Automation shouldn’t replace judgment; it should buy you time to use it.
Problem
DFIR analysts burn hours turning raw detections into readable narratives. EVTX hunts surface signals quickly, but the write-ups lag behind, which delays remediation and leaves weaker evidence of the work. We need a repeatable way to go from logs → findings → human-ready report without sacrificing accuracy or analyst judgment.
Approach
Small pipeline, in the order the data flows: SwiftOnSecurity Sysmon config (clean telemetry) → PowerShell simulator (lab activity and noise) → Chainsaw (Sigma-based EVTX hunting) → Python LLM summarizer (structured narrative + IOC table). The human stays in the loop for validation and context, not rote drafting.
How It Works
- Collect EVTX from a Windows lab with Sysmon (SwiftOnSecurity config).
- Hunt with Chainsaw using Sigma rules; export JSON.
- Parse detections (technique, evidence, timestamps, host/user).
- Feed concise, structured chunks to the Python LLM script.
- Generate a narrative organized by MITRE tactics, plus IOC and timeline sections.
- Analyst verifies, annotates caveats, and adds reproduction steps.
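The middle of that procedure (Chainsaw JSON in, structured chunks and an IOC table out) is the part most worth seeing in code. The block below is an added example, not ForenSynth AI's own parser. It assumes the document shape Chainsaw v2 writes with `hunt --json` (rule name, timestamp, level and `attack.*` tags at the top level, the raw event under `document.data.Event`); the three detections are constructed for this example, not real lab output.

```python
"""Chainsaw hunt JSON -> tactic-ordered, chronological chunks plus an IOC table.

Added example (not ForenSynth AI's code). Assumes the Chainsaw v2 `hunt --json`
document shape; the sample detections below are constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample: three Sigma hits the way Chainsaw v2 serialises them.
SAMPLE_CHAINSAW_JSON = json.dumps([
    {"group": "Sigma", "kind": "individual", "source": "sigma", "level": "high",
     "name": "Suspicious Encoded PowerShell Command Line",
     "timestamp": "2025-11-02T14:03:11.120000Z",
     "tags": ["attack.execution", "attack.t1059.001", "attack.defense-evasion", "attack.t1027"],
     "document": {"kind": "evtx", "path": "C:/lab/Sysmon.evtx", "data": {"Event": {
         "System": {"EventID": 1, "Computer": "LAB-WS01"},
         "EventData": {"User": "LAB\\analyst",
                       "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A",
                       "Hashes": "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}}}},
    {"group": "Sigma", "kind": "individual", "source": "sigma", "level": "low",
     "name": "Process Discovery via Tasklist",
     "timestamp": "2025-11-02T14:05:40.003000Z",
     "tags": ["attack.discovery", "attack.t1057"],
     "document": {"kind": "evtx", "path": "C:/lab/Security.evtx", "data": {"Event": {
         # EventID serialises as an object when the XML element carries attributes; handle both shapes
         "System": {"EventID": {"#attributes": {"Qualifiers": 0}, "#text": 4688}, "Computer": "LAB-WS01"},
         "EventData": {"SubjectUserName": "analyst",
                       "NewProcessName": "C:\\Windows\\System32\\tasklist.exe",
                       "CommandLine": "tasklist.exe /v"}}}}},
    {"group": "Sigma", "kind": "individual", "source": "sigma", "level": "medium",
     "name": "DNS Query to Suspicious Domain",
     "timestamp": "2025-11-02T14:06:02.551000Z",
     "tags": ["attack.command-and-control", "attack.t1071.004"],
     "document": {"kind": "evtx", "path": "C:/lab/Sysmon.evtx", "data": {"Event": {
         "System": {"EventID": 22, "Computer": "LAB-WS01"},
         "EventData": {"User": "LAB\\analyst",
                       "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       "QueryName": "evil.example.test",
                       "QueryResults": "::ffff:203.0.113.42;"}}}}},
])

TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")       # attack.t1059.001 -> technique
NON_TACTIC_TAG = re.compile(r"^attack\.[sg]\d{4}$")             # software / group tags, not tactics
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EVIDENCE_FIELDS = ("Image", "NewProcessName", "CommandLine", "ParentCommandLine", "ScriptBlockText",
                   "QueryName", "QueryResults", "DestinationIp", "DestinationHostname", "Hashes")
DOMAIN_FIELDS = ("QueryName", "DestinationHostname")  # only these are trusted as domain IOCs


def _event_id(system):
    eid = system.get("EventID")
    return int(eid["#text"]) if isinstance(eid, dict) else int(eid)


def parse_detection(det):
    """Reduce one Chainsaw document to the fields an analyst (or the LLM) actually needs."""
    event = det["document"]["data"]["Event"]
    system, data = event.get("System", {}), event.get("EventData", {})
    tactics, techniques = [], []
    for tag in det.get("tags", []):
        m = TECH_TAG.match(tag)
        if m:
            techniques.append(m.group(1).upper())
        elif tag.startswith("attack.") and not NON_TACTIC_TAG.match(tag):
            tactics.append(tag[len("attack."):])
    return {"rule": det["name"], "level": det.get("level", "unknown"),
            "timestamp": det["timestamp"], "event_id": _event_id(system),
            "host": system.get("Computer", "unknown"),
            "user": data.get("User") or data.get("SubjectUserName") or "unknown",
            "tactics": tactics, "techniques": techniques,
            "evidence": {k: data[k] for k in EVIDENCE_FIELDS if k in data}}


def extract_iocs(records):
    """IOC candidates from evidence fields only: IPs anywhere, domains from DNS/network fields,
    hashes from Sysmon's 'ALG=hex,ALG=hex' list. Paths and binary names never become IOCs."""
    iocs = {"ip": set(), "domain": set(), "hash": set()}
    for rec in records:
        for field, value in rec["evidence"].items():
            iocs["ip"].update(IPV4.findall(str(value)))
            if field in DOMAIN_FIELDS:
                iocs["domain"].add(str(value).lower())
        for pair in rec["evidence"].get("Hashes", "").split(","):
            alg, _, digest = pair.partition("=")
            if alg.strip().upper() in ("MD5", "SHA1", "SHA256") and digest:
                iocs["hash"].add(digest.strip().lower())
    return {k: sorted(v) for k, v in iocs.items()}


def build_report_payload(chainsaw_json, case_id):
    """The structured chunk handed to the summariser: tactic-ordered, chronological, with scope
    and IOCs precomputed so the model narrates evidence instead of inventing it."""
    records = sorted((parse_detection(d) for d in json.loads(chainsaw_json)), key=lambda r: r["timestamp"])
    by_tactic = defaultdict(list)
    for rec in records:
        for tactic in rec["tactics"] or ["uncategorised"]:  # a multi-tactic rule appears under each
            by_tactic[tactic].append(rec)
    ordered = {t: by_tactic[t] for t in TACTIC_ORDER if t in by_tactic}
    ordered.update({t: v for t, v in by_tactic.items() if t not in ordered})
    return {"schema_version": "1", "case_id": case_id, "detection_count": len(records),
            "hosts": sorted({r["host"] for r in records}), "users": sorted({r["user"] for r in records}),
            "timeline": [{"ts": r["timestamp"], "host": r["host"], "event_id": r["event_id"], "rule": r["rule"]}
                         for r in records],
            "tactics": ordered, "iocs": extract_iocs(records)}


if __name__ == "__main__":
    print(json.dumps(build_report_payload(SAMPLE_CHAINSAW_JSON, "LAB-2025-11-02"), indent=2))
```

The payload is what gets serialised into the prompt: the model only ever sees evidence fields that were pulled from the events, and the IOC table is computed before the LLM is involved, so an indicator in the report can always be traced to a specific EventData field.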
Output
One report per run: executive summary, technique table, evidence snippets, IOC list, minimal timeline, and How to Reproduce steps. Export to Markdown and PDF. Link back to case folder, rulesets, and scripts for transparency.
Guardrails
- Spot-check raw detections, confirm artifacts, and mark assumptions.
- Deterministic prompts (schemas), pin tool versions, and log run metadata.
- Document limitations (false positives, lab constraints).
- Credit: Chainsaw + SwiftOnSecurity; note local config tweaks.
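Two of those guardrails (a fixed output schema and logged run metadata) become concrete when the LLM's answer is checked against the detections it was given, so a technique or indicator the model made up never reaches the report. The block below is an added example, not ForenSynth AI's code. The finding schema, the `det-NNNN` evidence-ID convention and the metadata fields are this example's assumptions; the model output is constructed to contain one grounded finding and two that must be rejected.

```python
"""Guardrails for the LLM stage: fixed output schema, grounding check, run metadata.

Added example (not ForenSynth AI's code). Schema, evidence-ID convention and
metadata fields are assumptions; MODEL_OUTPUT is a constructed model answer.
"""
import hashlib
import json
import platform
from datetime import datetime, timezone

# The prompt tells the model to return exactly this object per finding and nothing else.
FINDING_KEYS = {"tactic", "technique_id", "summary", "evidence_refs"}

# Constructed: what the detection stage established, and what a model might answer.
ALLOWED_TECHNIQUES = {"T1059.001", "T1027", "T1057", "T1071.004"}
ALLOWED_EVIDENCE = {"det-0001", "det-0002", "det-0003"}
MODEL_OUTPUT = json.dumps({"findings": [
    {"tactic": "execution", "technique_id": "T1059.001",
     "summary": "Hidden, encoded PowerShell launched under LAB\\analyst.", "evidence_refs": ["det-0001"]},
    {"tactic": "credential-access", "technique_id": "T1003.001",          # never fired: hallucinated
     "summary": "LSASS memory was dumped.", "evidence_refs": ["det-0001"]},
    {"tactic": "discovery", "technique_id": "T1057",                       # cites evidence that does not exist
     "summary": "Process listing via tasklist.", "evidence_refs": ["det-0002", "det-0099"]},
]})


def validate_narrative(model_output, allowed_techniques, allowed_evidence):
    """Return (accepted, problems). A finding is accepted only if it matches the schema, cites a
    technique the detections actually produced, and references only evidence IDs that exist.
    Rejections are logged for the analyst, never silently patched."""
    try:
        doc = json.loads(model_output)
    except json.JSONDecodeError as exc:
        return [], [f"model output is not JSON: {exc}"]
    findings = doc.get("findings") if isinstance(doc, dict) else None
    if not isinstance(findings, list):
        return [], ["model output lacks a 'findings' list"]
    accepted, problems = [], []
    for n, f in enumerate(findings):
        if not isinstance(f, dict) or set(f) != FINDING_KEYS:
            problems.append(f"finding {n}: does not match schema")
        elif f["technique_id"] not in allowed_techniques:
            problems.append(f"finding {n}: technique {f['technique_id']} never fired in this hunt")
        else:
            refs = f["evidence_refs"] if isinstance(f["evidence_refs"], list) else []
            unknown = sorted(set(refs) - allowed_evidence)
            if not refs or unknown:
                problems.append(f"finding {n}: missing or unknown evidence refs {unknown}")
            else:
                accepted.append(f)
    return accepted, problems


def run_metadata(detections_bytes, prompt_text, tool_versions, model):
    """Everything needed to reproduce or audit a run: input hashes, pinned versions, the model used."""
    return {"run_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "detections_sha256": hashlib.sha256(detections_bytes).hexdigest(),
            "prompt_sha256": hashlib.sha256(prompt_text.encode()).hexdigest(),
            "tool_versions": dict(tool_versions),
            "model": model,
            "python": platform.python_version()}


if __name__ == "__main__":
    ok, bad = validate_narrative(MODEL_OUTPUT, ALLOWED_TECHNIQUES, ALLOWED_EVIDENCE)
    print(f"accepted {len(ok)} finding(s); rejected {len(bad)}:")
    for p in bad:
        print(" -", p)
    # Placeholder version strings: pin the real Chainsaw release, Sysmon config commit and model ID per run.
    meta = run_metadata(b"", "prompt v1", {"chainsaw": "<pinned release>", "sysmon-config": "<commit>"},
                        "<pinned model id>")
    print(json.dumps(meta, indent=2))
```

Run the validator on every model response before rendering; the `problems` list belongs in the report's limitations section, because a rejected finding is itself useful information about how far the model can be trusted on this data.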
Findings (sample scaffold)
| Tactic | Technique (ID) | Evidence | Why it matters | Follow-up |
|---|---|---|---|---|
| Discovery | T1057 Process Discovery | Process creation (Security 4688 / Sysmon 1) for tasklist.exe or PowerShell Get-Process | Enumeration of running processes, typical recon before lateral movement | Correlate with user/session; check what ran next on the host |
| Execution | T1059.001 PowerShell | powershell.exe launched with -EncodedCommand | Common post-initial-access execution and obfuscation step | Decode the payload; check 4104 ScriptBlock logs for the decoded script |
IOCs (Indicators of Compromise)
- IP: 203.0.113.42
- Domain: evil.example.test
- Hash: e3b0c44298fc1c149afbf4c8996fb924...
These are scaffold values, not real indicators: 203.0.113.0/24 is the RFC 5737 TEST-NET-3 range, .test is a reserved TLD, and the hash prefix is the SHA-256 of zero-byte input. Replace them with case data before a report ships.
Reproduce It
```bash
# Chainsaw v2 hunt (adjust paths). Sigma rules go under -s/--sigma (-r/--rule is for
# Chainsaw-native rules); --json is a flag and the output path goes to -o/--output.
# Record the Chainsaw release and rule-set commit you used in the run metadata.
chainsaw hunt /path/to/evtx \
  --sigma /path/to/sigma/rules \
  --mapping /path/to/sigma-event-logs-all.yml \
  --json --output out/detections.json
```
v2.3.4 — Polish & Reporting Pass (2025-11-02)
- Promoted the "polish" pipeline (v2.3.4) as the main ForenSynth AI flow.
- Added donut + heatmap visuals in the HTML report:
  - Donuts mapped to MITRE ATT&CK phases (Execution, Persistence, Discovery, Lateral Movement, Defense Evasion, etc.).
  - Heatmap by EventID with a small footnote explaining IDs (1 = process create, 13 = registry value set, 4104 = PowerShell ScriptBlock, etc.).
- Introduced a sampling governor for high-volume hunts:
  - Flags like `--limit-detections` and `--sample-step` let me cap to ~1k representative detections while still preserving campaign structure.
  - Dramatically reduces runtime and cost for 2k–3k+ detection hunts.
- Improved Evidence Appendix:
  - Exportable CSV via `--export-evidence-csv`.
  - Cleaner "Entities & Scope" and MITRE-aligned phase counts so responders can skim scope at a glance.
- Tightened cost reporting:
  - HTML report now surfaces real OpenAI usage totals (input/output tokens + cost) instead of rough estimates.
- This whole v2.3.4 cycle came from iterating on logs from a single HTB "Windows Event Logs & Finding Evil" module and vibe-coding the tool into existence with ChatGPT, on top of my DFIR + coding fundamentals.
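"Cap to ~1k representative detections while preserving campaign structure" hides a real design question: which 1,000 of 2,500 hits do you keep so the report still shows every rule, every host and the full time window? The block below is an added example, not ForenSynth AI's code. It assumes the flag semantics the changelog describes (`--limit-detections` as a hard cap, `--sample-step` as a minimum stride); the 2,500-detection hunt is constructed so that one noisy rule would otherwise drown out three quieter ones.

```python
"""Sampling governor for high-volume hunts (the --limit-detections / --sample-step idea).

Added example (not ForenSynth AI's code). Flag semantics are assumed from the
changelog; make_sample_hunt() constructs the input, it is not real lab output.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from math import ceil


def make_sample_hunt():
    """Constructed hunt: 2,000 process-creation hits across two hosts plus three smaller rule groups."""
    t0 = datetime(2025, 11, 2, 14, 0, tzinfo=timezone.utc)
    spec = [("Process Creation via PowerShell", ["LAB-WS01", "LAB-WS02"], 2000),
            ("Suspicious Encoded PowerShell Command Line", ["LAB-WS01"], 400),
            ("DNS Query to Suspicious Domain", ["LAB-DC01"], 80),
            ("Scheduled Task Creation", ["LAB-WS02"], 20)]
    records, i = [], 0
    for rule, hosts, count in spec:
        for n in range(count):
            records.append({"rule": rule, "host": hosts[n % len(hosts)],
                            "timestamp": (t0 + timedelta(seconds=i)).isoformat()})
            i += 1
    return records


def sample_detections(records, limit=1000, sample_step=1, stratum=lambda r: (r["rule"], r["host"])):
    """Deterministic thinning that keeps campaign shape:
    - the first and last hit of every (rule, host) stratum always survive, so which rules fired,
      on which hosts, and over what window is preserved exactly;
    - the remaining budget is filled with a chronological stride, never finer than sample_step;
    - the result never exceeds `limit` unless the anchors alone do (flagged in stats)."""
    ordered = sorted(records, key=lambda r: r["timestamp"])
    strata = defaultdict(list)
    for idx, rec in enumerate(ordered):
        strata[stratum(rec)].append(idx)
    anchors = {i for idxs in strata.values() for i in (idxs[0], idxs[-1])}
    inner = [i for i in range(len(ordered)) if i not in anchors]
    budget = limit - len(anchors)
    if budget <= 0 or not inner:
        step, filler = None, []
    else:
        step = max(sample_step, ceil(len(inner) / budget))  # ceil guarantees len(filler) <= budget
        filler = inner[::step]
    kept = [ordered[i] for i in sorted(anchors | set(filler))]
    stats = {"input": len(ordered), "kept": len(kept), "strata": len(strata), "step": step,
             "over_cap": len(kept) > limit,
             "kept_per_rule": dict(Counter(r["rule"] for r in kept))}
    return kept, stats


if __name__ == "__main__":
    hunt = make_sample_hunt()
    for step in (1, 5):
        kept, stats = sample_detections(hunt, limit=1000, sample_step=step)
        print(f"--sample-step {step}:", stats)
```

Because the stride is taken over the whole chronological sequence, the bulk rule loses most of its repeats while the 20-hit rule still appears with its real first-seen and last-seen times; the "Entities & Scope" counts in the report can then be computed from the full input and the narrative from the sample, and `stats` documents exactly what was dropped.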
Live sample report
- 👉 View the v2.3.4 ForenSynth AI sample report
- Source HTML is still kept in the code repo under `examples/2025-11-2-polish-run/forensynth_report_2025-11-02.html`.
Acknowledgments
- Chainsaw (Sigma), SwiftOnSecurity Sysmon config, and open-source DFIR community.