v1.1.0 just dropped with auditd event correlation (groups related log lines by event ID before rule evaluation), a tokenizer, and YAML-based field mapping so Sigma rules work across different log schemas without forking the rules. Go, single binary, no runtime dependencies. CSV/JSON output for pipeline integration.
Wrote up a detailed post on the architecture and design decisions: https://www.m00nl1g7.net/blog/building-a-forensic-triage-too... Happy to answer any questions about the implementation.
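As an added illustration (not the tool's own code and not taken from the linked post), the following Go sketch shows the pipeline the announcement describes: tokenize auditd key=value records, group them by the audit(timestamp:serial) id before any rule runs, map Sigma field names onto auditd field names, then evaluate a minimal Sigma-like selection. The sample records are constructed, the mapping entries and the rule representation are assumptions, and the mapping is inlined as a Go map where the real tool loads YAML.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample auditd records (not real data): two execve events, each
// split across a SYSCALL and an EXECVE record that share one audit(time:serial) id.
const sampleAuditLog = `type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 pid=4242 ppid=4000 uid=1000 exe="/tmp/x" key="exec"
type=EXECVE msg=audit(1700000000.123:456): argc=3 a0="/tmp/x" a1="-c" a2="id"
type=SYSCALL msg=audit(1700000000.500:457): arch=c000003e syscall=59 success=yes exit=0 pid=4243 ppid=4000 uid=1000 exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.500:457): argc=2 a0="ls" a1="-la"`

// Event is one correlated auditd event: every record with the same id, merged.
type Event struct {
	ID     string            // "timestamp:serial" from msg=audit(...)
	Fields map[string]string // merged key=value pairs plus a derived "cmdline"
}

var tokenRe = regexp.MustCompile(`([A-Za-z0-9_]+)=(?:"([^"]*)"|(\S+))`)

// tokenize splits one record into key=value pairs, stripping quotes.
func tokenize(line string) map[string]string {
	kv := map[string]string{}
	for _, m := range tokenRe.FindAllStringSubmatch(line, -1) {
		kv[m[1]] = m[2] + m[3] // exactly one of the quoted/bare groups is set
	}
	return kv
}

// correlate groups records by audit id before any rule runs, so a rule sees
// the SYSCALL exe and the EXECVE argv of one event together. Lines without an
// audit id are skipped; events come back in first-seen order.
func correlate(log string) []Event {
	var events []Event
	index := map[string]int{} // audit id -> position in events
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		kv := tokenize(line)
		id := strings.TrimSuffix(strings.TrimPrefix(kv["msg"], "audit("), "):")
		if id == kv["msg"] {
			continue // no audit(...) id: not an auditd record
		}
		i, seen := index[id]
		if !seen {
			i = len(events)
			index[id] = i
			events = append(events, Event{ID: id, Fields: map[string]string{}})
		}
		for k, v := range kv {
			if k != "msg" && k != "type" { // per-record keys would collide
				events[i].Fields[k] = v
			}
		}
		// Derived field: rebuild the EXECVE argv from argc and a0..aN (assumes
		// auditd did not split long arguments into a1[0], a1[1], ... pieces).
		argc, _ := strconv.Atoi(events[i].Fields["argc"]) // no argc yet -> 0
		var argv []string
		for j := 0; j < argc; j++ {
			argv = append(argv, events[i].Fields["a"+strconv.Itoa(j)])
		}
		events[i].Fields["cmdline"] = strings.Join(argv, " ")
	}
	return events
}

// Sigma field name -> auditd field name. The tool reads this from YAML; it is
// inlined as a Go map here (assumption) so the example has no dependencies.
var sigmaToAuditd = map[string]string{
	"Image": "exe", "CommandLine": "cmdline", "ProcessId": "pid", "ParentProcessId": "ppid",
}

// Sigma value modifiers; "" is the plain equality match.
var modifiers = map[string]func(v, want string) bool{
	"":           func(v, want string) bool { return v == want },
	"startswith": strings.HasPrefix, "contains": strings.Contains, "endswith": strings.HasSuffix,
}

// Condition is one Sigma selection entry (e.g. Image|startswith: /tmp/); a rule is a slice of ANDed conditions.
type Condition struct{ Field, Modifier, Value string }

func (c Condition) matches(ev Event) bool {
	v, ok := ev.Fields[sigmaToAuditd[c.Field]] // unmapped field -> "" -> absent
	fn, known := modifiers[c.Modifier]
	return ok && known && fn(v, c.Value) // a rule cannot fire on a schema lacking the field
}

// evaluate returns the ids of the correlated events on which every condition holds.
func evaluate(rule []Condition, events []Event) (hits []string) {
	for _, ev := range events {
		ok := true
		for _, c := range rule {
			ok = ok && c.matches(ev)
		}
		if ok {
			hits = append(hits, ev.ID)
		}
	}
	return hits
}
```

The reason for correlating before evaluation shows up with a two-condition rule: Image is only present on the SYSCALL record and CommandLine only on the EXECVE record, so neither line on its own can satisfy both conditions. A Sigma field with no entry in the mapping, or an unsupported modifier, simply never matches rather than failing the run, which is the behaviour you want when the same rule set is applied across several log schemas.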