Corresponding timeline option for directory input

CHANGELOG-Japanese.md

@@ -7,6 +7,7 @@
 - `stack-computers`コマンド: `Computer`(デフォルト)または`SrcComp`フィールドのスタック分析をしながら、アラート情報も提供する。(#125) (@fukusuket)
 - `stack-ip-addresses`コマンド: `SrcIP`(デフォルト)または`TgtIP`フィールドのスタック分析をしながら、アラート情報も提供する。(#129) (@fukusuket)
 - `stack-users`コマンド: `TgtUser`(デフォルト)または`SrcUser`フィールドのスタック分析をしながら、アラート情報も提供する。(#130) (@fukusuket)
+- スキャン時に複数の`.jsonl`ファイルが入っているディレクトリを指定できるようになった。 #133 (@hitenkoku)
 
 **改善:**
 

CHANGELOG.md

@@ -7,6 +7,7 @@
 - `stack-computers` command: stack the `Computer` (default) or `SrcComp` fields as well as provide alert information. (#125) (@fukusuket)
 - `stack-ip-addresses` command: stack the `SrcIP` (default) or `TgtIP` fields as well as provide alert information. (#129) (@fukusuket)
 - `stack-users` command: stack the `TgtUser` (default) or `SrcUser` fields as well as provide alert information. (#130) (@fukusuket)
+- You can now specify a directory of `.jsonl` files to scan. #133 (@hitenkoku)
 
 **Enhancements:**
 

README.md

@@ -106,7 +106,7 @@ Takajō means ["Falconer"](https://en.wikipedia.org/wiki/Falconry) in Japanese a
  - [`ttp-visualize` command examples](#ttp-visualize-command-examples)
  - [`ttp-visualize` screenshot](#ttp-visualize-screenshot)
  - [`ttp-visualize-sigma` command](#ttp-visualize-sigma-command)
- - [`ttp-visualize-simga` command examples](#ttp-visualize-sigma-command-examples)
+ - [`ttp-visualize-sigma` command examples](#ttp-visualize-sigma-command-examples)
  - [VirusTotal Commands](#virustotal-commands-1)
  - [`vt-domain-lookup` command](#vt-domain-lookup-command)
  - [`vt-domain-lookup` command examples](#vt-domain-lookup-command-examples)
@@ -212,7 +212,7 @@ Extracts and reassemles PowerShell EID 4104 script block logs.
 
 Required options:
 
-- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline
+- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline file or directory
 
 Options:
 
@@ -252,7 +252,7 @@ Currently it will only check queried domains in Sysmon EID 22 logs but will be u
 Required options:
 
 - `-o, --output <TXT-FILE>`: save results to a text file.
-- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline.
+- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline file or directory.
 
 Options:
 
@@ -326,7 +326,7 @@ It will extract the `TgtIP` fields for target IP addresses and `SrcIP` fields fo
 Required options:
 
 - `-o, --output <TXT-FILE>`: save results to a text file.
-- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline.
+- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline file or directory.
 
 Options:
 
@@ -496,7 +496,7 @@ Split up a large JSONL timeline into smaller ones based on the computer name.
 
 Required options:
 
-- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline.
+- `-t, --timeline <JSONL-FILE>`: Hayabusa JSONL timeline file or directory.
 
 Options:
 

src/takajo.nim

@@ -114,7 +114,7 @@ when isMainModule:
  "displayTable": "display the result table",
  "output": "output directory (default: scriptblock-logs)",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
  }
  ],
  [
@@ -125,7 +125,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "output directory (default: scriptblock-logs)",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
  }
  ],
  [
@@ -137,7 +137,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a text file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  },
  short = {
  "includeSubdomains": 'd',
@@ -152,7 +152,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "specify the base name to save results to text files (ex: -o case-1)",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  }
  ],
  [
@@ -165,7 +165,7 @@ when isMainModule:
  "output": "save results to a text file",
  "privateIp": "include private IP addresses",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  },
  short = {
  "output": 'o',
@@ -210,7 +210,7 @@ when isMainModule:
  help = {
  "output": "output directory (default: output)",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
  }
  ],
  [
@@ -222,7 +222,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  },
  short = {
  "sourceComputers": 'c'
@@ -238,7 +238,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  },
  short = {
  "ignoreSysmon": 'y',
@@ -253,7 +253,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  }
  ],
  [
@@ -265,7 +265,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
  },
  short = {
  "targetIpAddresses": 'a'
@@ -279,7 +279,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  }
  ],
  [
@@ -292,7 +292,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  }, 
  short = {
  "ignoreSysmon": 'y',
@@ -307,7 +307,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  },
  short = {
  "ignoreSystem": 'y',
@@ -322,7 +322,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  }
  ],
  [
@@ -336,7 +336,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
  },
  short = {
  "filterComputerAccounts": 'c',
@@ -350,7 +350,7 @@ when isMainModule:
  "output": "save results to a text file",
  "processGuid": "sysmon process GUID",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  }
  ],
  [
@@ -363,7 +363,7 @@ when isMainModule:
  "outputLogoffEvents": "output logoff events as separate entries",
  "skipProgressBar": "do not display the progress bar",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  },
  short = {
  "outputLogoffEvents": 'l',
@@ -377,7 +377,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
  }
  ],
  [
@@ -388,7 +388,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any besides all-field-info*)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
  }
  ],
  [
@@ -398,7 +398,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a CSV file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
  }
  ],
  [
@@ -408,7 +408,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a csv file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any verbose profile)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any verbose profile)",
  }
  ],
  [
@@ -418,7 +418,7 @@ when isMainModule:
  "skipProgressBar": "do not display the progress bar",
  "output": "save results to a json file",
  "quiet": "do not display the launch banner",
- "timeline": "Hayabusa JSONL timeline (profile: any verbose profile)",
+ "timeline": "Hayabusa JSONL timeline file or directory (profile: any verbose profile)",
  }
  ],
  [