Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: metrics, logon-summary and csv-timline show different total event records #1105

Closed
YamatoSecurity opened this issue Jun 22, 2023 · 2 comments · Fixed by #1106
Closed

Bug: metrics, logon-summary and csv-timline show different total event records #1105

YamatoSecurity opened this issue Jun 22, 2023 · 2 comments · Fixed by #1106
Assignees
@hitenkoku
Labels
bug Something isn't working
Milestone
v2.7.0

Comments

@YamatoSecurity
Copy link
Collaborator

When running the metrics, logon-summary and csv-timeline commands, the total event records count will be different.
Test:
./hayabusa-2.6.0-mac-intel metrics -d ../hayabusa-sample-evtx -o test.csv -C

./hayabusa-2.6.0-mac-intel logon-summary -d ../hayabusa-sample-evtx -o test.csv -C

./hayabusa-2.6.0-mac-intel csv-timeline -d ../hayabusa-sample-evtx -o test.csv -C

Results:
logon-summary: 94950
metrics: 47475
csv-timeline: 47,476

Also, there are no commas displayed with logon-summary and metrics so it is difficult to read the number when the event record count is in the millions. (ie. 234723049) So I would like to add commas like in csv-timeline (-> 234,723,049)

@hitenkoku Could you look at this whenever you have time? (I think you are the most knowledgable about this)
@YamatoSecurity YamatoSecurity added the bug Something isn't working label Jun 22, 2023
@YamatoSecurity YamatoSecurity added this to the v2.7.0 milestone Jun 22, 2023
@hitenkoku hitenkoku self-assigned this Jun 22, 2023
@hitenkoku
Copy link
Collaborator

hitenkoku commented Jun 23, 2023
edited
Loading

`
@YamatoSecurity

The cause of the problem has been identified.
The logon-summary is double the number of records in metrics because it was double counted with the metrics tally.

The difference between metrics and csv-timeline is that the record count in metrics was counting the number of records after channel name and EID filtering.
The number in csv-timeline is the original record count.

Filtered record is following, filtered by Event>System>Channel is not found.

{"Event": Object {"SubscriptionBookmarkEvent": Object {"SubscriptionId": Null}, "System": Object {"Computer": String("dhcp01.offsec.lan"), "EventID": String("111"), "Provider_attributes": Object {"Name": String("Microsoft-Windows-EventForwarder")}, "TimeCreated_attributes": Object {"SystemTime": String("2021-04-27T15:03:16.983Z")}}}, "Event_attributes": Object {"xmlns": String("http://schemas.microsoft.com/win/2004/08/events/event")}}

hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
UI(timelines): changed total event records number format in metrics a…
4cd33c6 
…nd logon-summary #1105
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
fix(timelines): fixed wron total record count in logon-summary #1105
a36c4cc
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
fix(main/metrics): fixed total record count in metrics and logon-summ…
68ca586 
…ary #1105
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
fix(timelines): modified not to output standard output when the outpu…
1c9d00a 
…t option is set in logon-summary command #1105
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
docs(added #1105):
44a65a8
@hitenkoku hitenkoku linked a pull request Jun 23, 2023 that will close this issue
fixed metrics and logon-summary records and csv-timline show different total event records #1106
Merged
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
test(adjusted test due to a change in the setting method of stats.local
049e39d 
#1105):
@hitenkoku
Copy link
Collaborator

hitenkoku commented Jun 23, 2023
edited
Loading

@YamatoSecurity There are two ways to fix it: 1. for 2. it affects the % of metrics and logon-summary display; and 2. for 3. it affects the % of logon-summary display. If you want to avoid affecting the % notation, need to separate the display variables from the aggregate variables. (In #1106, This adjusted)

  1. count the number of records in csv-timeline as the number of records after filtering for Channel and EID, instead of the total number of records
  2. the number of records in logon-summary and metrics should be the same as the overall number of records used in csv-timeline (this is currently done in the implementation at fixed metrics and logon-summary records and csv-timline show different total event records #1106) currently implemented at )

hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
fix(main/metrics/timelines): separate variables for total and aggrega…
e4ec957 
…ted records in metrics and logon-summary #1105
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
fix(timelines): fixed wrong total record count in logon-summary #1105
492973a
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
fix(main/metrics): fixed total record count in metrics and logon-summ…
bbe5b82 
…ary #1105
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
docs(CHANGELOG): added #1105
02cbdfd
hitenkoku added a commit that referenced this issue Jun 23, 2023
@hitenkoku
test(adjusted test due to a change in the setting method of stats.local
53bb207 
#1105):

fix(main/metrics/timelines): separate variables for total and aggregated records in metrics and logon-summary #1105
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hitenkoku hitenkoku

Labels
bug Something isn't working
Projects
None yet
Milestone
v2.7.0
2 participants
@hitenkoku @YamatoSecurity