From 8ed304a7703cd0eeb5ced125097c2a8065930c8f Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 27 Jan 2024 12:42:56 +0900
Subject: [PATCH] fix csv output bug and new release
---
 CHANGELOG-Japanese.md | 6 +++++-
 CHANGELOG.md | 6 +++++-
 src/takajo.nim | 4 ++--
 src/takajopkg/timelineSuspiciousProcesses.nim | 3 ++-
 takajo.nimble | 2 +-
 5 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index af026872..2bccff6c 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -1,12 +1,16 @@
 # 変更点
-## 2.x.x [xxxx/xx/xx]
+## 2.3.1 [2024/01/27] - Year Of The Dragon Release
 **改善:**
 - `ttp-visualize` コマンドで、MITRE ATT&CK Navigator上のテクニックをマウスオーバーしたときに、検知ルール名が表示されるようした。(#82) (@fukusuket)
 - `ttp-summary`コマンドの結果にルールのタイトルを追加した。(#83) (@fukusuket)
+**バグ修正:**
+ `timeline-suspicious-process`コマンドで、Security 4688またはSysmon 1のイベント数が0であり、他の形式のイベントがある場合、CSVファイルは保存されなかった。(#86) (@YamatoSecurity)
+
 ## 2.3.0 [2023/12/23] - SECCON Christmas Release
 **新機能:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 680bda2e..486d5227 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,12 +1,16 @@
 # Changes
-## 2.x.x [xxxx/xx/xx]
+## 2.3.1 [2024/01/27] - Year Of The Dragon Release
 **Enhancements:**
 - In the `ttp-visualize` command, the name of the rule that detected the technique will now be shown in the comment when hovering over the technique in MITRE ATT&CK Navigator. (#82) (@fukusuket)
 - Added rule titles to the `ttp-summary` command output. (#83) (@fukusuket)
+**Bug Fixes:**
+
+- The CSV file would not be saved in the `timeline-suspicious-process` command if either the number of Security 4688 or Sysmon 1 events was zero while having events in the other format. (#86) (@YamatoSecurity)
+
 ## 2.3.0 [2023/12/23] - SECCON Christmas Release
 **New Features:**
diff --git a/src/takajo.nim b/src/takajo.nim
index 3758bb2e..f9e0238d 100644
--- a/src/takajo.nim
+++ b/src/takajo.nim
@@ -38,7 +38,7 @@ include takajopkg/vtIpLookup
 include takajopkg/vtHashLookup
 when isMainModule:
- clCfg.version = "2.3.0"
+ clCfg.version = "2.3.1"
 const examples = "Examples:\p"
 const example_extract_scriptblocks = " extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low] -o scriptblock-logs\p"
 const example_list_domains = " list-domains -t ../hayabusa/timeline.jsonl -o domains.txt\p"
@@ -59,7 +59,7 @@ when isMainModule:
 const example_vt_hash_lookup = " vt-hash-lookup -a --hashList case-1-MD5-hashes.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
 const example_vt_ip_lookup = " vt-ip-lookup -a --ipList ipAddresses.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
- clCfg.useMulti = "Version: 2.3.0 SECCON Christmas Release\pUsage: takajo.exe \p\pCommands:\p$subcmds\pCommand help: $command help \p\p" &
+ clCfg.useMulti = "Version: 2.3.1 Year Of The Dragon Release\pUsage: takajo.exe \p\pCommands:\p$subcmds\pCommand help: $command help \p\p" &
 examples & example_extract_scriptblocks & example_list_domains & example_list_hashes & example_list_ip_addresses & example_list_undetected_evtx & example_list_unused_rules & example_split_csv_timeline & example_split_json_timeline & example_stack_logons & example_sysmon_process_tree &
diff --git a/src/takajopkg/timelineSuspiciousProcesses.nim b/src/takajopkg/timelineSuspiciousProcesses.nim
index 1e6ce846..bd255d62 100644
--- a/src/takajopkg/timelineSuspiciousProcesses.nim
+++ b/src/takajopkg/timelineSuspiciousProcesses.nim
@@ -209,7 +209,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
 seqOfResultsTables.add(singleResultTable)
 bar.finish()
- if output != "" and suspicousProcessCount_Sec_4688 != 0 and suspicousProcessCount_Sysmon_1 != 0: # Save results to CSV
+ if output != "" and (suspicousProcessCount_Sec_4688 > 0 or suspicousProcessCount_Sysmon_1 > 0): # Save results to CSV
 # Open file to save results
 var outputFile = open(output, fmWrite)
 let header = ["Timestamp", "Computer", "Type", "Level", "Rule", "RuleAuthor", "Cmdline", "Process", "PID", "User", "LID", "LGUID", "ProcessGUID", "ParentCmdline", "ParentPID", "ParentPGUID", "Description", "Product", "Company", "MD5 Hash", "SHA1 Hash", "SHA256 Hash", "Import Hash"]
@@ -228,6 +228,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
 outputFile.close()
 let fileSize = getFileSize(output)
+ echo ""
 echo "Saved results to " & output & " (" & formatFileSize(fileSize) & ")"
 echo ""
diff --git a/takajo.nimble b/takajo.nimble
index 2852a865..6074623d 100644
--- a/takajo.nimble
+++ b/takajo.nimble
@@ -1,6 +1,6 @@
 # Package
-version = "2.3.0"
+version = "2.3.1"
 author = "Yamato Security @SecurityYamato"
 description = "Takajo is an analyzer for Hayabusa results."
 license = "GPL-3.0"
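Review bot: The rewritten guard on the `+` line still decides whether to write the CSV from two hand-maintained counters, while the context line just above it, `seqOfResultsTables.add(singleResultTable)`, is the collection that actually gets written; `if output != "" and seqOfResultsTables.len > 0: # Save results to CSV` cannot drift from the data and would have ruled out this class of bug outright (assuming the counters only mirror those appends, which the hunk does not show). When `output` is given but nothing was collected, the new condition silently skips file creation and prints nothing, which to the user looks exactly like the bug being fixed; an `else: echo "No suspicious processes found, " & output & " was not written."` on the `if` would make the outcome explicit, if no such branch already exists between the two hunks. Separately, `var outputFile = open(output, fmWrite)` is paired with `outputFile.close()` only in the second hunk, with all the row writes in between, so a `defer: outputFile.close()` right after the `open` would keep the handle from leaking if a write raises an IOError. The body of `timelineSuspiciousProcesses` begins and ends outside these hunks.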