DFIRVault

Automating Windows Event Log Analysis with Chainsaw Event Log Scanner

As a cybersecurity enthusiast, I’m always exploring ways to streamline digital forensics and incident response workflows. Recently, I developed a tool to make scanning Windows Event Logs (EVTX files) easier and more efficient. Introducing Chainsaw Event Log Scanner — a Python-based utility that leverages the powerful Chainsaw Sigma rules engine to hunt through logs and generate actionable reports.

https://github.com/dfirvault/Chainsaw-scanner-menu


Why I Built This Tool

Analyzing EVTX files manually can be tedious and error-prone, especially when dealing with large datasets. While Chainsaw provides a powerful CLI for Sigma rule-based scanning, it can be cumbersome for non-experts to use. I wanted a simple, guided tool that would:

  • Allow folder selection through a GUI.

  • Automatically detect EVTX files in subfolders.

  • Generate organized, timestamped reports.

  • Keep everything lightweight and portable.

Features at a Glance

  • Folder & Image Scanning: Scan entire folders or mounted images containing EVTX files.

  • Subfolder Detection: Automatically find logs in nested directories.

  • Sigma Rule Integration: Apply Sigma rules with predefined mappings for event log analysis.

  • Custom Case Names: Name cases for easy identification and report tracking.

  • CSV & Log Output: Export results in CSV format, with logs for auditing.

  • Windows GUI: Simple file and folder selection dialogs for ease of use.


How It Works

  1. Select Chainsaw Executable: The first time you run the tool, it asks you to point to your Chainsaw executable. It remembers this path for future scans.

  2. Choose EVTX Folder: Select the folder or mounted image you want to scan. If there are no EVTX files in the selected folder, the tool offers to search subfolders.

  3. Pick Report Folder: Choose where to save CSV reports and logs.

  4. Name Your Case: Assign a case name for easy reference.

  5. Run Scan: Chainsaw scans the logs with Sigma rules, generates CSV reports, and saves them to your chosen folder. Reports automatically open in Explorer for quick review.
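The five steps above, without the GUI, as an added example that is not the DFIRVault project's own code: remembering the Chainsaw path in a small JSON config, locating EVTX files (falling back to subfolders), creating a timestamped per-case report folder, and assembling the `chainsaw hunt` command. The config file location and the `hunt` flag names (`--sigma`, `--mapping`, `--csv`, `--output`, as in Chainsaw's README) are assumptions to verify against your installed version.

```python
"""Core workflow of an EVTX scanner built around Chainsaw (added example)."""
import json
import subprocess
from datetime import datetime
from pathlib import Path

CONFIG_FILE = Path.home() / ".chainsaw_scanner.json"  # assumed location

def load_chainsaw_path(config_file=CONFIG_FILE):
    """Step 1: return the remembered Chainsaw executable, or None on first run."""
    if not config_file.exists():
        return None
    return json.loads(config_file.read_text()).get("chainsaw_path")

def save_chainsaw_path(path, config_file=CONFIG_FILE):
    """Persist the chosen executable so later scans skip the prompt."""
    config_file.write_text(json.dumps({"chainsaw_path": str(path)}))

def find_evtx_files(folder, recurse=False):
    """Step 2: .evtx files directly in `folder`; with recurse=True, in subfolders too."""
    pattern = "**/*.evtx" if recurse else "*.evtx"
    return sorted(p for p in Path(folder).glob(pattern) if p.is_file())

def make_report_dir(report_root, case_name, now=None):
    """Steps 3-4: <report_root>/<case>_<YYYYmmdd_HHMMSS>, case name sanitised."""
    now = now or datetime.now()
    safe = "".join(c if c.isalnum() or c in "-_" else "_" for c in case_name)
    out = Path(report_root) / f"{safe}_{now:%Y%m%d_%H%M%S}"
    out.mkdir(parents=True, exist_ok=True)
    return out

def build_hunt_command(chainsaw, target, sigma_dir, mapping, report_dir):
    """Argument list for `chainsaw hunt` with CSV output (list form, no shell)."""
    return [str(chainsaw), "hunt", str(target), "--sigma", str(sigma_dir),
            "--mapping", str(mapping), "--csv", "--output", str(report_dir)]

def run_scan(chainsaw, evtx_folder, sigma_dir, mapping, report_root, case_name):
    """Step 5: fall back to subfolders, log the exact command, run Chainsaw."""
    files = find_evtx_files(evtx_folder) or find_evtx_files(evtx_folder, True)
    if not files:
        raise FileNotFoundError(f"no .evtx files under {evtx_folder}")
    report_dir = make_report_dir(report_root, case_name)
    cmd = build_hunt_command(chainsaw, evtx_folder, sigma_dir, mapping, report_dir)
    (report_dir / "scan.log").write_text(" ".join(cmd) + "\n")  # audit trail
    return report_dir, subprocess.run(cmd, capture_output=True, text=True)
```

On Windows, `os.startfile(report_dir)` after `run_scan` reproduces the "open in Explorer" behaviour described above.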


Getting Started

  1. Clone or download the repository from GitHub.

  2. Ensure you have Python 3.9+ installed and the required modules (pywin32).

  3. Place the Chainsaw executable and Sigma rules/mappings in the same directory as the script.

  4. Run the standalone .exe.

The tool is designed to be lightweight, portable, and easy to integrate into your forensic workflow.


Closing Thoughts

Automating routine log analysis frees up time to focus on real investigative work. Chainsaw Event Log Scanner bridges the gap between powerful CLI tools and an easy-to-use interface, making EVTX scanning faster, safer, and more reliable.

I plan to continue improving this tool with features like multi-folder batch scanning and enhanced reporting. Stay tuned for updates, and feel free to explore the source code on GitHub.