Merge pull request #208 from Yamato-Security/207-fix-logon-timeline-c…

…olumn fix: `timeline-logon` output column(`SourceIP` and `SourceComputer`)
Yamato-Security · Oct 31, 2024 · 2732c09 · 2732c09
2 parents bb6753b + 09dff2a
commit 2732c09
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
@@ -55,7 +55,7 @@ jobs:
           ./hayabusa-${LATEST_VER#v}-lin-x64-gnu json-timeline -d ../../hayabusa-sample-evtx -L -w -p super-verbose -o ../../takajo/timeline.jsonl
 
       - name: run extract-credentials
-        run: cd takajo && ./takajo eextract-credentials -t timeline.jsonl -o credentials.csv
+        run: cd takajo && ./takajo extract-credentials -t timeline.jsonl -o credentials.csv
 
       - name: run extract-scriptblocks
         run: cd takajo && ./takajo extract-scriptblocks -t timeline.jsonl

diff --git a/src/takajopkg/timelineLogon.nim b/src/takajopkg/timelineLogon.nim
@@ -47,11 +47,11 @@ method analyze*(self: TimelineLogonCmd, x: HayabusaJson) =
         singleResultTable["TargetUser"] = details.extractStr("TgtUser")
         let impersonationLevel = extraFieldInfo.extractStr("ImpersonationLevel")
         singleResultTable["Impersonation"] = impersonationLevelIdToName(impersonationLevel)
-        singleResultTable["SourceIP"] = details.extractStr("SrcComp")
+        singleResultTable["SourceIP"] = details.extractStr("SrcIP")
         singleResultTable["Process"] = details.extractStr("LogonProcessName")
         singleResultTable["LID"] = details.extractStr("LID")
         singleResultTable["LGUID"] = extraFieldInfo.extractStr("LogonGuid")
-        singleResultTable["SourceComputer"] = details.extractStr("SrcIP")
+        singleResultTable["SourceComputer"] = details.extractStr("SrcComp")
         let elevatedToken = extraFieldInfo.extractStr("ElevatedToken")
         singleResultTable["ElevatedToken"] = elevatedTokenIdToName(elevatedToken)
         singleResultTable["TargetUserSID"] = extraFieldInfo.extractStr("TargetUserSid")