
PowerShell Object Data #13

Closed
high101bro opened this issue Sep 7, 2021 · 3 comments
Labels
question Further information is requested

Comments

@high101bro

high101bro commented Sep 7, 2021

It would be extremely useful for this tool to have a switch like --PSObject that outputs the results to stdout as PowerShell object data. Currently, I have to save the results to a CSV file and then import it into PowerShell for additional manipulation using `Import-Csv "chainsawfile.csv"`. Though this mild inconvenience isn't a showstopper, skipping the step of saving the results and being able to manipulate object data would be super awesome. A simple example is using PowerShell's Out-GridView to view the results natively and then applying filters or just searching. That, and having to clean up the files afterward wouldn't be necessary.

Example of request:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --PSObject | Out-GridView -Title 'Chainsaw Results'

Current Non-Preferred Method:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --csv
Import-Csv ".\chainsaw_2021-09-05T11-52-35(external_rule)_-suspicious_process_creation.csv" | Out-GridView -Title "Chainsaw Results"
Remove-Item ".\chainsaw_2021-09-05T11-52-35(external_rule)-_suspicious_process_creation.csv"

@ClintRajaniemi

ClintRajaniemi commented Sep 10, 2021

Whoops, never mind, this is already asked about here: https://github.com/countercept/chainsaw/issues/8#issue-987895661

I'm wondering if it would make more sense to allow outputting the json to stdout then leave the user to handle as they need. For PowerShell you then pipe it to, say, ConvertFrom-Json to get the custom PSObject.

What I'm not certain about is whether this method would want the records to be in separate JSON entries. Looking at the JSON output file, they are currently sent as an array of JSON records.
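One way to consume JSON from stdout in PowerShell that copes with both shapes raised above, a single JSON array and one record per line. This is an added example, not code from the chainsaw project or from anyone in this thread; the sample records and their field names are constructed and do not reflect Chainsaw's real schema.

```powershell
# Added example (not chainsaw project code): turn JSON text arriving on the pipeline
# into PSObjects whether it is one JSON array or one JSON object per line.
function ConvertFrom-ChainsawJson {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]] $InputLine
    )
    begin { $buffer = [System.Collections.Generic.List[string]]::new() }
    process { foreach ($l in $InputLine) { $buffer.Add($l) } }
    end {
        $text = ($buffer -join "`n").Trim()
        if (-not $text) { return }
        if ($text.StartsWith('[')) {
            # Whole-output array, as in the JSON file format described in the issue.
            # ForEach-Object unrolls the array on both Windows PowerShell 5.1 and PowerShell 7.
            $text | ConvertFrom-Json | ForEach-Object { $_ }
        } else {
            # Newline-delimited records: parse each non-empty line on its own.
            foreach ($line in $buffer) {
                if ($line.Trim()) { $line | ConvertFrom-Json }
            }
        }
    }
}

# Constructed sample output in both shapes (field names are assumptions).
$arrayJson = @'
[{"timestamp":"2021-09-05T11:52:35Z","rule":"Suspicious Process Creation","level":"high","computer":"WS01"},
 {"timestamp":"2021-09-05T11:53:01Z","rule":"Suspicious Process Creation","level":"medium","computer":"WS02"}]
'@
$ndjson = @'
{"timestamp":"2021-09-05T11:52:35Z","rule":"Suspicious Process Creation","level":"high","computer":"WS01"}
{"timestamp":"2021-09-05T11:53:01Z","rule":"Suspicious Process Creation","level":"medium","computer":"WS02"}
'@

# In real use the left side of the pipe would be chainsaw.exe hunt <args> with whatever
# stdout switch the project settles on; here the constructed text stands in for it.
$fromArray = $arrayJson -split "`n" | ConvertFrom-ChainsawJson
$fromLines = $ndjson -split "`n" | ConvertFrom-ChainsawJson

# Both shapes yield the same objects, ready for Where-Object, Sort-Object or Out-GridView.
"array records: $($fromArray.Count), ndjson records: $($fromLines.Count)"
$fromArray | Where-Object level -eq 'high' | Select-Object timestamp, computer, rule | Format-Table
```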

@alexkornitzer
Contributor

I am in favour of using ConvertFrom-Json, which will be possible with the changes sitting in #23.

@alexkornitzer alexkornitzer added the question Further information is requested label Oct 19, 2021
@fscc-jamesd fscc-jamesd mentioned this issue Oct 22, 2021
@fscc-jamesd
Contributor

This has been done in #23. A new build will be pushed out in the next couple of days.
