A new tool called Chainsaw was released on August 14, 2021. It helps blue teams find potential threats in Windows event logs. It was originally built for environments in which an endpoint detection and response (EDR) solution was not available during a compromise.
Windows event logs store system activity such as application activity and logins. Such information is vital to defenders and investigators in incident response scenarios. Manually combing through the raw logs is time consuming due to the potentially large volume of information.
Chainsaw is written in the Rust programming language. It parses the event logs to find suspicious strings or entries of interest that indicate a possible threat. It uses the Sigma signature format, which allows analysts or outside contributors to describe log events as patterns that may be useful for finding potentially malicious activity.
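As an added illustration, not Chainsaw's own code, the Rust sketch below shows how a Sigma `selection` is evaluated against an event flattened to field/value pairs: values listed under one field are OR-ed, fields are AND-ed, and string modifiers such as `contains` are case-insensitive. The rule, the events and the field names (EventID, ImagePath, EventRecordID) are constructed for the example; they mirror the Windows event schema but are not captured log data.

```rust
use std::collections::HashMap;
/// One Windows event flattened to field name -> value, the shape a Sigma rule is applied to.
type Event = HashMap<&'static str, String>;
/// One entry of a Sigma `selection`: field, optional modifier (`contains`, `endswith`, ...)
/// and accepted values. Values within a field are OR-ed; fields in a selection are AND-ed.
struct Field { name: &'static str, modifier: Option<&'static str>, values: Vec<&'static str> }
fn field_matches(f: &Field, ev: &Event) -> bool {
    let actual = match ev.get(f.name) {
        Some(v) => v.to_lowercase(), // Sigma string comparison is case-insensitive
        None => return false,        // a field absent from the event never matches
    };
    f.values.iter().any(|v| {
        let want = v.to_lowercase();
        match f.modifier {
            None => actual == want,
            Some("contains") => actual.contains(&want),
            Some("startswith") => actual.starts_with(&want),
            Some("endswith") => actual.ends_with(&want),
            Some(_) => false, // unknown modifier: fail closed instead of matching everything
        }
    })
}
/// `condition: selection`: every field entry of the selection must match the event.
fn selection_matches(sel: &[Field], ev: &Event) -> bool { sel.iter().all(|f| field_matches(f, ev)) }
/// EventRecordID of every event the rule hits, in log order.
fn hunt(rule: &[Field], events: &[Event]) -> Vec<String> {
    events.iter().filter(|e| selection_matches(rule, e))
        .filter_map(|e| e.get("EventRecordID").cloned()).collect()
}
/// Constructed rule: a new service installed (System log, Event ID 7045) from a user-writable directory.
fn suspicious_service_rule() -> Vec<Field> {
    vec![
        Field { name: "EventID", modifier: None, values: vec!["7045"] },
        Field { name: "ImagePath", modifier: Some("contains"), values: vec!["\\temp\\", "\\users\\public\\"] },
    ]
}
/// Builds a flattened event from field/value pairs.
fn mk(pairs: &[(&'static str, &str)]) -> Event { pairs.iter().map(|(k, v)| (*k, v.to_string())).collect() }
/// Constructed sample events standing in for parsed EVTX records (not real captured data).
fn sample_events() -> Vec<Event> {
    vec![
        mk(&[("EventRecordID", "101"), ("EventID", "7045"), ("ServiceName", "UpdaterSvc"), ("ImagePath", "C:\\Users\\Public\\updater.exe")]),
        mk(&[("EventRecordID", "102"), ("EventID", "7045"), ("ServiceName", "Spooler"), ("ImagePath", "C:\\Windows\\System32\\spoolsv.exe")]),
        mk(&[("EventRecordID", "103"), ("EventID", "4624"), ("LogonType", "3")]),
    ]
}

fn main() {
    for id in hunt(&suspicious_service_rule(), &sample_events()) { println!("hit: EventRecordID {id}"); }
}
```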