It would be extremely useful for this tool to have a switch like --PSObject that outputs the results to stdout as PowerShell object data. Currently, I have to save the results to a CSV file and then import it into PowerShell for additional manipulation using Import-Csv "chainsawfile.csv". Though this mild inconvenience isn't a show stopper, skipping the step of saving the results and being able to manipulate object data would be super awesome. A simple example is using PowerShell's Out-GridView to view the results natively and then applying filters or just searching. That, and having to clean up the files afterward, wouldn't be necessary.
Example of request:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --PSObject | Out-GridView -Title 'Chainsaw Results'
Current Non-Preferred Method:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --csv
Import-Csv ".\chainsaw_2021-09-05T11-52-35(external_rule)_-suspicious_process_creation.csv" | Out-GridView -Title "Chainsaw Results"
Remove-Item ".\chainsaw_2021-09-05T11-52-35(external_rule)-_suspicious_process_creation.csv"
I'm wondering if it would make more sense to allow outputting the JSON to stdout and then leave the user to handle it as they need. For PowerShell you would then pipe it to, say, ConvertFrom-Json to get the custom PSObject.
What I'm not certain about is whether this method would want the records to be in separate JSON entries. Looking at the JSON output file, they are currently sent as an array of JSON records.
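The two output shapes discussed in this thread (one JSON array versus one record per line) behave differently in a PowerShell pipeline: a per-line stream can be converted and filtered as records arrive, while an array can only be parsed once the closing bracket has been read. The function below is an added example, not Chainsaw's own code or output format; it accepts either shape from stdin and emits one PSCustomObject per record. The field names in the constructed sample (timestamp, rule, computer, event_id) are placeholders, not Chainsaw's schema, and the `--json` flag in the usage comment is an assumption about the CLI rather than a documented option.

```powershell
# Added example, not part of Chainsaw: turn JSON hunt results read from stdout into
# PowerShell objects, whether they arrive as one JSON array or as one object per line.
function ConvertFrom-HuntJson {
    [CmdletBinding()]
    param(
        # Raw text lines as they arrive from the pipeline (stdout of the hunt command).
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$InputObject
    )
    begin {
        $mode   = $null   # decided from the first non-empty line: 'array' or 'ndjson'
        $buffer = [System.Collections.Generic.List[string]]::new()
    }
    process {
        foreach ($line in $InputObject) {
            if ([string]::IsNullOrWhiteSpace($line)) { continue }
            if (-not $mode) {
                $mode = if ($line.TrimStart().StartsWith('[')) { 'array' } else { 'ndjson' }
            }
            if ($mode -eq 'ndjson') {
                # One complete object per line: emit immediately so Where-Object or
                # Out-GridView downstream can start before the hunt has finished.
                $line | ConvertFrom-Json
            } else {
                # Array form: nothing can be parsed until the closing bracket arrives.
                $buffer.Add($line)
            }
        }
    }
    end {
        if ($buffer.Count -gt 0) {
            # Assigning first and looping explicitly yields one object per element on both
            # Windows PowerShell 5.1 (which does not unroll the array) and PowerShell 7.
            $parsed = ($buffer -join "`n") | ConvertFrom-Json
            foreach ($item in $parsed) { $item }
        }
    }
}

# Constructed sample output in both shapes (placeholder field names, not Chainsaw's schema).
$ndjsonLines = @'
{"timestamp":"2021-09-05T11:52:35Z","rule":"Suspicious Process Creation","computer":"WS01","event_id":4688}
{"timestamp":"2021-09-05T11:53:10Z","rule":"Suspicious Process Creation","computer":"WS02","event_id":4688}
'@ -split "`r?`n"

$arrayLines = @'
[
  {"timestamp":"2021-09-05T11:52:35Z","rule":"Suspicious Process Creation","computer":"WS01","event_id":4688},
  {"timestamp":"2021-09-05T11:53:10Z","rule":"Suspicious Process Creation","computer":"WS02","event_id":4688}
]
'@ -split "`r?`n"

$fromNdjson = $ndjsonLines | ConvertFrom-HuntJson
$fromArray  = $arrayLines  | ConvertFrom-HuntJson

# Both shapes produce the same two objects, ready for native filtering and viewing.
($fromNdjson | Where-Object computer -eq 'WS02').timestamp
$fromArray | Sort-Object timestamp | Format-Table -AutoSize

# Intended real usage (the --json flag is assumed, not taken from Chainsaw's documentation):
# chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --json |
#     ConvertFrom-HuntJson | Out-GridView -Title 'Chainsaw Results'
```

The design point is the one raised in the thread: with an array, the converter must buffer everything before the first object reaches Out-GridView, so a long hunt over many saved logs shows nothing until it completes; with one record per line, results stream through the pipeline as they are produced and no temporary CSV has to be written or deleted afterward.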