eid-data
I split the data out of the app intentionally. The app is the lens; the dataset is the source of truth. An added benefit of this structure is that EIDs can be tweaked, or even added to pre-existing log channels, without needing a corresponding iOS app update. And as every analyst knows, the field of cybersecurity is always changing. So if you spot an error, want to suggest a new event, see something out of date, or just think my investigation pivots for 4688 are missing something obvious (they probably are), that’s the place to raise it. Issues and PRs are open.
The data is organized by log channel, one JSON file per channel - security.json, powershell.json, sysmon.json, kerberos.json, and so on. Every entry conforms to a published JSON schema, which keeps things predictable as the dataset grows.
Below is what a single entry looks like, rendered as it appears in the app (the same JSON entry feeds the other views inside the app):
An account was successfully logged on
Generated when a logon session is created on a system. The event is recorded on the machine being accessed and includes the account name, logon type, source network address, and authentication package used.
Each field has a purpose. details is the factual “what/when” - no directives, no “look for suspicious values.” That stuff lives in notesGuidance.investigationPivots, so the app can render the two cleanly and separately: here’s what the event is, and here’s what to do with it during an investigation.
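As an added example (not code from the app or the dataset repo), here is a small lint that enforces the details/investigationPivots split described above over a constructed channel file; the eid and title keys are assumed placeholders, not the published schema.

```python
import json
import re

# Constructed sample of a channel file (like security.json) with two entries, built on the
# two fields the post names: details and notesGuidance.investigationPivots. The other keys
# (eid, title) are placeholders for this example, not the published schema.
SAMPLE_CHANNEL_JSON = """
[
  {
    "eid": 4624,
    "title": "An account was successfully logged on",
    "details": "Generated when a logon session is created on a system. The event is recorded on the machine being accessed and includes the account name, logon type, source network address, and authentication package used.",
    "notesGuidance": {"investigationPivots": ["Correlate with 4634/4647 to bound the session lifetime."]}
  },
  {
    "eid": 4688,
    "title": "A new process has been created",
    "details": "Generated when a new process starts. Look for unsigned binaries in temp paths.",
    "notesGuidance": {"investigationPivots": ["Pivot to 4689 for the matching process exit."]}
  }
]
"""
SAMPLE_CHANNEL = json.loads(SAMPLE_CHANNEL_JSON)

# Imperative phrasing that belongs in investigationPivots, never in details.
DIRECTIVE = re.compile(r"\b(look for|check|investigate|correlate|hunt|suspicious)\b", re.I)


def lint_entry(entry: dict) -> list[str]:
    """Return the problems found in one entry; an empty list means it respects the split."""
    problems = []
    details = entry.get("details", "")
    if not isinstance(details, str) or not details.strip():
        problems.append("details missing or empty")
    elif (hit := DIRECTIVE.search(details)):
        problems.append(f"details contains directive language: {hit.group(0)}")
    guidance = entry.get("notesGuidance")
    pivots = guidance.get("investigationPivots") if isinstance(guidance, dict) else None
    if not isinstance(pivots, list) or not pivots:
        problems.append("notesGuidance.investigationPivots missing or empty")
    elif not all(isinstance(p, str) and p.strip() for p in pivots):
        problems.append("investigationPivots entries must be non-empty strings")
    return problems


def lint_channel(entries: list[dict]) -> dict[int, list[str]]:
    """Map each offending EID to its problems, the shape a CI check on a PR would report."""
    report = {e["eid"]: lint_entry(e) for e in entries}
    return {eid: probs for eid, probs in report.items() if probs}
```

Run against the constructed sample, only 4688 is reported, because its details field carries a "Look for" directive that belongs in the pivots.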
What the app actually does
Inside EIDVault you’ll find:
Search & Browse
Browse by log channel or search across every EID, tag, and ATT&CK tactic.
Scenarios
An on-device AI tab powered by Apple Foundation Models. Describe what you're seeing and on-device intelligence surfaces relevant EIDs. No network calls, no prompts leaving the device.
MITRE Mapping
Every applicable EID is tagged with ATT&CK techniques and tactics, including direct links to MITRE's knowledge base.
Detection Rules
Inline Sigma, KQL, and Splunk rules where they exist - copy & paste as a starting point, then tune.
Key Fields
The XML fields that matter for each event, with their xpaths, so you know what to grep for in raw EVTX.
Related Events
Every entry cross-references the other EIDs you'd want to pull into a timeline.
Markdown Exports
Built-in functionality to export out all EID data, or even just specific fields, to Markdown-formatted output. Useful for sharing or later use.
Fully Offline
The dataset is bundled. Works on a plane, in a SCIF-adjacent coffee shop (if that somehow applies to you), or wherever you answer pages from.
The Scenarios tab is probably the piece I’m most excited about. Running Apple’s on-device intelligence models means I get a meaningful “suggest EIDs for this situation” experience without sending a single byte of investigation context to a third party. That felt like a hard requirement for a DFIR tool - and a fun constraint to design around. Obviously, those results will always need to be validated, but it can be a great starting point or even just a useful discovery tool if you’re bored.
Why the data repo is public (and the app isn’t)
The app source lives in a private repo - it’s my first shipped iOS app and I’d like room to iterate without anyone watching me rename various “View” Swift files or reassigning a log channel a different SF symbol six+ times. But the dataset is the part that benefits from more eyes, and the part that will keep improving long after the UI settles down. Making that public felt obvious.
If you:
- find an event described incorrectly
- think an investigation pivot is wrong or missing
- want to propose a new channel (looking at you, AD FS nerds)
…open an issue. I’ll eventually read all of them.
Relevant Links
If you do give it a try, I’d love to hear what’s working, what’s missing, and what my overcaffeinated brain got wrong. This is v1.0 and there’s a lot of room to grow. Also, the best direction usually comes from the people not coding all of this until 2am.
Happy hunting.
ZB