Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Enhancement: Duplicate detections for logon-summary #1325

Open mischw opened 7 months ago

mischw commented 7 months ago

I saw that the csv-timeline and json-timeline commands support deduplication using the flag --remove-duplicate-detections. I think that is incredibly useful. Unfortunately the logon-summary does not have an equivalent flag it seems? The resulting output therefore shows many times more logon attempts when also using evtx from shadow copies for example.

Either way I am happy with a solution that allows deduplicated logon-summary. But I thought maybe you hadn't considered adding it as a flag to logon-summary too :)

YamatoSecurity commented 7 months ago

We will look into adding this feature. For now, you might just have to write a script to remove the duplicates.

mischw commented 6 months ago

Thanks for considering adding this feature. In the meantime I am happy to write a script. Do you happen to know a tool or two which would be suitable for use in a script and at the same time is able to output a format which hayabusa is able to parse?

YamatoSecurity commented 6 months ago

@mischw To work around this, you can remove duplicates with the json-timeline command, output to JSONL and then use the stack-logons in Takajo to get the same information. (https://github.com/Yamato-Security/takajo?tab=readme-ov-file#stack-logons-command) Right now, it only summarizes successful logons but will add an option to analyze failed logons as well.
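
A minimal version of the deduplication step described in this thread, as an added example that is not part of Hayabusa, Takajo or the maintainer's own code: it drops repeated records from json-timeline JSONL output keyed on the fields a shadow-copy duplicate shares with its original, then counts successful and failed logons per target user. The JSON field names (Timestamp, Computer, Channel, EventID, RecordID, RuleTitle, Details.TgtUser) and the use of event IDs 4624/4625 are assumptions about Hayabusa's JSON layout; the sample lines are constructed, not real data.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of json-timeline JSONL output (not real data). Records 1-2
# and 3-4 are exact repeats, as happens when the same event log is read once
# from the live path and once from a volume shadow copy. Field names are
# assumed from Hayabusa's JSON layout; adjust DEDUP_KEYS if yours differ.
SAMPLE_JSONL = """\
{"Timestamp":"2024-01-10 08:00:01.000 +00:00","Computer":"WS01","Channel":"Sec","EventID":4624,"RecordID":100,"RuleTitle":"Logon (Success)","Details":{"TgtUser":"alice","Type":2}}
{"Timestamp":"2024-01-10 08:00:01.000 +00:00","Computer":"WS01","Channel":"Sec","EventID":4624,"RecordID":100,"RuleTitle":"Logon (Success)","Details":{"TgtUser":"alice","Type":2}}
{"Timestamp":"2024-01-10 08:05:30.000 +00:00","Computer":"WS01","Channel":"Sec","EventID":4625,"RecordID":101,"RuleTitle":"Logon (Failure)","Details":{"TgtUser":"bob","Type":3}}
{"Timestamp":"2024-01-10 08:05:30.000 +00:00","Computer":"WS01","Channel":"Sec","EventID":4625,"RecordID":101,"RuleTitle":"Logon (Failure)","Details":{"TgtUser":"bob","Type":3}}
{"Timestamp":"2024-01-10 09:12:00.000 +00:00","Computer":"WS02","Channel":"Sec","EventID":4624,"RecordID":7,"RuleTitle":"Logon (Success)","Details":{"TgtUser":"alice","Type":10}}
"""

# Fields that identify one event regardless of which .evtx copy it came from.
DEDUP_KEYS = ("Timestamp", "Computer", "Channel", "EventID", "RecordID", "RuleTitle")


def dedupe_records(jsonl_text):
    """Parse JSONL and keep only the first record for each identifying key."""
    seen = set()
    unique = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key = tuple(str(rec.get(k)) for k in DEDUP_KEYS)
        if key in seen:
            continue  # same event already emitted from another copy of the log
        seen.add(key)
        unique.append(rec)
    return unique


def logon_summary(records):
    """Count successful (4624) and failed (4625) logons per target user."""
    summary = defaultdict(Counter)
    for rec in records:
        eid = rec.get("EventID")
        if eid not in (4624, 4625):
            continue
        user = rec.get("Details", {}).get("TgtUser", "<unknown>")
        summary[user]["success" if eid == 4624 else "failure"] += 1
    return {user: dict(counts) for user, counts in summary.items()}


if __name__ == "__main__":
    recs = dedupe_records(SAMPLE_JSONL)
    print(f"{len(recs)} unique records after deduplication")
    for user, counts in sorted(logon_summary(recs).items()):
        print(user, counts)
```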

YamatoSecurity commented 6 months ago

@mischw We updated the stack-logons command so if you compile takajo with the main branch, you can get failed logon info as well.

mischw commented 6 months ago

I gave it a try and it looks like a nice way to get the info I need. Thanks for letting me know!