Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

feat: add `log-metrics` command feature #1484

Closed fukusuket closed 1 week ago

fukusuket commented 1 week ago

What Changed

Evidence

Integration-Test

fukusuket commented 1 week ago

I created a prototype! The following features have not yet been implemented🤔

@YamatoSecurity I would appreciate your comments when you have time🙏(Sort order of output results, column order, ... etc)

Terminal Output

Screenshot 2024-11-12 12 31 51

CSV Output

Screenshot 2024-11-12 12 33 31
Screenshot 2024-11-12 12 33 26
fukusuket commented 1 week ago

The following three issues may be better separated as separate issues and will be addressed in a separate pull request.

YamatoSecurity commented 1 week ago

@fukusuket Thanks! Looking good. Just two things about the table besides what you mentioned.

  1. Can you rename "Event Count" to just "Events"? Because this column title is long, it is making the column width wider than necessary.
  2. Can you separate the Computers, Channels and Providers by newline instead of commas when there are multiple results? (Make them multi-lined) I think this will be easier to read than separating by commas as well as might make the width narrower.
YamatoSecurity commented 1 week ago

When writing to CSV file, maybe we should separate by the broken pipe character like we do for Hayabusa results?

YamatoSecurity commented 1 week ago

One more bug I noticed is that the progress bar does not reach 100% for some reason.

Screenshot 2024-11-12 at 15 51 42
fukusuket commented 1 week ago

@YamatoSecurity Thank you for the comment! I updated the following points! Could you check it?🙏

Also, I implemented Timeformat/Filter!

fukusuket commented 1 week ago

I created https://github.com/Yamato-Security/hayabusa/pull/1484#issuecomment-2469739234 as a separate issue.

YamatoSecurity commented 1 week ago

@fukusuket Thanks! It seems that --timeline-offset is not working. Can you check this?

YamatoSecurity commented 1 week ago

Sorry, just a few small things.

  1. Can you change the ¦ separator to ¦ with spaces around it?
  2. Do the abbreviations first check the channel_abbreviations.txt file before generic_abbreviations.txt? I see MS-Win-PwrShell/Op but it should be PwSh/Op. Also, provider abbreviations should first check provider_abbreviations.txt and then, after that, use generic_abbreviations.txt.
  3. Could you add a -M, --multiline ("Output event field information in multiple rows") option under Output that uses newlines instead of ¦, like we do for csv-timeline?
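The lookup order discussed in point 2 above is worth seeing in code. The following is an added example, not Hayabusa's own code: it models the abbreviation tables as two-column CSV text (the column layout and every row in the three sample tables are constructed here as assumptions; the real channel_abbreviations.txt, provider_abbreviations.txt and generic_abbreviations.txt are not reproduced) and shows why order matters. An exact-match table (channel or provider) must be consulted before generic token substitution: if the generic replacements run first, "Microsoft-Windows-PowerShell/Operational" is mangled into "MS-Win-PwrShell/Op", which no longer matches the exact table entry that would have produced "PwSh/Op". The struct and function names are hypothetical.

```rust
// Added example (not Hayabusa's code): exact table first, generic substitution as fallback.
use std::collections::HashMap;

// Constructed sample tables in an assumed "full,abbrev" CSV layout (not the real files).
const CHANNEL_ABBREVIATIONS: &str = "\
Channel,Abbreviation
Microsoft-Windows-PowerShell/Operational,PwSh/Op
Security,Sec
";

const PROVIDER_ABBREVIATIONS: &str = "\
Provider,Abbreviation
Microsoft-Windows-Security-Auditing,Sec-Audit
";

// Generic token replacements, applied in file order to names with no exact match.
const GENERIC_ABBREVIATIONS: &str = "\
Microsoft-,MS-
Windows-,Win-
PowerShell,PwrShell
Operational,Op
";

/// Parse "full,abbrev" rows; skips blank lines and a header row whose second column is "Abbreviation".
fn parse_table(csv: &str) -> Vec<(String, String)> {
    csv.lines()
        .filter_map(|line| {
            let (full, abbrev) = line.split_once(',')?;
            if abbrev.trim() == "Abbreviation" {
                return None; // header row
            }
            Some((full.trim().to_string(), abbrev.trim().to_string()))
        })
        .collect()
}

pub struct Abbreviator {
    channel: HashMap<String, String>,
    provider: HashMap<String, String>,
    generic: Vec<(String, String)>, // ordered: substitutions run in file order
}

impl Abbreviator {
    pub fn from_tables(channel: &str, provider: &str, generic: &str) -> Self {
        Self {
            channel: parse_table(channel).into_iter().collect(),
            provider: parse_table(provider).into_iter().collect(),
            generic: parse_table(generic),
        }
    }

    /// Fallback: replace each generic token in order.
    fn generic_replace(&self, name: &str) -> String {
        self.generic
            .iter()
            .fold(name.to_string(), |acc, (full, abbrev)| acc.replace(full, abbrev))
    }

    /// Correct order: exact channel table first, generic substitution only if unmatched.
    pub fn channel(&self, name: &str) -> String {
        self.channel
            .get(name)
            .cloned()
            .unwrap_or_else(|| self.generic_replace(name))
    }

    /// Correct order for providers: provider table first, then generic.
    pub fn provider(&self, name: &str) -> String {
        self.provider
            .get(name)
            .cloned()
            .unwrap_or_else(|| self.generic_replace(name))
    }

    /// The reported symptom: running generic substitution first mangles the name,
    /// so the exact-table lookup can never match afterwards.
    pub fn channel_wrong_order(&self, name: &str) -> String {
        let mangled = self.generic_replace(name);
        self.channel.get(&mangled).cloned().unwrap_or(mangled)
    }
}

pub fn sample() -> Abbreviator {
    Abbreviator::from_tables(CHANNEL_ABBREVIATIONS, PROVIDER_ABBREVIATIONS, GENERIC_ABBREVIATIONS)
}

fn main() {
    let ab = sample();
    let ch = "Microsoft-Windows-PowerShell/Operational";
    println!("{} -> {} (exact table first)", ch, ab.channel(ch));
    println!("{} -> {} (generic first, the reported bug)", ch, ab.channel_wrong_order(ch));
    println!("{} -> {} (no exact entry, generic fallback)", "Microsoft-Windows-Sysmon/Operational",
             ab.channel("Microsoft-Windows-Sysmon/Operational"));
}
```

The same two-stage rule applies to providers: an exact hit in the provider table wins, and only names absent from it are shortened token by token.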
fukusuket commented 1 week ago

@YamatoSecurity Thank you for checking! I fixed the following four points! Could you check it?🙏

It seems that --timeline-offset is not working. Can you check this?

  1. Can you change the ¦ separator to ¦ with spaces around it?
  2. Do the abbreviations first check the channel_abbreviations.txt file before generic_abbreviations.txt? I see MS-Win-PwrShell/Op but it should be PwSh/Op. Also, provider abbreviations should first check provider_abbreviations.txt and then, after that, use generic_abbreviations.txt.
  3. Could you add a -M, --multiline ("Output event field information in multiple rows") option under Output that uses newlines instead of ¦, like we do for csv-timeline?