
Invalid: -x option in logon-summary and eid-metrics will result in duplicate results #1478

Open
YamatoSecurity opened this issue Nov 7, 2024 · 5 comments · May be fixed by #1552
Labels: enhancement (New feature or request), invalid (This doesn't seem right)

Comments

@YamatoSecurity
Collaborator

Turning on -x to carve records from slack will often result in duplicate events being read; however, logon-summary and eid-metrics do not do any filtering for duplicate events. I think we need to keep track of timestamp, etc. information for events only when -x is being used and filter out duplicate events before giving results, in order to give more accurate results.

@YamatoSecurity YamatoSecurity added the invalid This doesn't seem right label Nov 7, 2024
@YamatoSecurity
Collaborator Author

@fukusuket Could I ask you to do this one?

@YamatoSecurity YamatoSecurity added this to the 3.1 milestone Jan 19, 2025
@fukusuket
Collaborator

Yes! I would love to implement it!💪

@fukusuket fukusuket self-assigned this Jan 19, 2025
@fukusuket
Collaborator

@YamatoSecurity
I have a question!
Is the specification expected to not count duplicate events, either with or without the -x option? (For example, if you simply copy evtx and specify it with the -d option)

@YamatoSecurity
Collaborator Author

Good question! We probably need to also add a -X, --remove-duplicate-detections option as well to remove (and ignore) any duplicate events.

@fukusuket
Collaborator

@YamatoSecurity
Thank you for checking! I'll add a -X, --remove-duplicate-detections option. Are the following specifications correct?

  • with -X : output unique events (remove duplicate events)
  • without -X : output duplicate events (current behavior)
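The filtering described in the opening comment (track identifying fields of each record and drop repeats before summarising) and the -X / no -X behaviour listed just above, as an added illustration in Rust. This is example code written for this page, not Hayabusa's own implementation; the record type, the choice of key fields (Computer, Channel, EventRecordID, EventID and the record timestamp) and the sample events are all assumptions made here. EventRecordID alone is deliberately not used as the key, because that counter restarts per log file and repeats across channels and hosts.

```rust
use std::collections::{BTreeMap, HashSet};

/// Fields of an EVTX record that matter for spotting a repeated read.
/// Constructed stand-in for this example, not Hayabusa's own record type.
#[derive(Debug, Clone)]
pub struct EvtxEvent {
    pub computer: String,
    pub channel: String,
    pub event_record_id: u64,
    pub event_id: u32,
    /// SystemTime as written in the record, e.g. "2024-11-07T01:02:03.456Z"
    pub timestamp: String,
}

/// Identity of one physical record (assumption for this example; the key the
/// project settles on may differ). EventRecordID alone is not enough, since it
/// restarts per file and repeats across channels and hosts.
pub type RecordKey = (String, String, u64, u32, String);

pub fn record_key(e: &EvtxEvent) -> RecordKey {
    (
        e.computer.clone(),
        e.channel.clone(),
        e.event_record_id,
        e.event_id,
        e.timestamp.clone(),
    )
}

/// eid-metrics style tally: number of events per (Channel, EventID).
/// `remove_duplicates` models the proposed -X flag. With it off, every read is
/// counted (current behaviour); with it on, a record whose key was already
/// seen is skipped, so a record carved once from a chunk and once from slack
/// (or read twice from a copied .evtx given via -d) is counted a single time.
pub fn eid_metrics(
    events: &[EvtxEvent],
    remove_duplicates: bool,
) -> BTreeMap<(String, u32), usize> {
    let mut seen: HashSet<RecordKey> = HashSet::new();
    let mut counts: BTreeMap<(String, u32), usize> = BTreeMap::new();
    for e in events {
        if remove_duplicates && !seen.insert(record_key(e)) {
            continue; // same record already tallied
        }
        *counts.entry((e.channel.clone(), e.event_id)).or_insert(0) += 1;
    }
    counts
}

/// Constructed input: three distinct Security records, one of which (record
/// 100) is returned twice, as happens when -x re-reads a record found in slack.
pub fn sample_events() -> Vec<EvtxEvent> {
    let mk = |rid: u64, eid: u32, ts: &str| EvtxEvent {
        computer: "WS01.example.local".to_string(),
        channel: "Security".to_string(),
        event_record_id: rid,
        event_id: eid,
        timestamp: ts.to_string(),
    };
    vec![
        mk(100, 4624, "2024-11-07T01:02:03.456Z"),
        mk(101, 4624, "2024-11-07T01:02:04.000Z"),
        mk(100, 4624, "2024-11-07T01:02:03.456Z"), // duplicate read of record 100
        mk(102, 4625, "2024-11-07T01:05:00.000Z"),
    ]
}

fn main() {
    let events = sample_events();
    for (label, dedup) in [("without -X", false), ("with -X", true)] {
        println!("{}:", label);
        for ((channel, eid), n) in eid_metrics(&events, dedup) {
            println!("  {} EID {}: {}", channel, eid, n);
        }
    }
}
```

Without -X the sample yields three 4624 events and one 4625; with -X the repeated read of record 100 is dropped and 4624 is counted twice. The same `seen` set can front a logon-summary tally, since the dedup step is independent of what is aggregated afterwards; the cost is one key per record kept in memory for the run, which is the trade-off the -X opt-in is meant to leave to the user.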
