
feat: output field information in green and messages in orange #1498

Merged
merged 22 commits into main from 1491-output-field-info-in-green-and-msg-in-orange on Nov 16, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Nov 15, 2024

What Changed

Evidence

Integration-Test

https://github.com/Yamato-Security/hayabusa/actions/runs/11853318764

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket added the enhancement New feature or request label Nov 15, 2024
@fukusuket fukusuket added this to the 2.19.0 milestone Nov 15, 2024
@fukusuket fukusuket self-assigned this Nov 15, 2024
@fukusuket fukusuket marked this pull request as ready for review November 15, 2024 09:06
@fukusuket fukusuket marked this pull request as draft November 15, 2024 09:14
@YamatoSecurity
Collaborator

@fukusuket Thanks so much! Looking great! One small part: I noticed "Scanning finished. Please wait while the results are being saved." is still white. Is it possible to display it in orange? If it is hard because it is part of the progress bar, then we can leave it white or make everything (files being scanned) all orange if possible.

@fukusuket
Collaborator Author

@YamatoSecurity
Thank you so much for checking!
Unfortunately I tried, but that message was output in the Progress Bar module and I could not change the color... :(

@fukusuket
Collaborator Author

fukusuket commented Nov 15, 2024

The color can be changed by erasing the progress bar itself at the end of the progress bar, but I think it is easier to understand if the progress bar is output at 100%.

@fukusuket
Collaborator Author

Sorry, I noticed that commands other than timeline (metrics/pivot ... etc) still need to be colored, so I'm fixing it!

@fukusuket fukusuket marked this pull request as ready for review November 15, 2024 11:39
@fukusuket
Collaborator Author

@YamatoSecurity
I fixed coloring except for timeline commands as follows! Could you please check it?🙏
https://github.com/Yamato-Security/hayabusa/actions/runs/11855691986

@YamatoSecurity
Collaborator

@fukusuket Thanks! I figured out how to make the "Scanning finished...." message orange, but it is still orange when the --no-color option is enabled. Do you know how to disable the coloring when this is enabled?
Also, could you add a short-hand option for --no-color? Maybe -k? (Anything that is not already used is ok.)

@fukusuket
Collaborator Author

fukusuket commented Nov 15, 2024

@YamatoSecurity
Thank you so much! Great!!🚀 I updated #1498 (comment) :)
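The exchange above is about making every colored message honor --no-color. The following is an added example, not Hayabusa's own code: a small color helper in Rust that paints field information green and messages orange only while color output is enabled, treats a --no-color flag (and, as an assumption, the NO_COLOR environment-variable convention) as disabling it, and strips any ANSI escape sequence before text is written to a results file so saved CSV/JSON never carries terminal control codes. All names (Role, ColorConfig, paint, strip_ansi) are hypothetical, and the 256-color codes 2 (green) and 208 (orange) are assumptions, not the project's actual palette.

```rust
// Added example (not Hayabusa's code): colour only when enabled, and never in
// saved output. Names and colour codes are hypothetical.

/// The two roles discussed in the PR: field information and status messages.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    FieldInfo,
    Message,
}

/// ANSI 256-colour foreground codes (assumed palette: 2 = green, 208 = orange).
fn ansi_code(role: Role) -> &'static str {
    match role {
        Role::FieldInfo => "\x1b[38;5;2m",
        Role::Message => "\x1b[38;5;208m",
    }
}

const RESET: &str = "\x1b[0m";

/// Output settings, normally derived from the parsed CLI options.
#[derive(Clone, Copy, Debug)]
pub struct ColorConfig {
    pub enabled: bool,
}

impl ColorConfig {
    /// `no_color_flag` models `--no-color`; `no_color_env` models the value of
    /// the NO_COLOR environment variable (any non-empty value disables colour).
    pub fn new(no_color_flag: bool, no_color_env: Option<&str>) -> Self {
        let env_disables = no_color_env.map_or(false, |v| !v.is_empty());
        ColorConfig {
            enabled: !(no_color_flag || env_disables),
        }
    }

    /// Wrap `text` in the role's colour, or return it unchanged when colour is off.
    /// Every console message should go through here so --no-color covers all of them,
    /// including the message printed after the progress bar finishes.
    pub fn paint(&self, role: Role, text: &str) -> String {
        if self.enabled {
            format!("{}{}{}", ansi_code(role), text, RESET)
        } else {
            text.to_string()
        }
    }
}

/// Remove ANSI CSI sequences (ESC '[' parameters... final byte 0x40-0x7E) so that
/// text destined for a results file carries no terminal escapes, even if the
/// string was painted for the console first.
pub fn strip_ansi(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    let mut chars = s.chars().peekable();
    while let Some(c) = chars.next() {
        if c == '\x1b' && chars.peek() == Some(&'[') {
            chars.next(); // consume '['
            // consume parameter/intermediate bytes up to and including the final byte
            while let Some(&n) = chars.peek() {
                chars.next();
                if ('\u{40}'..='\u{7e}').contains(&n) {
                    break;
                }
            }
        } else {
            out.push(c);
        }
    }
    out
}

fn main() {
    let with_color = ColorConfig::new(false, None);
    let no_color = ColorConfig::new(true, None);
    let msg = "Scanning finished. Please wait while the results are being saved.";
    println!("{}", with_color.paint(Role::Message, msg));
    println!("{}", no_color.paint(Role::Message, msg));
    // What would be written to a CSV cell: always plain text.
    println!("{}", strip_ansi(&with_color.paint(Role::FieldInfo, "EventID: 4624")));
}
```

The design point is that the decision to colour lives in one place (`ColorConfig`) rather than at each print site, so a message that is painted by a different code path (such as the progress-bar finish message) cannot silently ignore --no-color; and `strip_ansi` is a belt-and-braces guard for the saved-results path, since escape sequences inside a CSV or JSON field break downstream parsers and can be abused for terminal injection when the file is later displayed.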

@YamatoSecurity
Collaborator

@fukusuket Thanks!

Could you add a space here:

Before:

./target/release/hayabusa list-profiles

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Collecting the gold specks in the desert~

Start time: 2024/11/16 08:40
List of available profiles:
- minimal:                 %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RecordID%, %Details%
- standard:                %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RecordID%, %Details%, %ExtraFieldInfo%
- verbose:                 %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %ExtraFieldInfo%, %RuleFile%, %EvtxFile%
- all-field-info:          %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RecordID%, %AllFieldInfo%, %RuleFile%, %EvtxFile%
- all-field-info-verbose:  %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %AllFieldInfo%, %RuleFile%, %EvtxFile%
- super-verbose:           %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RuleAuthor%, %RuleModifiedDate%, %Status%, %RecordID%, %Details%, %ExtraFieldInfo%, %MitreTactics%, %MitreTags%, %OtherTags%, %Provider%, %RuleCreationDate%, %RuleFile%, %EvtxFile%
- timesketch-minimal:      %Timestamp%, hayabusa, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %RuleFile%, %EvtxFile%
- timesketch-verbose:      %Timestamp%, hayabusa, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %ExtraFieldInfo%, %RuleFile%, %EvtxFile%
日々是好日 - Nichinichi Kore Koujitsu - Everyday is a good day.

After:

./target/release/hayabusa list-profiles

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Collecting the gold specks in the desert~

Start time: 2024/11/16 08:40
List of available profiles:
- minimal:                 %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RecordID%, %Details%
- standard:                %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RecordID%, %Details%, %ExtraFieldInfo%
- verbose:                 %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %ExtraFieldInfo%, %RuleFile%, %EvtxFile%
- all-field-info:          %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RecordID%, %AllFieldInfo%, %RuleFile%, %EvtxFile%
- all-field-info-verbose:  %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %AllFieldInfo%, %RuleFile%, %EvtxFile%
- super-verbose:           %Timestamp%, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %RuleAuthor%, %RuleModifiedDate%, %Status%, %RecordID%, %Details%, %ExtraFieldInfo%, %MitreTactics%, %MitreTags%, %OtherTags%, %Provider%, %RuleCreationDate%, %RuleFile%, %EvtxFile%
- timesketch-minimal:      %Timestamp%, hayabusa, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %RuleFile%, %EvtxFile%
- timesketch-verbose:      %Timestamp%, hayabusa, %RuleTitle%, %Level%, %Computer%, %Channel%, %EventID%, %MitreTactics%, %MitreTags%, %OtherTags%, %RecordID%, %Details%, %ExtraFieldInfo%, %RuleFile%, %EvtxFile%

日々是好日 - Nichinichi Kore Koujitsu - Everyday is a good day.

@YamatoSecurity
Collaborator

Sorry, it is unrelated to this PR but here:

./target/release/hayabusa list-contributors

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Giving you the Windows event logs you've always wanted~

Start time: 2024/11/16 08:42
Hayabusa was possible thanks to the following people (in alphabetical order):

Akira Nishikawa (@nishikawaakira): First lead developer (core hayabusa rule support, etc...)
Fukusuke Takahashi (fukusuket): Core developer (Too many bug fixes to count, hayabusa converter upgrades, new features, etc...)
Garigariganzy (@garigariganzy31): Developer (Event ID metrics implementation, etc...)
ItiB (@itiB_S144):  Core developer (sigmac hayabusa backend, search command, etc...)
James Takai / hachiyone(@hach1yon): Second lead developer (Tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, sigma count implementation etc…)
Kazuminn (@k47_um1n): Core Developer (Many features.)
Matthew Seyer: adding the ability to carve out records
Tsubokku (@ytsuboi0322): Translations
Yusuke Matsui (@apt773): AD hacking working group leader, rule testing, documentation, research, support, etc...
Zach Mathis (@yamatosecurity, Yamato Security Founder): Project leader, tool and concept design, rule creation and tuning, etc…

Also a big thanks to the following people for projects that make Hayabusa possible:

Omer BenAmram for creating the Rust evtx crate.
The maintainers and contributors of the Sigma project.

Can you remove the "Start time: 2024/11/16 08:42" line?

@YamatoSecurity
Collaborator

Sorry, the search command has a -k option for keyword searching. How about we use -K instead?

@fukusuket
Collaborator Author

Thank you for checking! I fixed the above comments!

@YamatoSecurity
Collaborator

Thanks! Sorry, one more small thing:

./target/release/hayabusa update-rules

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Faster insights, deeper analysis, every time~

Start time: 2024/11/16 08:58
You currently have the latest rules.

柔よく剛を制す - Juu Yoku Gou O Seisu - Softness overcomes hardness.

Can you add a space here? ->

./target/release/hayabusa update-rules

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Faster insights, deeper analysis, every time~

Start time: 2024/11/16 08:58

You currently have the latest rules.

柔よく剛を制す - Juu Yoku Gou O Seisu - Softness overcomes hardness.

@YamatoSecurity
Collaborator

Sorry! Here as well:

./target/release/hayabusa set-default-profile -p super-verbose

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Elevating Windows DFIR to new heights~

Start time: 2024/11/16 09:00
Successfully updated the default profile.

不言実行 - Fugen Jikkou - Actions speak louder than words.

->

./target/release/hayabusa set-default-profile -p super-verbose

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Elevating Windows DFIR to new heights~

Start time: 2024/11/16 09:00

Successfully updated the default profile.

不言実行 - Fugen Jikkou - Actions speak louder than words.


@YamatoSecurity YamatoSecurity left a comment


@fukusuket Perfect! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 684d134 into main Nov 16, 2024
9 checks passed
@fukusuket fukusuket deleted the 1491-output-field-info-in-green-and-msg-in-orange branch November 16, 2024 00:18
Labels
enhancement New feature or request
Development

Successfully merging this pull request may close these issues.

Output field information in green and messages in orange
2 participants