WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


Support for more F-Secure alerts / log providers

einarssonm opened this issue · comments

Request to add support for more event log providers related to F-Secure alerts. The built-in support for F-Secure alerts consumes events from the "F-Secure Ultralight SDK" provider. My limited research shows that alerts are also found in the "F-Secure File scanning" and "FSecure-FSecure-F-Secure DeepGuard" providers. These alerts aren't detected by Chainsaw.


(Let me know if there is any good documentation about event IDs and log providers used by F-Secure.)

Further research shows that the "F-Secure Ultralight SDK" provider and the FSecureUltralightSDK.evtx file seem to be present since F-Secure v14. For earlier F-Secure versions you have to rely on the Application log and the F-Secure log providers mentioned above. F-Secure versions before v14 are now End of Life, but are sometimes found during investigations.

With v2.0.0-alpha.2, built-in rules have been extracted out of Chainsaw into rules. So if you have a list of providers I can add them to the rule, or if you have time would you be able to add them and raise a PR? (https://github.com/countercept/chainsaw/blob/next/rules/antivirus/f-secure.yml#L42) It should be noted though that if the field extraction is different, then I would add them as new rules.
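To show why the provider list matters for detection coverage, here is an added Python example (not Chainsaw's own code, and not its rule format) that flattens Windows event records and filters them on the three provider names named in this issue. The sample records are constructed: the event IDs, timestamps, hostnames and EventData fields are placeholders, not real F-Secure layouts. The point it demonstrates is that a hunt keyed only on "F-Secure Ultralight SDK" misses alerts written by the other two providers, and that once the providers differ in their EventData layout (as the reply above notes), field extraction has to be handled per provider.

```python
"""Provider-aware filter over Windows event records (added example)."""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Provider names as reported in the issue above.
FSECURE_PROVIDERS = frozenset({
    "F-Secure Ultralight SDK",
    "F-Secure File scanning",
    "FSecure-FSecure-F-Secure DeepGuard",
})
# The single provider the original built-in rule consumed.
LEGACY_PROVIDERS = frozenset({"F-Secure Ultralight SDK"})

# Constructed sample records: event IDs, timestamps, hostnames and the
# EventData fields are placeholders, not real F-Secure event layouts.
SAMPLE_XML = f"""<Events>
<Event xmlns="{EVT_NS}"><System><Provider Name="F-Secure Ultralight SDK"/>
<EventID>1</EventID><TimeCreated SystemTime="2023-01-01T10:00:00Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="Message">constructed alert 1</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="F-Secure File scanning"/>
<EventID>2</EventID><TimeCreated SystemTime="2023-01-01T10:01:00Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="Message">constructed alert 2</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="FSecure-FSecure-F-Secure DeepGuard"/>
<EventID>3</EventID><TimeCreated SystemTime="2023-01-01T10:02:00Z"/><Computer>WS02</Computer></System>
<EventData><Data Name="Message">constructed alert 3</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4624</EventID><TimeCreated SystemTime="2023-01-01T10:03:00Z"/><Computer>WS02</Computer></System>
<EventData><Data Name="LogonType">2</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict of the fields a rule would key on."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iterfind("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name", "")
        event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
        time_created = system.find("e:TimeCreated", NS).get("SystemTime", "")
        computer = system.findtext("e:Computer", default="", namespaces=NS)
        # EventData layout varies per provider, so keep it as a name -> value map
        # rather than assuming a fixed set of columns.
        data = {d.get("Name", ""): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        events.append({"provider": provider, "event_id": event_id,
                       "time": time_created, "computer": computer, "data": data})
    return events


def hunt(events, providers):
    """Return events whose provider is in the watch set, oldest first."""
    return sorted((e for e in events if e["provider"] in providers),
                  key=lambda e: e["time"])


def missed_by_legacy_rule(events):
    """Alerts the widened provider set catches that the single-provider rule did not."""
    return [e for e in hunt(events, FSECURE_PROVIDERS)
            if e["provider"] not in LEGACY_PROVIDERS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for hit in hunt(evs, FSECURE_PROVIDERS):
        print(hit["time"], hit["computer"], hit["provider"], hit["data"].get("Message"))
    print(f"missed by single-provider rule: {len(missed_by_legacy_rule(evs))}")
```

On the constructed input the legacy provider set yields one hit while the widened set yields three; the unrelated Security-Auditing record is excluded by both. In a real rule the per-provider field mapping would replace the generic `data` dictionary.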

As the features required are now exposed and there has been no response or progress with this issue, I am going to resolve it. It can be reopened if required.