Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU General Public License v3.0

Timestamps not present when uploaded to elastic #1091

Open grizzlycode opened 1 year ago

grizzlycode commented 1 year ago

Describe the bug
A clear and concise description of what the bug is.

Timestamps are not showing up when imported into Elasticsearch.

Steps to Reproduce
Steps to reproduce the behavior:

I tried with two different versions of the Elasticsearch stack and they had different results. Also note the directions to import are slightly different in Kibana 8.8.8, as the GUI has changed for the "Override Settings" section.

Elasticsearch stack 7.17.7 (SOF-ELK)

I followed the guide on this GitHub to import a Hayabusa CSV file into Elasticsearch. It imports the data; however, the "Timestamp" field is not present in the results. The missing timestamp field breaks the functionality and usefulness of the imported data.

Elasticsearch stack 8.8.8

The data imports; however, it is not visible in Discover or Dashboard.

Expected behavior
A clear and concise description of what you expected to happen.

CSV imported with timestamps. Able to view data in Discover and associated Dashboards with timestamps.
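
A pre-import check that catches this class of problem before the CSV reaches Elasticsearch. This is an added example and not code from the Hayabusa project or from the reporter; it assumes the Hayabusa CSV has a "Timestamp" column in the layout "YYYY-MM-DD HH:MM:SS.mmm +HH:MM" (an assumption about the format), converts each value to ISO 8601 under an "@timestamp" field that Elasticsearch's default date mapping accepts, and separates rows whose timestamp would not parse. The sample CSV is constructed for the example.

```python
"""Check and normalise the Timestamp column of a Hayabusa-style CSV before
importing it into Elasticsearch (added example, not project code)."""
import csv
import io
from datetime import datetime

# Assumed Hayabusa CSV timestamp layout: "YYYY-MM-DD HH:MM:SS.mmm +HH:MM".
HAYABUSA_TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"

# Constructed sample CSV in a Hayabusa-like shape; the third row carries a
# timestamp that Elasticsearch's default date parser would reject.
SAMPLE_CSV = """Timestamp,Computer,Channel,EventID,Level,RuleTitle
2023-10-11 13:45:12.345 +00:00,WS01,Security,4624,info,Logon Success
2023-10-11 13:45:13.001 +00:00,WS01,Security,4688,low,Process Creation
not-a-timestamp,WS01,Security,4625,med,Logon Failure
"""


def normalise_rows(csv_text, ts_column="Timestamp"):
    """Return (good_rows, bad_rows).

    Good rows gain an '@timestamp' field in ISO 8601 form, which the
    default Elasticsearch 'date' mapping parses; rows whose timestamp does
    not match the assumed layout are returned separately for inspection."""
    good, bad = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    if ts_column not in (reader.fieldnames or []):
        raise ValueError(f"CSV has no {ts_column!r} column: {reader.fieldnames}")
    for row in reader:
        try:
            ts = datetime.strptime(row[ts_column], HAYABUSA_TS_FORMAT)
        except ValueError:
            bad.append(row)
            continue
        row["@timestamp"] = ts.isoformat(timespec="milliseconds")
        good.append(row)
    return good, bad


def index_mapping():
    """Explicit index mapping so '@timestamp' is indexed as a date rather
    than inferred as text/keyword, which would leave Discover without a
    time field to filter on (hypothetical mapping for this example)."""
    return {"mappings": {"properties": {"@timestamp": {"type": "date"}}}}


if __name__ == "__main__":
    ok, rejected = normalise_rows(SAMPLE_CSV)
    print(f"{len(ok)} rows normalised, {len(rejected)} with unparseable timestamps")
    for r in ok:
        print(r["@timestamp"], r["EventID"], r["RuleTitle"])
    for r in rejected:
        print("REJECTED:", r["Timestamp"], r["EventID"], r["RuleTitle"])
```

Running the check on a real export before the Kibana upload shows immediately whether the "Timestamp" column exists and whether its values parse; if the rejected list is non-empty, the index will silently lack a usable time field for those rows, which matches the symptom of events importing but not appearing in Discover or Dashboard.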

YamatoSecurity commented 1 year ago

@grizzlycode Thanks for letting us know. I'll try to update the Elastic import documents.