
output json format in json timeline for standard output #1252

Merged

Conversation

hitenkoku (Collaborator)

What Changed

  • Modified to output JSON format in the json-timeline command for standard output.

I would appreciate it if you could review when you have time.

@hitenkoku hitenkoku added the enhancement New feature or request label Jan 19, 2024
@hitenkoku hitenkoku self-assigned this Jan 19, 2024
@hitenkoku hitenkoku linked an issue Jan 19, 2024 that may be closed by this pull request

codecov bot commented Jan 19, 2024

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (88990e4) 82.44% compared to head (571d740) 82.42%.

File: src/afterfact.rs, patch coverage 58.33%, 5 lines missing ⚠️
@@            Coverage Diff             @@
##             main    #1252      +/-   ##
==========================================
- Coverage   82.44%   82.42%   -0.02%     
==========================================
  Files          27       27              
  Lines       24694    24701       +7     
==========================================
+ Hits        20359    20361       +2     
- Misses       4335     4340       +5     


@hitenkoku (Collaborator, Author)

Evidence

  • v2.12.0
❯ .\hayabusa-2.12.0-win-x64.exe json-timeline -d ..\hayabusa-sample-evtx\ -w -q -m critical
...
Total event log files: 581
Total file size: 136.9 MB

Loading detection rules. Please wait.

Excluded rules: 3805
Noisy rules: 12 (Disabled)

Deprecated rules: 12 (5.36%) (Disabled)
Experimental rules: 53 (23.66%)
Stable rules: 36 (16.07%)
Test rules: 135 (60.27%)
Unsupported rules: 2 (0.89%) (Disabled)

Hayabusa rules: 1
Sigma rules: 223
Total enabled detection rules: 224

Output profile: standard

Scanning in progress. Please wait.

[00:00:01] 581 / 581   [========================================] 100%

Scanning finished. Please wait while the results are being saved.


Timestamp ‖ Computer ‖ Channel ‖ EventID ‖ Level ‖ RecordID ‖ RuleTitle ‖ Details ‖ ExtraFieldInfo
2016-08-19 05:03:18.175 +09:00 ‖ IE10Win7 ‖ Sys ‖ 7045 ‖ crit ‖ 6252 ‖ Meterpreter or Cobalt Strike Getsystem Service Installation - System ‖ Svc: %ServiceName% ¦ Path: %ImagePath% ¦ Acct: %AccountName% ¦ StartType: %StartType% ‖
2016-08-19 05:40:21.230 +09:00 ‖ IE10Win7 ‖ Sys ‖ 7045 ‖ crit ‖ 6287 ‖ CobaltStrike Service Installations - System ‖ Svc: %ServiceName% ¦ Path: %ImagePath% ¦ Acct: %AccountName% ¦ StartType: %StartType% ‖
2016-09-20 05:36:09.147 +09:00 ‖ IE10Win7 ‖ Sys ‖ 7045 ‖ crit ‖ 8159 ‖ CobaltStrike Service Installations - System ‖ Svc: %ServiceName% ¦ Path: %ImagePath% ¦ Acct: %AccountName% ¦ StartType: %StartType% ‖
2016-09-20 05:38:04.034 +09:00 ‖ IE10Win7 ‖ Sys ‖ 7045 ‖ crit ‖ 8161 ‖ CobaltStrike Service Installations - System ‖ Svc: %ServiceName% ¦ Path: %ImagePath% ¦ Acct: %AccountName% ¦ StartType: %StartType% ‖
2016-09-20 05:59:41.659 +09:00 ‖ IE10Win7 ‖ Sys ‖ 7045 ‖ crit ‖ 8164 ‖ CobaltStrike Service Installations - System ‖ Svc: %ServiceName% ¦ Path: %ImagePath% ¦ Acct: %AccountName% ¦ StartType: %StartType% ‖
...
  • this PR

    • without output option
❯ ./1197.exe json-timeline -d ..\hayabusa-sample-evtx\ -w -q -m critical
...
Total event log files: 581
Total file size: 136.9 MB

Loading detection rules. Please wait.

Excluded rules: 3805
Noisy rules: 12 (Disabled)

Deprecated rules: 12 (5.36%) (Disabled)
Experimental rules: 53 (23.66%)
Stable rules: 36 (16.07%)
Test rules: 135 (60.27%)
Unsupported rules: 2 (0.89%) (Disabled)

Hayabusa rules: 1
Sigma rules: 223
Total enabled detection rules: 224

Output profile: standard
...
{
    "Timestamp": "2021-12-13 21:55:45.250 +09:00",
    "Computer": "rootdc1.offsec.lan",
    "Channel": "Sys",
    "EventID": 7045,
    "Level": "crit",
    "RecordID": 1467331,
    "RuleTitle": "smbexec.py Service Installation",
    "Details": {
        "Acct": "LocalSystem",
        "Path": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat",
        "StartType": "demand start",
        "Svc": "BTOBTO"
    },
    "ExtraFieldInfo": {
        "ServiceType": "user mode service"
    }
}
....
  • with output option
❯ ./1197.exe json-timeline -d ..\hayabusa-sample-evtx\ -o 1197.json -w -q
...
Total event log files: 581
Total file size: 136.9 MB

Loading detection rules. Please wait.

Excluded rules: 31
Noisy rules: 12 (Disabled)

Deprecated rules: 170 (4.48%) (Disabled)
Experimental rules: 2081 (54.81%)
Stable rules: 233 (6.14%)
Test rules: 1483 (39.06%)
Unsupported rules: 45 (1.19%) (Disabled)

Hayabusa rules: 159
Sigma rules: 3638
Total enabled detection rules: 3797

Output profile: standard

Scanning in progress. Please wait.

[00:00:08] 581 / 581   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

...
Saved file: 1197.json (38.7 MB)

Elapsed time: 00:00:11.951

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls
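As an added example (not part of this PR or of Hayabusa's own code), a small Python consumer for the standard-output form shown above: banner lines followed by pretty-printed JSON objects written back to back, rather than a JSON array or JSONL. The sample input is constructed from the smbexec.py record above plus one made-up second record; the "high" level and "Constructed rule" title are assumptions, and so is the banner text surrounding the records.

```python
import json
from collections import Counter
from typing import Iterator

# Constructed sample of what json-timeline writes to stdout without -o:
# banner lines, then pretty-printed JSON objects back to back (no array, no JSONL).
SAMPLE_STDOUT = """Output profile: standard
{
    "Timestamp": "2021-12-13 21:55:45.250 +09:00",
    "Computer": "rootdc1.offsec.lan",
    "Channel": "Sys",
    "EventID": 7045,
    "Level": "crit",
    "RecordID": 1467331,
    "RuleTitle": "smbexec.py Service Installation",
    "Details": {"Acct": "LocalSystem", "StartType": "demand start", "Svc": "BTOBTO"},
    "ExtraFieldInfo": {"ServiceType": "user mode service"}
}
{"Timestamp": "2016-08-19 05:03:18.175 +09:00", "Computer": "IE10Win7", "Channel": "Sys",
 "EventID": 7045, "Level": "high", "RecordID": 6252, "RuleTitle": "Constructed rule",
 "Details": {"Svc": "svc1"}, "ExtraFieldInfo": {}}
Elapsed time: 00:00:11.951
"""


def iter_records(text: str) -> Iterator[dict]:
    """Yield every top-level JSON object in text, skipping non-JSON lines."""
    dec = json.JSONDecoder()
    pos = 0
    while (start := text.find("{", pos)) >= 0:
        try:
            obj, end = dec.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # a stray brace in banner text: keep scanning
            continue
        pos = end
        if isinstance(obj, dict) and "RuleTitle" in obj:
            yield obj


def triage(text: str) -> dict:
    """Count alerts per Level and list critical service installs (EventID 7045)."""
    recs = list(iter_records(text))
    by_level = Counter(r["Level"] for r in recs)
    installs = [(r["Computer"], r["RecordID"], r["Details"].get("Svc"))
                for r in recs if r["EventID"] == 7045 and r["Level"] == "crit"]
    return {"total": len(recs), "by_level": dict(by_level), "crit_installs": installs}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_STDOUT), indent=2))
```

In practice the text would come from piping the json-timeline command into the script; with -o the same parser works on the saved file.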

@hitenkoku hitenkoku changed the title 1197 output json format in json timeline for standard output output json format in json timeline for standard output Jan 19, 2024
@fukusuket (Collaborator) left a comment


I checked the minimal/verbose/super-verbose options! LGTM!!🚀

@YamatoSecurity YamatoSecurity added this to the v2.13.0 milestone Jan 23, 2024
@YamatoSecurity (Collaborator) left a comment


@hitenkoku Looks great! Thank you so much!

@hitenkoku hitenkoku merged commit 0a1f8f4 into main Jan 23, 2024
7 checks passed
@hitenkoku hitenkoku deleted the 1197-output-json-format-in-json-timeline-for-standard-output branch January 23, 2024 05:22
Successfully merging this pull request may close these issues.

Output JSON format in json-timeline for standard output