Export CSV generates no valid CSV

[evild3ad]

--exportcsv (zircolite_win10_nuitka_embedded.exe) generates no valid CSV format.

What is the delimiter?

Headers are not matching the content of the columns: descriptionrow_id --> space missing???

[wagga40]

Hi,

the default delimiter is ";", you can check this in the Jinja2 template used to generate the CSV : here. But you are right the is an typo in the template : the delimiter is missing...

If you are in a hurry you can correct the template and regen an embedded version with genEmbed (help here) and package it as a binary (help here).

If you are not in a hurry, I will correct it today.

Thanks again.

[evild3ad]

I'm not in hurry. I wrote a PowerShell script to automate and simplify the usage of Zircolite. I will beautify the CSV output via ImportExcel by Doug Finke.

Thanks a lot!

[wagga40]

Oh and by the way, if you want you can change the delimiter by editing the template. I generally avoid CSV format, but when I do, I'd prefer to use the ";" as delimiter despite the fact it is normally the comma.

[evild3ad]

";" as delimiter is fine.

[evild3ad]

Hmm...multiple columns have "Channel" as header...should be unique I think.

[wagga40]

Yeah it seems the template is messed up. Will work on it. Sorry.

[wagga40]

I don't have good news.

Since I clean the empty values here, it is nearly impossible with the Jinja2 templating system to have a well-formatted CSV because of the variable number of fields.

The template predate this change and was not even correct.

For now, to be able export in CSV, I will have to handle it with dedicated code and not templating.

[wagga40]

Ok I've added a "csv" mode which output directly in csv (without using templating) Since I still have a lot of tests to do before the next version to be ready, I will check If I do an intermediate version.

It is really nice to have feedback.

[evild3ad]

Thank you!

[wagga40]

I've added CSV support in a specific branch for testing : https://github.com/wagga40/Zircolite/tree/csv-support

Please note that this mode replace the default json output and change the format of events if you forward them to a collector (Splunk HEC or Custom HTTP Server).

I will post binaries as a pre-release.

[evild3ad]

I started testing the pre-release this morning.

• Column A and column DZ have the same header "title" that throughs an error. Excel ignores this.
• Please add MITRE Tactics
• Please add MITRE Techniques (when possible)

I will contact you via Twitter...I think we have to remove a lot of columns for the CSV output...to normalize the output. When needed the analyst can switch to JSON output...so I would always output CSV and JSON.

I cannot send you a message via Twitter...I think you have to follow me back or change your privacy settings temporarily. Let's switch to a more private channel...

[wagga40]

I cannot send you a message via Twitter...I think you have to follow me back or change your privacy settings temporarily. Let's switch to a more private channel...

Done.