
@fukusuket
Collaborator

@fukusuket fukusuket commented Sep 16, 2025

What Changed

Evidence

Integration-Test

I’d appreciate it if you could check it when you have time🙏

@fukusuket fukusuket self-assigned this Sep 16, 2025
@fukusuket fukusuket requested a review from Copilot September 16, 2025 22:20
@fukusuket fukusuket added the enhancement New feature or request label Sep 16, 2025
Contributor

Copilot AI left a comment

Pull Request Overview

This PR fixes event ID handling by replacing hyphen fallback values with empty strings. The change ensures that when event IDs cannot be parsed or are missing, an empty string is used instead of a hyphen character.

  • Replace hyphen with empty string in event ID fallback handling
  • Update both event ID extraction and profile converter initialization

@fukusuket fukusuket added this to the 3.6.0 milestone Sep 16, 2025
@fukusuket
Collaborator Author

./hayabusa-3.5.0-mac-aarch64 csv-timeline -d ../data/windows/hayabusa-sample-evtx-main -w -q -o timeline.csv -C -s
./hayabusa csv-timeline -d ../data/windows/hayabusa-sample-evtx-main -w -q -o timeline-new.csv -C -s
diff timeline.csv timeline-new.csv
9496c9496
< "2016-09-20 01:50:06.513 +09:00","PW Guessing","med","DESKTOP-M5SN04R","Sec",4625,"-","Count:3558 ¦ TargetUserName:Administrator ¦ TargetDomainName:. ¦ IpAddress:192.168.198.149 ¦ LogonType:3 ¦ ProcessName:- ¦ LogonProcessName:NtLmSsp","-","23179f25-6fce-4827-bae1-b219deaf563e"
---
> "2016-09-20 01:50:06.513 +09:00","PW Guessing","med","DESKTOP-M5SN04R","Sec",4625,"","Count:3558 ¦ TargetUserName:Administrator ¦ TargetDomainName:. ¦ IpAddress:192.168.198.149 ¦ LogonType:3 ¦ ProcessName:- ¦ LogonProcessName:NtLmSsp","-","23179f25-6fce-4827-bae1-b219deaf563e"
19925c19925
< "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:41 ¦ TargetUserName:Administrator/baker/bgalbraith/bgreenwood/bhostetler/bking/cdavis/celgee/cfleener/cmoody/cragoso/cspizor/dmashburn/dpendolino/drook/ebooth/econrad/edygert/eskoudis/gsalinas/jkulikowski/jlake/jleytevidal/jorchilles/jwright/kperryman/lpesce/lschifano/mdouglas/melliott/mtoussain/psmith/rbowes/sanson/sarmstrong/smisenar/ssims/tbennett/thessman/wstrzelec/zmathis ¦ IpAddress:172.16.144.128 ¦ Computer:DESKTOP-JR78RLP","-","49d15187-4203-4e11-8acd-8736f25b6608"
---
> "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"","Count:41 ¦ TargetUserName:Administrator/baker/bgalbraith/bgreenwood/bhostetler/bking/cdavis/celgee/cfleener/cmoody/cragoso/cspizor/dmashburn/dpendolino/drook/ebooth/econrad/edygert/eskoudis/gsalinas/jkulikowski/jlake/jleytevidal/jorchilles/jwright/kperryman/lpesce/lschifano/mdouglas/melliott/mtoussain/psmith/rbowes/sanson/sarmstrong/smisenar/ssims/tbennett/thessman/wstrzelec/zmathis ¦ IpAddress:172.16.144.128 ¦ Computer:DESKTOP-JR78RLP","-","49d15187-4203-4e11-8acd-8736f25b6608"
20206c20206
< "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:14 ¦ TargetUserName:baker/bgalbraith/bgreenwood/bking/cragoso/cspizor/dmashburn/drook/edygert/jlake/jorchilles/mdouglas/smisenar/ssims ¦ IpAddress:172.16.144.128 ¦ Computer:DESKTOP-JR78RLP","-","49d15187-4203-4e11-8acd-8736f25b6608"
---
> "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"","Count:14 ¦ TargetUserName:baker/bgalbraith/bgreenwood/bking/cragoso/cspizor/dmashburn/drook/edygert/jlake/jorchilles/mdouglas/smisenar/ssims ¦ IpAddress:172.16.144.128 ¦ Computer:DESKTOP-JR78RLP","-","49d15187-4203-4e11-8acd-8736f25b6608"
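
A check that a consumer of the CSV timeline could run to confirm the behaviour shown in the diff above: integer columns hold either digits or an empty string, while a `-` inside string columns is left alone. This is an added example, not code from the Hayabusa project; the rows are constructed (modelled on the diff, shortened), and treating zero-based columns 5 and 6 as the integer fields is an assumption taken from the sample output.

```python
import csv
import io

# Constructed sample rows modelled on the diff above (values shortened).
# Row 1 carries the old "-" placeholder in the changed column, row 2 the new "".
SAMPLE = (
    '"2016-09-20 01:50:06.513 +09:00","PW Guessing","med","HOST-A","Sec",4625,'
    '"-","LogonType:3 ¦ ProcessName:-","-","00000000-0000-0000-0000-000000000001"\n'
    '"2016-09-20 01:50:06.513 +09:00","PW Guessing","med","HOST-A","Sec",4625,'
    '"","LogonType:3 ¦ ProcessName:-","-","00000000-0000-0000-0000-000000000001"\n'
)

# Assumption: zero-based columns 5 and 6 are the integer fields. Column 5 holds
# 4625 in the sample; column 6 is the field that changed from "-" to "".
INT_COLUMNS = (5, 6)


def find_bad_integer_fields(csv_text, int_columns=INT_COLUMNS):
    """Return (row_number, column_index, value) for every cell in an integer
    column that is neither empty nor made up only of ASCII digits.
    A row too short to contain the column is reported with value None."""
    bad = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=1):
        for col in int_columns:
            if col >= len(row):
                bad.append((row_number, col, None))
                continue
            value = row[col]
            # str.isdigit() alone accepts non-ASCII digits, so require ASCII too.
            if value != "" and not (value.isascii() and value.isdigit()):
                bad.append((row_number, col, value))
    return bad


if __name__ == "__main__":
    for row_number, col, value in find_bad_integer_fields(SAMPLE):
        print(f"row {row_number}, column {col}: {value!r} is not an integer or empty")
```

Only the old-style row is reported; the `-` values in `ProcessName:-` and in the string column after the details field are not integer fields and pass untouched.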

@fukusuket fukusuket marked this pull request as ready for review September 16, 2025 22:27
Collaborator

@YamatoSecurity YamatoSecurity left a comment

@fukusuket Thanks so much!! LGTM!

@YamatoSecurity YamatoSecurity merged commit 1a01ed2 into main Sep 17, 2025
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1692-remove-hypen branch September 20, 2025 04:26
Development

Successfully merging this pull request may close these issues.

Remove - for integer fields