Can Chainsaw read JSON log format?

[Number-39]

I have a Wazuh Server with multiple endpoints, and I cannot install Chainsaw on each endpoint. So, I want to install Chainsaw on the machine running the Wazuh Server only. In that case, I will collect the logs of all the endpoints, and the Wazuh Server will forward these logs Chainsaw in JSON format because that's the log format output for Wazuh. The documentation says that Chainsaw can output the results in JSON format. However, my question is, can Chainsaw read JSON as an input format?

[alexkornitzer]

Yep, Chainsaw can work on JSON but it would need a different mapping file if you wish to run it on sigma rules, etc. This is because it needs to know how to map the fields as the json fields are probably different to those in the raw evtx. Additionally chainsaw's native rules are all evtx only at the moment, for the same reason.

[Number-39]

Yep, Chainsaw can work on JSON but it would need a different mapping file if you wish to run it on sigma rules, etc. This is because it needs to know how to map the fields as the json fields are probably different to those in the raw evtx. Additionally chainsaw's native rules are all evtx only at the moment, for the same reason.

I have a log file with JSON extension and I want to hunt through it using Sigma rules. What different mapping file should I use?

[alexkornitzer]

I can't really answer that without seeing what JSON fields you have, but effectively something like this:

---
name: Chainsaw's groupless Sigma mappings for Event Logs
kind: json
rules: sigma

...

groups:
  - name: Sigma
    timestamp: Event.System.TimeCreated
    filter:
      Provider: "*"
    fields:
      - from: Provider  # Sigma Field
        to: Event.System.Provider # JSON field using `.` for handling nesting.