
feat: add RuleID to TimelineSuspiciousProcesses.csv #292

Merged
YamatoSecurity merged 1 commit into main from 291-add-rule-id on Dec 19, 2025

Conversation

@fukusuket (Collaborator) commented Dec 19, 2025

Closed #291
I added RuleId! Could you please confirm?🙏

Integration-Test

…test' and adjust build conditions for macOS 15 Intel
@fukusuket fukusuket requested a review from Copilot December 19, 2025 09:14
@fukusuket fukusuket self-assigned this Dec 19, 2025
@fukusuket fukusuket added the enhancement New feature or request label Dec 19, 2025
@fukusuket fukusuket added this to the v2.15.0 milestone Dec 19, 2025

Copilot AI left a comment


Pull request overview

This PR adds the RuleID field to the TimelineSuspiciousProcesses CSV output, enhancing the forensic timeline with rule identification information alongside the existing RuleTitle and RuleAuthor fields.

Key changes:

  • Extended the HayabusaJson type to include RuleID as a required field
  • Added RuleID extraction and output to both Security 4688 and Sysmon 1 process creation event handlers
  • Updated CSV header to include RuleID column between RuleAuthor and Cmdline

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

src/takajopkg/hayabusaJson.nim: Added RuleID as a required field in the HayabusaJson type definition and validation logic
src/takajopkg/timelineSuspiciousProcesses.nim: Added RuleID extraction, display, and CSV export for both Security 4688 and Sysmon 1 event types

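The review above describes the change in terms of three pieces: RuleID becomes a required field of the parsed Hayabusa record, it is pulled out for Security 4688 and Sysmon 1 process-creation events, and it is written into the CSV between RuleAuthor and Cmdline. The following is an added example, not Takajo's code and not from this PR, that reproduces that contract in Python over constructed Hayabusa JSONL lines: a record without RuleID is rejected with an explicit error instead of producing a blank column, non-process-creation detections are filtered out, and the resulting CSV can be queried by the stable rule ID rather than by the (changeable, possibly duplicated) rule title. The JSON key names, the Details sub-keys (Cmdline, Proc, PID, ParentCmdline), the abbreviated channel spellings, and every CSV column other than the RuleTitle/RuleAuthor/RuleID/Cmdline ordering named in the review are assumptions of this example.

```python
import csv
import io
import json

# Constructed Hayabusa JSONL records for this example (not real logs, not Takajo test data).
# Top-level keys and Details sub-keys are assumed names, not copied from Takajo.
SAMPLE_JSONL = "\n".join([
    json.dumps({"Timestamp": "2025-12-19 09:14:00.000 +00:00", "Computer": "ws01.example.local",
                "Channel": "Sec", "EventID": 4688,
                "RuleTitle": "Suspicious Encoded PowerShell Command Line", "RuleAuthor": "Example Author",
                "RuleID": "11111111-2222-3333-4444-555555555555",
                "Details": {"Cmdline": "powershell.exe -enc SQBFAFgA", "Proc": "powershell.exe",
                            "PID": 4321, "ParentCmdline": "cmd.exe /c run.bat"}}),
    json.dumps({"Timestamp": "2025-12-19 09:14:05.000 +00:00", "Computer": "ws01.example.local",
                "Channel": "Sysmon", "EventID": 1,
                "RuleTitle": "Mimikatz Execution", "RuleAuthor": "Example Author",
                "RuleID": "66666666-7777-8888-9999-000000000000",
                "Details": {"Cmdline": "mimikatz.exe privilege::debug", "Proc": "mimikatz.exe",
                            "PID": 5678, "ParentCmdline": "powershell.exe -enc SQBFAFgA"}}),
    # Line 3: written by an output profile without RuleID; must be rejected, not silently blanked.
    json.dumps({"Timestamp": "2025-12-19 09:14:07.000 +00:00", "Computer": "ws01.example.local",
                "Channel": "Sec", "EventID": 4688,
                "RuleTitle": "Whoami Execution", "RuleAuthor": "Example Author",
                "Details": {"Cmdline": "whoami.exe /all", "Proc": "whoami.exe", "PID": 9999}}),
    # Line 4: complete, but a logon event, so it must not appear in a process timeline.
    json.dumps({"Timestamp": "2025-12-19 09:14:09.000 +00:00", "Computer": "ws01.example.local",
                "Channel": "Sec", "EventID": 4624,
                "RuleTitle": "Logon Event", "RuleAuthor": "Example Author",
                "RuleID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "Details": {"LogonType": 3}}),
])

# RuleID is required, mirroring the PR; the rest of this set is an assumption.
REQUIRED_FIELDS = ("Timestamp", "Computer", "Channel", "EventID",
                   "RuleTitle", "RuleAuthor", "RuleID", "Details")

# RuleID sits between RuleAuthor and Cmdline as in the PR; other columns are this example's choice.
CSV_COLUMNS = ("Timestamp", "Computer", "Type", "RuleTitle", "RuleAuthor",
               "RuleID", "Cmdline", "Proc", "PID", "ParentCmdline")


class HayabusaRecordError(ValueError):
    """Raised for a JSONL line that lacks a required field."""


def parse_record(line: str) -> dict:
    """Parse one JSONL line and enforce the required-field contract."""
    rec = json.loads(line)
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        raise HayabusaRecordError(f"missing required field(s) {missing}")
    return rec


def load_jsonl(text: str):
    """Return (valid_records, errors); errors are (line_number, message) pairs."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except (json.JSONDecodeError, HayabusaRecordError) as exc:
            errors.append((lineno, str(exc)))
    return records, errors


def process_creation_type(rec: dict):
    """Classify Security 4688 / Sysmon 1 records; channel spellings are assumed."""
    channel, event_id = rec["Channel"], int(rec["EventID"])
    if channel in ("Sec", "Security") and event_id == 4688:
        return "Security 4688"
    if channel in ("Sysmon", "Microsoft-Windows-Sysmon/Operational") and event_id == 1:
        return "Sysmon 1"
    return None


def build_timeline_csv(text: str):
    """Filter process-creation detections and render them as CSV; returns (csv_text, errors)."""
    records, errors = load_jsonl(text)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        kind = process_creation_type(rec)
        if kind is None:
            continue
        d = rec["Details"]
        writer.writerow({"Timestamp": rec["Timestamp"], "Computer": rec["Computer"], "Type": kind,
                         "RuleTitle": rec["RuleTitle"], "RuleAuthor": rec["RuleAuthor"],
                         "RuleID": rec["RuleID"], "Cmdline": d.get("Cmdline", ""),
                         "Proc": d.get("Proc", ""), "PID": d.get("PID", ""),
                         "ParentCmdline": d.get("ParentCmdline", "")})
    return buf.getvalue(), errors


def rows_for_rule(csv_text: str, rule_id: str) -> list:
    """Read the CSV back and select rows by the stable RuleID rather than by title."""
    return [row for row in csv.DictReader(io.StringIO(csv_text)) if row["RuleID"] == rule_id]
```

Running build_timeline_csv(SAMPLE_JSONL) yields a two-row CSV (the 4688 and the Sysmon 1 detections) plus one error for line 3, which is the behaviour a required field should produce: a Hayabusa timeline generated with a profile that omits RuleID fails loudly at parse time rather than leaving the column empty for an analyst to discover later.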

@fukusuket fukusuket marked this pull request as ready for review December 19, 2025 09:18
@YamatoSecurity (Collaborator) left a comment


@fukusuket LGTM! Thanks so much!!

@YamatoSecurity YamatoSecurity merged commit 1097b7b into main Dec 19, 2025
9 checks passed
@YamatoSecurity YamatoSecurity deleted the 291-add-rule-id branch December 19, 2025 10:22

Labels: enhancement (New feature or request)

Successfully merging this pull request may close: Add Rule ID to TimelineSuspiciousProcesses.csv

3 participants