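#!/bin/bash
# chainsaw on-demand EVTX hunter. Same /data input + /output output pattern
# as docker_hayabusa.
#
# Inputs:  /data   - directory of EVTX files (mount read-only)
# Outputs: /output - report directory (falls back to /data when /output is not
#                    writable); one timestamped chainsaw_<epoch>/ per run
# Exit:    1 when /data is missing or no writable output exists, otherwise the
#          exit status of `chainsaw hunt`.
#
# -o pipefail: without it the `chainsaw ... | tee` pipeline below reports tee's
# status, so a failed hunt would look like a success.
set -euo pipefail

if [ ! -d /data ]; then
  printf '%s\n' "[!] No folder mounted to /data" >&2
  printf '%s\n' "[>] docker run -it --rm --network=none -v /path/to/evtx:/data:ro -v /path/for/report:/output tabledevil/chainsaw" >&2
  exit 1
fi

# Pick a writable output target. /output/notmounted is presumably a sentinel
# file baked into the image so that an unmounted /output is never written to
# (NOTE(review): confirm against the Dockerfile).
if [ ! -f /output/notmounted ] && [ -w /output ]; then
  output="/output"
elif [ -w /data ]; then
  output="/data"
else
  printf '%s\n' "[!] No writable output folder available" >&2
  exit 1
fi

ts="$(date +%s)"
out_base="${output}/chainsaw_${ts}"
mkdir -p -- "${out_base}"

printf '%s\n' "[>] Hunt with built-in chainsaw rules + Sigma core rules"
# Chainsaw v2.x makes --csv, --json and --jsonl mutually exclusive — pick CSV
# (one file per rule, easy to grep). For JSON later, run with --json.
# Capture the hunt's status instead of letting -e abort: the partial output and
# hunt.txt are still worth listing, and the status is propagated at the end.
rc=0
chainsaw hunt /data \
  --sigma /opt/sigma/rules \
  --mapping /opt/chainsaw/mappings/sigma-event-logs-all.yml \
  --rule /opt/chainsaw/rules \
  --csv \
  --output "${out_base}/csv" \
  --skip-errors \
  2>&1 | tee "${out_base}/hunt.txt" || rc=$?

if [ "${rc}" -ne 0 ]; then
  printf '%s\n' "[!] chainsaw exited with status ${rc}; see ${out_base}/hunt.txt" >&2
fi

printf '%s\n' "[>] Output: ${out_base}/"
ls -lh -- "${out_base}" 2>/dev/null || true
exit "${rc}"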