
[bug] Timeline commands can read file but not folder #1382

Open
Droid-HK47 opened this issue Jul 5, 2024 · 4 comments
Labels: bug, pending

Comments

@Droid-HK47

Describe the bug

In a particular environment, the command json-timeline or csv-timeline cannot read the EVTX folder, but can read a file alone.

Steps to Reproduce
Steps to reproduce the behavior:

I think the bug cannot be reproduced because I have no problems with another computer; it might be specific to my environment.

  1. Try : .\hayabusa-2.16.0-win-x64.exe csv-timeline -d 'C:<EVTX Logs Path>'
  2. Hayabusa will indicate "Total event log files : X". In winevt, I got something like 400 files with 3-4 GB.
  3. After loading the rules, Hayabusa will show
Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 0
Detection rules enabled after channel filter: 0

So it just ignores all the EVTX files it was able to read just before. Then the program finishes without doing much analysis since it has filtered out all of them.

  1. Try : .\hayabusa-2.16.0-win-x64.exe csv-timeline -f 'C:<EVTX Logs Path>\Security.evtx'
  2. It works like a charm. So it seems it has problems with reading a folder?
  3. --live-analysis got the same problem
  4. I have tried to take only 2 EVTX files in another neighbouring folder with the same rights (Security.evtx / Application.evtx): it works.
  5. I have double-checked the rights of all the files. They are all in the scope of the user (below local Admin / System, I have tried both). Defender has no logs of trying to block something. I have checked in Procmon and I cannot see real problems (Successes and some "Buffer overflow", as usual; they also exist when it works).

Expected behavior

Just not to have the channel filter filter out all of the EVTX files.


Environment (please complete the following information):

  • OS: Windows 11 Enterprise 10.0.22631
  • hayabusa version 2.16.0

Additional context

I know the problem seems linked to my environment (the same problems with Hayabusa on other machines in my enterprise; it wasn't the case before). Could you verify whether you have already seen such a behavior?
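To make the two "after channel filter" counters quoted in the report easier to reason about, here is an added, simplified model of a channel filter (illustration only, not Hayabusa's own code): files that no rule targets and rules that no file can feed are dropped, and a file whose channel cannot be determined matches nothing, which is one way to arrive at "0 files / 0 rules". File paths, channel names and rule ids are constructed sample data.

```python
# Added illustration (not Hayabusa's own code): a simplified model of a
# channel filter that drops EVTX files no rule targets and rules no file
# can feed, showing how it can end up at "0 files / 0 rules".
# Channel names, paths and rule ids below are constructed sample data.

def channel_filter(evtx_channels, rule_channels, normalize=str.casefold):
    """Apply the filter and return (files_kept, rules_kept), both sorted.

    evtx_channels: {path: channel or None}   channel read from each file's records
    rule_channels: {rule_id: channel}        the Channel each rule applies to
    normalize:     how names are compared (pass str for an exact match)
    A file whose channel could not be read (None) never matches any rule.
    """
    wanted = {normalize(c) for c in rule_channels.values()}
    present = {normalize(c) for c in evtx_channels.values() if c is not None}
    files_kept = sorted(p for p, c in evtx_channels.items()
                        if c is not None and normalize(c) in wanted)
    rules_kept = sorted(r for r, c in rule_channels.items()
                        if normalize(c) in present)
    return files_kept, rules_kept


def filter_summary(evtx_channels, rule_channels, **kw):
    """Produce the two status lines in the same shape as the ones in the report."""
    files_kept, rules_kept = channel_filter(evtx_channels, rule_channels, **kw)
    return (f"Evtx files loaded after channel filter: {len(files_kept)}\n"
            f"Detection rules enabled after channel filter: {len(rules_kept)}")


# Constructed sample inputs.
RULES = {
    "sec-logon":   "Security",
    "sysmon-proc": "Microsoft-Windows-Sysmon/Operational",
    "ps-script":   "Microsoft-Windows-PowerShell/Operational",
}
FILES_OK = {
    r"C:\logs\Security.evtx": "Security",
    r"C:\logs\Application.evtx": "Application",
    r"C:\logs\Microsoft-Windows-Sysmon%4Operational.evtx":
        "Microsoft-Windows-Sysmon/Operational",
}
# Failure mode: the channel of every file came back unreadable.
FILES_UNREADABLE = {path: None for path in FILES_OK}

if __name__ == "__main__":
    print(filter_summary(FILES_OK, RULES))          # 2 files, 2 rules
    print(filter_summary(FILES_UNREADABLE, RULES))  # 0 files, 0 rules
```

Passing `normalize=str` shows the other way to reach 0/0: a rule written for "security" then no longer matches a file whose channel reads "Security".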

@Droid-HK47 Droid-HK47 added the bug Something isn't working label Jul 5, 2024
@YamatoSecurity
Collaborator

Thank you for reporting this. What happens when you scan the directory and add -a -A options to disable the channel filters?

@fukusuket
Collaborator

fukusuket commented Jul 7, 2024

I ran it on a newly created Windows 11 in Azure and it worked fine as follows. Thus, it appears to be a problem that occurs only in certain environments🤔 What about running it with the -a/-A/-v option, as @YamatoSecurity says?

[Screenshots: 2024-07-07 15:35:29, 2024-07-07 15:35:46, 2024-07-07 15:35:54]

@Droid-HK47
Author

Droid-HK47 commented Jul 9, 2024

Hello here,

Could you point me to where in the doc the "-a"/"-A" parameters are? I just found this under the command "search":

-a, --and-logic Search keywords with AND logic (default: OR)

That isn't exactly what I was expecting.

Anyway, it just works, and I don't understand exactly what is wrong with the channel filter since I have used exactly the same version of Hayabusa on both computers with the same set of data on a Windows 11 machine. I guess the default channel filter is different for some reason?

EDIT: never mind, I hadn't found -a on the main page of the Git repo for csv-timeline, but it is actually in the command-line help.

@YamatoSecurity
Collaborator

@Droid-HK47
You can get the help menu with hayabusa.exe help csv-timeline or hayabusa.exe csv-timeline -h.

The channel filter is explained here: https://github.com/Yamato-Security/hayabusa/blob/main/CHANGELOG.md but I will add it to the main readme later.

You are using the same latest 2.16.0 on two different Windows 11 machines with the same commands against the same data but for one machine the channel filter is causing Hayabusa not to detect anything. Is this correct?

Can you see if there are any other differences between these Windows machines? Are they using the same locale, etc.?
