Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU General Public License v3.0

Consistent output for Timeline Explorer #1333

Closed Droid-HK47 closed 4 months ago

Droid-HK47 commented 4 months ago

Hello everyone,

As far as I have seen, the CSV output of the tool can be modified (csv-timeline `-p, --profile`: specify output profile). Would it be possible to have a simple parameter to always keep the same columns for the outputs across versions of Hayabusa? Or a fixed default set of columns, allowing Eric Zimmerman to support the Hayabusa CSV output format for Timeline Explorer? (See https://github.com/EricZimmerman/Issues/issues/215)

It would allow the tool to support sessions of handled Hayabusa CSV output.

Or just to know whether the default format is going to change in the future.

Cheers,

hitenkoku commented 4 months ago

Thanks for your comment.

I disagree about having parameters, as keeping the output columns the same across all versions of Hayabusa would likely require modifications to past versions as well.

I think the default format (standard profile) is unlikely to change.

Is it your understanding that TimelineExplorer requires all column names to match?

As noted in https://github.com/Yamato-Security/hayabusa?tab=readme-ov-file#timeline-output, the user can change the column names and contents of the output. Please check.

@YamatoSecurity What do you think about this issue?

YamatoSecurity commented 4 months ago

@Droid-HK47 Thank you for the issue. We would like to have Timeline Explorer support but we are still going to keep the various built-in profiles because how much analysts want to output will differ depending on circumstances. While I cannot guarantee that fields will not change in the future, we currently do not have any plans to change them. I suppose the standard profile would be the first one to support but it would be nice if Timeline Explorer could also support minimal, verbose, and super-verbose as those are also commonly used.

YamatoSecurity commented 4 months ago

In the worst case that we did change default field names, you can always easily edit them back in the text config file.
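The practical risk raised in this thread is silent column drift: a Timeline Explorer session (or any downstream parser) built against one Hayabusa header breaks when a later version or an edited profile renames, drops or reorders a column. The following is an added example, not code from the Hayabusa project, that compares the header of a Hayabusa CSV against the header a session was built for and reports exactly what changed. The column names in `EXPECTED_STANDARD_HEADER` are an assumption about the standard profile and should be replaced with the header actually used when the session was created; the sample CSV rows are constructed.

```python
import csv
import io

# ASSUMPTION (not taken from the issue thread): header of Hayabusa's
# "standard" profile. Replace with the header your TLE session expects.
EXPECTED_STANDARD_HEADER = [
    "Timestamp", "RuleTitle", "Level", "Computer", "Channel",
    "EventID", "RecordID", "Details", "ExtraFieldInfo",
]


def compare_header(actual, expected):
    """Describe how `actual` deviates from `expected`.

    Returns a dict with the missing columns (in expected order), the extra
    columns (in actual order), whether the same columns merely moved, and
    a single `compatible` flag for exact match.
    """
    actual_set, expected_set = set(actual), set(expected)
    return {
        "missing": [c for c in expected if c not in actual_set],
        "extra": [c for c in actual if c not in expected_set],
        "reordered": actual != expected and actual_set == expected_set,
        "compatible": actual == expected,
    }


def read_header(csv_text):
    """Return the first row of a CSV, stripping a UTF-8 BOM if present."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    return [h.lstrip("\ufeff") for h in header]


def check_csv_header(csv_text, expected=EXPECTED_STANDARD_HEADER):
    """Compare a Hayabusa CSV's header with the expected profile header."""
    return compare_header(read_header(csv_text), expected)


def drift_report(csv_text, expected=EXPECTED_STANDARD_HEADER):
    """Human-readable one-liner suitable for a pre-import sanity check."""
    result = check_csv_header(csv_text, expected)
    if result["compatible"]:
        return "OK: header matches expected profile"
    parts = []
    if result["missing"]:
        parts.append("missing=" + ",".join(result["missing"]))
    if result["extra"]:
        parts.append("extra=" + ",".join(result["extra"]))
    if result["reordered"]:
        parts.append("columns reordered")
    return "DRIFT: " + "; ".join(parts)


# Constructed sample: a header that matches the assumed standard profile.
SAMPLE_OK = (
    "Timestamp,RuleTitle,Level,Computer,Channel,EventID,RecordID,Details,ExtraFieldInfo\n"
    '2024-01-01 00:00:00.000 +00:00,Example Rule,low,HOST01,Sec,4624,1,"User: bob",-\n'
)

# Constructed sample: the last column was renamed, as might happen after a
# profile edit or a version change.
SAMPLE_DRIFT = (
    "\ufeffTimestamp,RuleTitle,Level,Computer,Channel,EventID,RecordID,Details,ExtraFields\n"
    '2024-01-01 00:00:00.000 +00:00,Example Rule,low,HOST01,Sec,4624,1,"User: bob",-\n'
)

if __name__ == "__main__":
    print(drift_report(SAMPLE_OK))
    print(drift_report(SAMPLE_DRIFT))
```

Running this against a CSV before loading it into a saved Timeline Explorer session turns a confusing "session no longer applies" failure into an explicit list of which columns to rename back in the Hayabusa profile config, as suggested above.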

Droid-HK47 commented 4 months ago

Thank you for your quick answer!

I was thinking about a parameter (or even a profile) creating an output that will always be better supported by TLE (fixed columns predefined on the TLE side) without changing anything in the usual behavior of Hayabusa, since the profile feature is something really good.

Maybe supporting only minimal, verbose, super-verbose and standard would not be too much of a hassle. I will share with their project and give you feedback.

YamatoSecurity commented 4 months ago

@Droid-HK47 Thanks for facilitating this! I confirmed that it is working well with TLE so I will close this issue.