WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Feature Request: Event Log ID / Sigma Summary #160

Open ssnkhan opened 7 months ago

ssnkhan commented 7 months ago

Would be helpful if chainsaw could provide high level stats detailing the frequency of event code IDs observed in an Event Log, like Eric Zimmerman's evtxecmd tool. Potential usage would be chainsaw hunt --stats-only evtx_attack_samples.

Event ID        Count
300             1
400             666
403             404
600             4,939
800             197

Another option --stats-only-sigma would produce a similar frequency table, but with a count of Sigma hits.

Thanks for this amazing tool!

dbissell6 commented 7 months ago

I am creating a tool to plot this output; I was already planning on implementing this stats idea. I don't know if this helps anyone or not.


It also plots AWS logs and you can see how the stats output is looking for that.

https://github.com/dbissell6/Thundaga