fix: Added hex conversion processing for -F, --no-field-data-mapping …

…JSONL
Yamato-Security · Oct 7, 2023 · d960bec · d960bec
1 parent 23280ae
commit d960bec
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/takajopkg/timelineSuspiciousProcesses.nim b/src/takajopkg/timelineSuspiciousProcesses.nim
@@ -69,6 +69,12 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
             pidStr = $jsonLine["Details"]["PID"].getInt()
             user = jsonLine["Details"]["User"].getStr()
             lid = jsonLine["Details"]["LID"].getStr()
+            try:
+              if pidStr == "0":
+                # -F, --no-field-data-mapping JSONL requires hex conversion
+                pidStr = intToStr(fromHex[int](jsonLine["Details"]["PID"].getStr()))
+            except ValueError:
+              discard
             try:
                 ruleAuthor = jsonLine["RuleAuthor"].getStr()
             except KeyError: