Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

New `expand-list` command #1513

Open YamatoSecurity opened 5 days ago

YamatoSecurity commented 5 days ago

In order to help users understand what expand config files they need to create, we should include a command that lists the placeholders.

Usage:
  hayabusa.exe expand-list <INPUT> [OPTIONS]

Input:
  -r, --rules <DIR>  Directory of rules (default: ./rules)

General Options:
  -h, --help                           Show the help menu

Display Settings:
  -K, --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner

Stdout:

5 unique expand placeholders found:

Admins_Workstations
DC-MACHINE-NAME
Workstations
internal_domains
domain_controller_hostnames

This command just recursively checks the .yml files in ./rules or the specified rules directory, extracts Admins_Workstations, etc. from IpAddress|expand: '%Admins_Workstations%' and does sort -u

@fukusuket Could I ask you to do this one?
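As an added illustration of the scan described in the comment above (this is not code from the hayabusa project or from either participant), the following stdlib-only Rust program walks a rules directory, reads every .yml file, pulls the name out of each %...% token that appears in the value of a field|expand: key, and prints the names deduplicated and sorted. The function and variable names, the "rules" default, and the assumption that an expand value is either inline or a YAML list directly beneath the key are mine; it does line-based parsing rather than using a YAML library, and it deliberately ignores %...% strings under other keys (such as '%SystemRoot%' in an Image field) so that they are not reported as placeholders.

```rust
use std::collections::BTreeSet;
use std::fs;
use std::io;
use std::path::Path;

/// Pull `NAME` out of every `%NAME%` token that sits in the value of a
/// `field|expand:` key. The value is either inline on the same line or a
/// `- '%NAME%'` YAML list on the following lines (assumption of this sketch).
fn extract_placeholders(yaml: &str) -> BTreeSet<String> {
    let mut found = BTreeSet::new();
    let mut in_expand_list = false;
    for raw in yaml.lines() {
        let line = raw.trim();
        // `IpAddress|expand: '%X%'` or `field|expand|contains:` open an expand value.
        if let Some(idx) = line.find("|expand") {
            let after_key = match line[idx..].find(':') {
                Some(c) => &line[idx + c + 1..],
                None => continue,
            };
            let value = after_key.trim();
            if value.is_empty() {
                // Value continues as a list on the next lines.
                in_expand_list = true;
            } else {
                in_expand_list = false;
                collect_tokens(value, &mut found);
            }
            continue;
        }
        if in_expand_list {
            match line.strip_prefix('-') {
                Some(item) => collect_tokens(item, &mut found),
                // First non-list line ends the expand value; anything after
                // it (e.g. '%SystemRoot%' in another field) is not a placeholder.
                None => in_expand_list = false,
            }
        }
    }
    found
}

/// Collect every `%...%` pair in `s` whose inner name looks like an identifier.
fn collect_tokens(s: &str, out: &mut BTreeSet<String>) {
    let mut rest = s;
    while let Some(start) = rest.find('%') {
        let after = &rest[start + 1..];
        match after.find('%') {
            Some(end) => {
                let name = &after[..end];
                if !name.is_empty()
                    && name.chars().all(|c| c.is_alphanumeric() || c == '_' || c == '-')
                {
                    out.insert(name.to_string());
                }
                rest = &after[end + 1..];
            }
            None => break,
        }
    }
}

/// Recursively walk `dir`, reading every `.yml` file and merging its placeholders.
/// BTreeSet orders byte-wise, the same as `sort -u` in the C locale
/// (upper-case names sort before lower-case ones).
fn collect_from_dir(dir: &Path, out: &mut BTreeSet<String>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if path.is_dir() {
            collect_from_dir(&path, out)?;
        } else if path.extension().map_or(false, |e| e == "yml") {
            let text = fs::read_to_string(&path)?;
            out.extend(extract_placeholders(&text));
        }
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Rules directory from argv[1], defaulting to ./rules as in the proposed CLI.
    let dir = std::env::args().nth(1).unwrap_or_else(|| "./rules".to_string());
    let mut names = BTreeSet::new();
    collect_from_dir(Path::new(&dir), &mut names)?;
    println!("{} unique expand placeholders found:\n", names.len());
    for name in &names {
        println!("{}", name);
    }
    Ok(())
}
```

Run it as `cargo run -- ./rules`; the line-based approach is enough for the flat Sigma detection blocks the rules use, but a rule that folds an expand value across several lines or quotes it in an unusual way would need a real YAML parser.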

fukusuket commented 5 days ago

Yes, I would love to implement it!💪