chainsaw2timesketch.sh

chainsaw2timesketch.sh

#!/usr/bin/env bash
# chainsaw2timesketch.sh
# author: zane gittins
# updated: 11/1/2022
# tested on chainsaw version: v2.2.0

# Get all evtx files in the current directory.
for file in *.evtx; do

    # Ensure that file exists.
    [ -f "$file" ] || break

    # Write data
    echo "Parsing $file"
    filename="${file%%.*}".jsonl
    echo "Writing to $filename"

    # Now, run chainsaw, and format with JQ.
    chainsaw search $file --json -e '.*' | jq .[] | jq -c '. += { message: .Event.System.Channel }
| . += { datetime_temp: .Event.System.TimeCreated_attributes.SystemTime }
| . += { timestamp_desc: .Event.System.EventRecordID }
| walk(if type == "object" then with_entries(.value //= "") else . end)
| . += .Event.EventData
| . += .Event.System
| del(.Event.System)
| del(.Event.EventData)' | jq -c --arg ref "2021-01-01T02:00:00+02:00" '
  def c(str): str | (split(":")[0] + ":" + split(":")[1] + ":" + split(":")[2][0:2] + "Z") | fromdate | todateiso8601; 
  . += { datetime: c(.datetime_temp) }' > $filename
done