After Event Viewer crashed on a 400 MB evtx, I wrote my own log triage CLI
Last week I was poking through event logs from a home lab VM I suspected had been scanned hard. I dropped the evtx into Event Viewer. It took 90 seconds to load, then crashed the moment I tried to filter by event ID 4624. Splunk is overkill for one machine. Wazuh wants infra I didn't want to set up just to look at one file. pySigma converts Sigma rules to backend queries, but I didn't have a backend. So I wrote threatlens. It's a CLI: point it at a log file or directory, get alerts mapped to MITRE.
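The core of a tool like this is a streaming parse plus rule matching, so a large file never has to be loaded whole (the failure mode described above). The following is an added illustrative example, my own code and not threatlens's: it walks Windows Event XML records one at a time with `iterparse`, applies two Sigma-style selections (one a per-event match, one a per-source threshold), and tags each hit with a MITRE ATT&CK technique ID. The sample records, the rule dictionary format, the `LAB-VM` host name and the IP addresses are constructed for the example; the technique IDs T1021.001 (Remote Desktop Protocol) and T1110 (Brute Force) are real ATT&CK entries.

```python
"""Minimal streaming event-log triage: Windows Event XML in, MITRE-tagged alerts out."""
import io
import xml.etree.ElementTree as ET
from collections import Counter

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + NS_URI + "}"


def make_record(event_id, **data):
    # Builds one record in the XML shape evtx tooling emits (constructed test data).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID>'
            f'<Computer>LAB-VM</Computer></System><EventData>{fields}</EventData></Event>')


# Constructed sample log: six failed logons from one source, one from another,
# one RDP (type 10) logon and one service logon. Not real data.
SAMPLE_LOG = "<Events>" + "".join(
    [make_record(4625, TargetUserName="admin", LogonType="3", IpAddress="10.0.0.7")] * 6
    + [make_record(4625, TargetUserName="bob", LogonType="3", IpAddress="10.0.0.9")]
    + [make_record(4624, TargetUserName="admin", LogonType="10", IpAddress="10.0.0.7")]
    + [make_record(4624, TargetUserName="svc", LogonType="5", IpAddress="-")]
) + "</Events>"

# Sigma-like rules (assumed format): every field in "selection" must take one of
# the listed values. A rule with "threshold" fires once per "group_by" key that
# reaches the count; others fire per matching event.
RULES = [
    {"name": "RDP logon (type 10)", "technique": "T1021.001",
     "selection": {"EventID": {"4624"}, "LogonType": {"10"}}},
    {"name": "Failed-logon burst from one source", "technique": "T1110",
     "selection": {"EventID": {"4625"}}, "group_by": "IpAddress", "threshold": 5},
]


def iter_events(stream):
    """Yield one flat dict per <Event>, clearing each element after use so
    memory stays flat regardless of file size."""
    for _, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != NS + "Event":
            continue
        rec = {}
        eid = elem.find(f"{NS}System/{NS}EventID")
        rec["EventID"] = (eid.text or "").strip() if eid is not None else ""
        for d in elem.iterfind(f"{NS}EventData/{NS}Data"):
            rec[d.get("Name", "")] = (d.text or "").strip()
        elem.clear()
        yield rec


def matches(selection, rec):
    return all(rec.get(field) in allowed for field, allowed in selection.items())


def triage(stream):
    """Run every rule over the stream; return a list of alert dicts."""
    alerts = []
    counts = {r["name"]: Counter() for r in RULES if "threshold" in r}
    for rec in iter_events(stream):
        for rule in RULES:
            if not matches(rule["selection"], rec):
                continue
            if "threshold" in rule:
                counts[rule["name"]][rec.get(rule["group_by"], "?")] += 1
            else:
                alerts.append({"rule": rule["name"], "technique": rule["technique"],
                               "key": rec.get("TargetUserName", "?"), "count": 1})
    for rule in RULES:
        if "threshold" not in rule:
            continue
        for key, n in counts[rule["name"]].items():
            if n >= rule["threshold"]:
                alerts.append({"rule": rule["name"], "technique": rule["technique"],
                               "key": key, "count": n})
    return alerts


def triage_text(xml_text):
    """Convenience wrapper for in-memory XML; a real run would pass an open file."""
    return triage(io.BytesIO(xml_text.encode("utf-8")))


if __name__ == "__main__":
    for a in triage_text(SAMPLE_LOG):
        print(f"[{a['technique']}] {a['rule']}: {a['key']} (x{a['count']})")
```

On the constructed sample this yields two alerts: the RDP logon for `admin` and a brute-force alert for `10.0.0.7` with six failures; `10.0.0.9` stays under the threshold and is silent. Real evtx files are binary, so in practice the stream would come from an evtx-to-XML converter rather than from a raw file handle; the per-record `clear()` is what keeps the approach workable on files far larger than Event Viewer copes with.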