Labels: enhancement (New feature or request)
Description
It would be nice if the search command had a --timeline-start/--timeline-end option.
This is because there are occasional use cases where I want to see all the logs for a specific period of time with --regex ".*"
@YamatoSecurity
What do you think? :D
Current Option:
% ./hayabusa search --help
Hayabusa v3.0.1 - 3rd Year Anniversary Release
Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)
Usage:
hayabusa.exe search <INPUT> <--keywords "<KEYWORDS>" OR --regex "<REGEX>"> [OPTIONS]
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
Filtering:
-a, --and-logic Search keywords with AND logic (default: OR)
-F, --filter <FILTER...> Filter by specific field(s)
-i, --ignore-case Case-insensitive keyword search
-k, --keyword <KEYWORD...> Search by keyword(s)
-r, --regex <REGEX> Search by regular expression
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
Output:
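As an added example (not Hayabusa's own code) of the behaviour the request describes, the following Python model applies a time window to search results, covering the documented --time-offset syntax and the proposed --timeline-start/--timeline-end bounds. Fixed unit lengths, ISO 8601 input, inclusive bounds and a UTC default for zone-less timestamps are assumptions of this example.

```python
"""Added example, not Hayabusa's own code: a model of restricting search
output to a time window, covering the existing --time-offset syntax
(1y, 3M, 30d, 24h, 30m) and the proposed --timeline-start/--timeline-end."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed unit lengths; Hayabusa may compute years and months differently.
UNIT_SECONDS = {"y": 365 * 86400, "M": 30 * 86400, "d": 86400, "h": 3600, "m": 60}
OFFSET_RE = re.compile(r"^(\d+)([yMdhm])$")  # case matters: M = month, m = minute


def parse_offset(offset: str) -> timedelta:
    """Convert an offset such as '30d' or '24h' into a timedelta."""
    match = OFFSET_RE.match(offset)
    if not match:
        raise ValueError(f"bad offset {offset!r}; expected e.g. 1y, 3M, 30d, 24h, 30m")
    return timedelta(seconds=int(match.group(1)) * UNIT_SECONDS[match.group(2)])


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a value without a zone is assumed to be UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def filter_events(events, timeline_start=None, timeline_end=None,
                  time_offset=None, now=None):
    """Keep events with start <= timestamp <= end (inclusive, both optional).
    A --time-offset only narrows the window; it never widens an explicit start."""
    now = now or datetime.now(timezone.utc)
    start = parse_ts(timeline_start) if timeline_start else None
    end = parse_ts(timeline_end) if timeline_end else None
    if time_offset:
        cutoff = now - parse_offset(time_offset)
        start = cutoff if start is None else max(start, cutoff)
    if start and end and start > end:
        raise ValueError("timeline start is after timeline end")
    kept = []
    for event in events:
        ts = parse_ts(event["timestamp"])
        if (start is None or ts >= start) and (end is None or ts <= end):
            kept.append(event)
    return kept


# Constructed sample records standing in for parsed .evtx events.
EVENTS = [
    {"timestamp": "2024-01-01T00:00:00Z", "EventID": 4624},
    {"timestamp": "2024-01-15T12:00:00Z", "EventID": 4688},
    {"timestamp": "2024-02-01T00:00:00Z", "EventID": 4625},
]
```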