Double quote CSV fields #965

Closed
YamatoSecurity opened this issue Mar 17, 2023 · 1 comment · Fixed by #967

@YamatoSecurity
Collaborator

@hitenkoku
Is it possible to enclose fields in CSV output in double quotes?
For example, instead of:
2020-05-02 02:55:26.493 +00:00,UZUMAKI-PC.hinokabe.local,Sysmon,10,low,138294,Proc Access,SrcProc: C:\windows\system32\svchost.exe ¦ TgtProc: C:\windows\System32\svchost.exe ¦ SrcUser: n/a ¦ TgtUser: n/a ¦ Access: 0x1000 ¦ SrcPID: 900 ¦ SrcPGUID: {6bbf237a-cafb-5eac-1000-000000000400} ¦ TgtPID: 2092 ¦ TgtPGUID: {6bbf237a-cb97-5eac-6202-000000000400}
I want to output:
"2020-05-02 02:55:26.493 +00:00","UZUMAKI-PC.hinokabe.local","Sysmon","10","low","138294","Proc Access","SrcProc: C:\windows\system32\svchost.exe ¦ TgtProc: C:\windows\System32\svchost.exe ¦ SrcUser: n/a ¦ TgtUser: n/a ¦ Access: 0x1000 ¦ SrcPID: 900 ¦ SrcPGUID: {6bbf237a-cafb-5eac-1000-000000000400} ¦ TgtPID: 2092 ¦ TgtPGUID: {6bbf237a-cb97-5eac-6202-000000000400}"

The reason is that the Details and especially the AllFieldInfo fields are too long, so I want to convert ¦ to a return character, but because the strings do not have double quotes, the new characters put the fields on the next row.
Something like this: cat results.csv | awk '{gsub(/ ¦ /,"\r\n"); print;}' > multi-line-results.csv

If results.csv uses double quotes, we can import with multiple lines like this:
[Screenshot: Screen Shot 2023-03-17 at 5 53 37 PM]

This makes things easier to analyze on normal screens.

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Mar 17, 2023
@hitenkoku hitenkoku self-assigned this Mar 17, 2023
@hitenkoku hitenkoku added this to the v2.3.1 milestone Mar 17, 2023
@hitenkoku
Collaborator

hitenkoku commented Mar 17, 2023

@YamatoSecurity
Thank you very much. Let me check a few things.

  1. Is there no need for an option to make the output like this?

  2. What if I have data like this:

Payload: ixr "http://evil.example.com"

I am assuming that with this modification, it would look something like this.

"Payload: ixr ""http://evil.example.com""""
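
The effect discussed in this thread, shown as an added example that is not part of the original issue or the project's code: after the ` ¦ ` to `\r\n` substitution, an unquoted record splits into several rows, while a fully quoted one still parses as a single record, including a field with embedded double quotes. Python's `csv` module stands in for the tool's CSV writer (an assumption), `QUOTE_MINIMAL` stands in for the unquoted output, and the rows are constructed, shortened from the ones quoted above.

```python
import csv
import io

SEP = " ¦ "
HEAD = ["2020-05-02 02:55:26.493 +00:00", "UZUMAKI-PC.hinokabe.local",
        "Sysmon", "10", "low", "138294", "Proc Access"]
# Constructed sample records: Details shortened from the row in the issue,
# plus the embedded-quote payload from the follow-up comment.
ROWS = [
    HEAD + [r"SrcProc: C:\windows\system32\svchost.exe ¦ SrcPID: 900 ¦ Access: 0x1000"],
    HEAD + ['Payload: ixr "http://evil.example.com" ¦ SrcUser: n/a'],
]


def render(rows, quoting):
    """Serialize records to CSV text with the given csv quoting mode."""
    buf = io.StringIO()
    csv.writer(buf, quoting=quoting, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def expand_separators(csv_text):
    """Text-level substitution equivalent to awk's gsub(/ ¦ /, "\r\n")."""
    return csv_text.replace(SEP, "\r\n")


def parse(csv_text):
    """Parse CSV text into records; newline="" keeps embedded CR/LF intact."""
    return list(csv.reader(io.StringIO(csv_text, newline="")))


def roundtrip(quoting):
    """Render the sample rows, expand the separators, and parse the result."""
    return parse(expand_separators(render(ROWS, quoting)))


def field_counts(quoting):
    """Number of fields in each parsed record after the substitution."""
    return [len(record) for record in roundtrip(quoting)]


if __name__ == "__main__":
    for name, mode in (("QUOTE_MINIMAL", csv.QUOTE_MINIMAL),
                       ("QUOTE_ALL", csv.QUOTE_ALL)):
        print(f"{name}: field counts per parsed record = {field_counts(mode)}")
    # How the embedded-quote payload is written when every field is quoted.
    print(render([['Payload: ixr "http://evil.example.com"']], csv.QUOTE_ALL), end="")
```

Under `QUOTE_MINIMAL` the second sample row survives the substitution only because its embedded double quotes force that one field to be quoted; the first row, which has no special characters, is the case the issue describes.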
