# docker_chainsaw

WithSecure Labs' [Chainsaw](https://github.com/WithSecureLabs/chainsaw) — fast Sigma-based EVTX hunter — wrapped in a container.

## Build

```
docker build -t tabledevil/chainsaw .
```

The build always pulls the latest chainsaw release tarball + the current SigmaHQ rule corpus, so every rebuild ships with up-to-date detections.

## Run

```
docker run --rm --network=none \
  -v /path/to/evtx:/data:ro \
  -v /path/for/output:/output \
  tabledevil/chainsaw
```

Output lands in `/output/chainsaw_/`:

- `hunt.txt` — chainsaw stdout summary (counts, table)
- `csv/` — per-rule CSV detections

## Test

```
./test_smoke.sh                        # DeepBlueCLI subset (~21 EVTX, fast)
SUBSET=YamatoSecurity ./test_smoke.sh
KEEP_DATA=1 ./test_smoke.sh            # keep cloned sample-evtx for re-runs
```

The test script clones [Yamato-Security/hayabusa-sample-evtx](https://github.com/Yamato-Security/hayabusa-sample-evtx) on demand into `test-data/` (gitignored).
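An added helper, not part of the docker_chainsaw project, that summarises the per-rule CSV detections a container run leaves under the output directory described in the Run section. It assumes the run directory name matches `chainsaw_*` and that each CSV holds one header row followed by one row per detection; both are assumptions, not taken from the project.

```shell
#!/bin/sh
# Added example (not project code): count detections per rule from the
# csv/ directory of the newest chainsaw_* run under OUTPUT_ROOT.
# Assumption: layout is OUTPUT_ROOT/chainsaw_*/csv/<rule>.csv, one header
# line per file, one line per detection after it.

# Print "<rule> <count>" for every CSV in the newest chainsaw_* directory.
summarize_detections() {
    out_root="$1"
    run_dir=$(ls -d "$out_root"/chainsaw_*/ 2>/dev/null | sort | tail -n 1)
    [ -n "$run_dir" ] || { echo "no chainsaw_* directory under $out_root" >&2; return 1; }
    for f in "$run_dir"csv/*.csv; do
        [ -f "$f" ] || continue
        rule=$(basename "$f" .csv)
        # subtract the header line; an empty file would go negative, clamp at 0
        n=$(($(wc -l < "$f") - 1))
        [ "$n" -lt 0 ] && n=0
        echo "$rule $n"
    done
}

# Total detections across all rule files (sum of the per-rule counts).
total_detections() {
    summarize_detections "$1" | awk '{ s += $2 } END { print s + 0 }'
}
```

Run as `summarize_detections /path/for/output` after the container exits; a rule with 0 detections still appears so you can confirm the rule file was produced.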