Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JSON output does not output in original order #1264

Closed
YamatoSecurity opened this issue Feb 3, 2024 · 0 comments · Fixed by #1265
Closed

JSON output does not output in original order #1264

YamatoSecurity opened this issue Feb 3, 2024 · 0 comments · Fixed by #1265
Assignees
@hitenkoku
Labels
invalid This doesn't seem right
Milestone
v2.13.0

Comments

@YamatoSecurity
Copy link
Collaborator

I noticed that the fields in JSON output are outputted in alphabetical order instead of the original order. This makes creating rules a little difficult so it would be better to output in the original order.
Here is the rule that I was creating:

author: Zach Mathis
date: 2024/02/03
modified: 2024/02/03

title: Computer Startup
#details: 'MajorVer: %Data[1]% ¦ BuildNum: %Data[2]% ¦ RevNum: %Data[3]% ¦ UpdateBuildVer: %Data[4]%'
details: 'First: %Data[1]% ¦ Second: %Data[2]% ¦ Third: %Data[3]% ¦ Forth: %Data[4]% ¦ Fifth: %Data[5]%'
description: The computer started up. This event is important because it also contains the OS version information.

id: b27292f1a-18b3-4433-b340-151874a7d4e8
level: informational
status: test
logsource:
    product: windows
    service: system
detection:
    selection:
        Channel: System
        EventID: 6009
    condition: selection
falsepositives:
tags:
references:
ruletype: Hayabusa

When using csv-timeline (./target/release/hayabusa csv-timeline -d ../hayabusa-sample-evtx -r ../hayabusa-rules/hayabusa/builtin/System/Sys_6009_Info_ComputerStartup.yml -C -w -o 6009-test.csv), the order is correct:

"2014-11-26 06:52:38.000 +09:00","IE8Win7","Sys",6009,"info",3554,"Computer Startup","First: 6.01. ¦ Second: 7601 ¦ Third: Service Pack 1 ¦ Forth: Multiprocessor Free ¦ Fifth: 17514","-"

However, when I save to JSON (./hayabusa-2.13.-dev json-timeline -d ../hayabusa-sample-evtx -r ../hayabusa-rules/hayabusa/builtin/System/Sys_6009_Info_ComputerStartup.yml -w), the order changes:

{
    "Timestamp": "2016-09-20 22:07:41.000 +09:00",
    "Computer": "IE10Win7",
    "Channel": "Sys",
    "EventID": 6009,
    "Level": "info",
    "RecordID": 8273,
    "RuleTitle": "Computer Startup",
    "Details": {
        "Fifth": 17514,
        "First": "6.01.",
        "Forth": "Multiprocessor Free",
        "Second": 7601,
        "Third": "Service Pack 1"
    },
    "ExtraFieldInfo": {
    }
}

@hitenkoku Could you take a look at this?
@YamatoSecurity YamatoSecurity added the invalid This doesn't seem right label Feb 3, 2024
@YamatoSecurity YamatoSecurity added this to the v2.13.0 milestone Feb 3, 2024
@hitenkoku hitenkoku self-assigned this Feb 3, 2024
hitenkoku added a commit that referenced this issue Feb 3, 2024
@hitenkoku
feat(afterfact, message): modified JSON output from alphabetical orde…
a9ca6cf 
…r to original order in rule #1264
hitenkoku added a commit that referenced this issue Feb 3, 2024
@hitenkoku
docs(CHANGELOG): added #1264
4aa2943
@hitenkoku hitenkoku linked a pull request Feb 3, 2024 that will close this issue
Changed Details output in json-timeline output to original rule order #1265
Merged
@hitenkoku hitenkoku mentioned this issue Feb 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hitenkoku hitenkoku

Labels
invalid This doesn't seem right
Projects
None yet
Milestone
v2.13.0
Development

Successfully merging a pull request may close this issue.

Changed Details output in json-timeline output to original rule order Yamato-Security/hayabusa
2 participants
@hitenkoku @YamatoSecurity