fixed MitreTactics, MitreTags, OtherTags do not output in json timeline output #1062
Conversation
Codecov Report
Patch coverage:
Coverage diff (main vs. #1062):

```text
@@ Coverage Diff @@
##           main    #1062      +/-   ##
==========================================
+ Coverage   74.00%   75.70%   +1.70%
==========================================
  Files          24       24
  Lines       18186    18636     +450
==========================================
+ Hits        13459    14109     +650
+ Misses       4727     4527     -200
```

View full report in Codecov by Sentry.
EvidenceCase1 (hayabusa-sample-evtx)
- refs: #1061 "Step to Reproduce"
- checked #1061 reproduce data in 1061.json

Test2 (all-evtx.tgz, 6.1GB)
I confirmed that Tags are output in json-timeline :)
I think it's expected behavior, but the result for `"EventID": 4104` has the following difference.

```shell
json-timeline -d hayabusa-sample-evtx -o out.json
```

This PR

```json
{
  "Timestamp": "2021-04-22 19:04:37.081 +09:00",
  "Computer": "win10-02.offsec.lan",
  "Channel": "PwSh",
  "EventID": 4104,
  "Level": "info",
  "RecordID": 135,
  "RuleTitle": "PwSh Scriptblock",
  "Details": {
    "ScriptBlock": "Write-Host 'Final | 1';"
  }
}
```

main

```json
{
  "Timestamp": "2021-04-22 19:04:37.081 +09:00",
  "Computer": "win10-02.offsec.lan",
  "Channel": "PwSh",
  "EventID": 4104,
  "Level": "info",
  "RecordID": 135,
  "RuleTitle": "PwSh Scriptblock",
  "Details": {
    "ScriptBlock": "Write-Host 'Final",
    "result": "1';"
  }
}
```

Is the above diff the expected behavior? (If it's OK, it's LGTM! 🚀)
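The comparison in the review above is the kind of check a reviewer repeats for every version bump: run the JSON timeline on the same evidence with both builds and report any record whose fields differ. The following is an added example, not code from the hayabusa project, that does that comparison over two JSON Lines outputs. The two embedded records are constructed from the outputs quoted in the comment (one record per build); the helper names are this example's own. It also lists fields whose values contain a given token (here `" | "`), since the record shown is exactly the case where a value containing the separator was split into two keys on main.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample: the single 4104 record from each output quoted in the
# review comment, serialised as JSON Lines (one record per line).
THIS_PR_OUTPUT = """\
{"Timestamp": "2021-04-22 19:04:37.081 +09:00", "Computer": "win10-02.offsec.lan", "Channel": "PwSh", "EventID": 4104, "Level": "info", "RecordID": 135, "RuleTitle": "PwSh Scriptblock", "Details": {"ScriptBlock": "Write-Host 'Final | 1';"}}
"""

MAIN_OUTPUT = """\
{"Timestamp": "2021-04-22 19:04:37.081 +09:00", "Computer": "win10-02.offsec.lan", "Channel": "PwSh", "EventID": 4104, "Level": "info", "RecordID": 135, "RuleTitle": "PwSh Scriptblock", "Details": {"ScriptBlock": "Write-Host 'Final", "result": "1';"}}
"""

# A record is identified by (Timestamp, Computer, RecordID); RecordID alone is
# only unique per log file, so Computer and Timestamp are included.
Key = Tuple[str, str, int]


def load_jsonl(text: str) -> Dict[Key, dict]:
    """Parse JSON Lines timeline output into a dict keyed by record identity."""
    records: Dict[Key, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        records[(rec["Timestamp"], rec["Computer"], rec["RecordID"])] = rec
    return records


def flatten(obj: object, prefix: str = "") -> Dict[str, object]:
    """Flatten nested dicts into dotted paths, e.g. 'Details.ScriptBlock'."""
    out: Dict[str, object] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def diff_timelines(a_text: str, b_text: str) -> List[Tuple[Key, str, Optional[object], Optional[object]]]:
    """Return (record key, field path, value in a, value in b) for every field that differs.

    A path present in only one output is reported with None on the other side,
    which is how a split value like 'Details.result' shows up.
    """
    a, b = load_jsonl(a_text), load_jsonl(b_text)
    diffs = []
    for key in sorted(set(a) | set(b)):
        fa, fb = flatten(a.get(key, {})), flatten(b.get(key, {}))
        for path in sorted(set(fa) | set(fb)):
            if fa.get(path) != fb.get(path):
                diffs.append((key, path, fa.get(path), fb.get(path)))
    return diffs


def values_containing(text: str, token: str) -> List[Tuple[Key, str]]:
    """List (record key, field path) whose string value contains token.

    Useful for picking out the records most worth eyeballing after a change to
    how Details fields are parsed: values containing the separator itself.
    """
    hits = []
    for key, rec in load_jsonl(text).items():
        for path, value in flatten(rec).items():
            if isinstance(value, str) and token in value:
                hits.append((key, path))
    return hits


if __name__ == "__main__":
    for key, path, left, right in diff_timelines(THIS_PR_OUTPUT, MAIN_OUTPUT):
        print(f"{key[2]} {path}: this PR={left!r} main={right!r}")
    print("values containing ' | ':", values_containing(THIS_PR_OUTPUT, " | "))
```

Run it against two real outputs by reading the files into the two text arguments; an empty diff list is the "no diffs with v2.5.1" result the reviewer reports below, and a non-empty one pinpoints the field rather than leaving you to compare whole records by eye.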
@fukusuket Thank you for your super fast review.
I think that indication is correct for the main branch result. I will fix it.

@fukusuket
Thank you for the quick fix!
I have verified that the default profile result has no diffs from v2.5.1 :) LGTM!! 🚀

@fukusuket Thank you for your kind review!
@hitenkoku Thank you so much!
`%ExtraFieldInfo%` is also being output now.
LGTM
What Changed
I would appreciate it if you could review when you have time.