Additional feature to SAFEGUARD


When running SAFEGUARD on site, it would be great to have a section that performs quick analysis on collected artifacts: if we identify processes running from the TEMP folder quickly, I can grab a sample, for instance. Also, in the same analysis directory, it would be awesome if separate event IDs typically associated with IOCs were parsed out, such as 7045 (service installed), Terminal Services Remote 1189, etc. The PS commands might be:

    Get-Process | Select-Object -Property Path, Name, Id | Where-Object -Property Path -Like "*TEMP*"

    Get-WinEvent -LogName System | Where-Object -Property Id -EQ 7045 | Format-List -Property TimeCreated,Message

(change the ID for each event ID)

I know ALERT does analysis of running processes, but I think having those quick IOCs in SAFEGUARD is quicker than running ALERT and reviewing all running processes.

– Dave (anders1212)

Idea Category: Other Magnet Products
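The two checks the post asks for, combined into one triage script as an added example (this is not SAFEGUARD's or Magnet's code). The report directory, the Temp/Tmp path pattern, and the extra event IDs 4624 and 4720 are assumptions; 7045 is the ID named in the post.

```powershell
# Added example (not SAFEGUARD/Magnet code): quick triage mirroring the post's
# two checks. Report directory, path pattern and extra event IDs are assumptions.
param(
    [string]$ReportDir = (Join-Path $env:USERPROFILE 'SafeguardTriage'),
    [int]$MaxEventsPerId = 200
)

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Processes whose image lives under a Temp/Tmp directory. Matching the
#    directory part avoids flagging a binary merely named "*temp*" elsewhere.
#    Paths of protected processes come back empty and are skipped.
$tempPattern = '\\Temp\\|\\Tmp\\'
$suspect = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -match $tempPattern) } |
    Select-Object -Property Id, Name, Path,
        @{ Name = 'SHA256'; Expression = {
            (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } }
$suspect | Export-Csv -Path (Join-Path $ReportDir 'temp-processes.csv') -NoTypeInformation

# Preserve a copy of each flagged image (named by hash) so a sample survives
# even if the process later removes itself.
$sampleDir = Join-Path $ReportDir 'samples'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
foreach ($p in $suspect) {
    if ($p.SHA256) {
        Copy-Item -Path $p.Path -Destination (Join-Path $sampleDir "$($p.SHA256).bin") -ErrorAction SilentlyContinue
    }
}

# 2. Event IDs commonly reviewed as indicators. 7045 comes from the post;
#    4624 and 4720 are added here as assumptions, not Magnet's list.
$eventChecks = @(
    @{ LogName = 'System';   Id = 7045; Label = 'service-installed' },
    @{ LogName = 'Security'; Id = 4624; Label = 'logon-success' },
    @{ LogName = 'Security'; Id = 4720; Label = 'user-account-created' }
)
foreach ($check in $eventChecks) {
    # -FilterHashtable filters inside the event log service, far faster than
    # piping the whole log through Where-Object. A log with no matches throws,
    # so suppress that and treat it as an empty result.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $check.LogName; Id = $check.Id } `
        -MaxEvents $MaxEventsPerId -ErrorAction SilentlyContinue
    $events |
        Select-Object -Property TimeCreated, Id,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
        Export-Csv -Path (Join-Path $ReportDir "$($check.Id)-$($check.Label).csv") -NoTypeInformation
}
Write-Host "Triage report written to $ReportDir"
```

Reading the Security log requires an elevated session; without it the 4624/4720 CSVs are simply empty rather than the script failing.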