fix: add jsonl to --JSON-input target extensions

[fukusuket]

What Changed

• Closed [bug] --JSON-input option does not work #1530

Evidence

Integration-Test

https://github.com/Yamato-Security/hayabusa/actions/runs/12362528975

I would appreciate it if you could check it out when you have time🙏

[fukusuket]

jsonl input

% ./hayabusa json-timeline -J -f ../apt29_evals_day1_manual_2020-05-01225525.jsonl -w -o timeline.json -q -C
Start time: 2024/12/17 07:35
Total event log files: 1
Total file size: 385.3 MB

Loading detection rules. Please wait.

Excluded rules: 26
Noisy rules: 12 (Disabled)

Deprecated rules: 214 (4.96%) (Disabled)
Experimental rules: 323 (7.49%)
Stable rules: 241 (5.59%)
Test rules: 3,751 (86.93%)
Unsupported rules: 42 (0.97%) (Disabled)

Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)

Expand rules: 0 (0.00%)
Enabled expand rules: 0 (0.00%)

Hayabusa rules: 175
Sigma rules: 4,140
Total detection rules: 4,315

Output profile: standard

Scanning in progress. Please wait.

[00:00:23] 1 / 1   [========================================] 100%

Scanning finished. Please wait while the results are being saved.
                                                                                                                                               Rule Authors:

╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (55)                  frack113 (36)                     Florian Roth (25)                 oscd.community (23)             │
│ Roberto Rodriguez (19)            OTR (16)                          Nasreddine Bencherchali (14)      Tim Shelton (9)                 │
│ Roberto Rodriguez @Cyb3r... (9)   Natalia Shornikova (5)            Teymur Kheirkhabarov (4)          Thomas Patzke (4)               │
│ Christian Burkard (3)             Nikita Nazarov (3)                Timur Zinniatullin (3)            Daniel Bohannon (2)             │
│ Relativity (2)                    X__Junior (2)                     Christopher Peacock @sec... (2)   Oleg Kolesnikov @securon... (2) │
│ @ROxPinTeddy (2)                  Yassine Oukessou (2)              Kutepov Anton (2)                 John Lambert (2)                │
│ Sean Metcalf (2)                  Center for Threat Inform... (2)   Romaissa Adjailia (2)             Markus Neis (2)                 │
│ E.M. Anhaus (2)                   Bartlomiej Czyz (2)               Swachchhanda Shrawan Poudel (1)   Bartlomiej Czyz @bczyz1 (1)     │
│ Hieu Tran (1)                     Austin Songer (1)                 SCYTHE @scythe_io (1)             Tobias Michalski (1)            │
│ Tuan Le (1)                       Tom Kern (1)                      Perez Diego (1)                   Fukusuke Takahashi (1)          │
│ Joshua Wright (1)                 @kostastsale (1)                  omkar72 (1)                       Tim Burrell (1)                 │
│ Aleksey Potapov (1)               Gleb Sukhodolskiy (1)             AlertIQ (1)                       SCYTHE (1)                      │
│ Michael Haag (1)                  Timur Zinniatullin oscd.... (1)   Vasiliy Burov (1)                 Bhabesh Raj (1)                 │
│ Micah Babinski (1)                Dimitrios Slamaris (1)            Mark Russinovich (1)              Ján Trenčanský (1)              │
│ Mustafa Kaan Demir (1)            Max Altgelt (1)                   Samir Bousseaden (1)              Daniil Yugoslavskiy (1)         │
│ Georg Lauenstein (1)              Patryk Prauze - ING Tech (1)                                                                        │
╰─────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╯

Results Summary:

Events with hits / Total events: 28,063 / 196,081 (Data reduction: 168,018 events (85.69%))

Total | Unique detections: 58,790 | 183
Total | Unique critical detections: 1 (0.00%) | 1 (0.00%)
Total | Unique high detections: 255 (0.43%) | 32 (25.14%)
Total | Unique medium detections: 3,438 (5.85%) | 72 (17.49%)
Total | Unique low detections: 40,258 (68.48%) | 32 (39.34%)
Total | Unique informational detections: 14,838 (25.24%) | 46 (17.49%)

Dates with most total detections:
critical: 2020-05-02 (1), high: 2020-05-02 (255), medium: 2020-05-02 (3,438), low: 2020-05-02 (40,258), informational: 2020-05-02 (14,838)

Top 5 computers with most unique detections:
critical: SCRANTON.dmevals.local (1)
high: SCRANTON.dmevals.local (24), NASHUA.dmevals.local (8), NEWYORK.dmevals.local (1)
medium: SCRANTON.dmevals.local (57), NASHUA.dmevals.local (18), NEWYORK.dmevals.local (10), UTICA.dmevals.local (4)
low: SCRANTON.dmevals.local (28), NASHUA.dmevals.local (18), NEWYORK.dmevals.local (6), UTICA.dmevals.local (3)
informational: SCRANTON.dmevals.local (39), NASHUA.dmevals.local (24), NEWYORK.dmevals.local (22), UTICA.dmevals.local (10)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                      Top high alerts:                                             │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ CosmicDuke Service Installation (1)                       File Creation Date Changed to Another Year (108)             │
│ n/a                                                       Suspicious Svchost Process Access (74)                       │
│ n/a                                                       HackTool - SysmonEnte Execution (24)                         │
│ n/a                                                       Potential File Overwrite Via Sysinternals SDelete (6)        │
│ n/a                                                       Remote PowerShell Sessions Network Connections (WinRM... (4) │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                        Top low alerts:                                              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Alternate PowerShell Hosts - PowerShell Module (954)      Proc Access (39,259)                                         │
│ Python Initiated Connection (696)                         Scheduled Task Created - Registry (298)                      │
│ Raw Access Read (652)                                     Creation of an Executable by an Executable (256)             │
│ Process Ran With High Privilege (440)                     Possible Timestomping (209)                                  │
│ Potential Binary Or Script Dropper Via PowerShell (293)   Network Connection Initiated By PowerShell Process (48)      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ PwSh Pipeline Exec (5,080)                                Deleted File Archived (422)                                  │
│ Net Conn (4,392)                                          PwSh Scriptblock (414)                                       │
│ File Created (1,649)                                      Proc Terminated (401)                                        │
│ Proc Exec (906)                                           Pipe Conn (362)                                              │
│ PowerShell Decompress Commands (620)                      Pipe Created (84)                                            │
╰─────────────────────────────────────────────────────────╌──────────────────────────────────────────────────────────────╯

Saved file: timeline.json (203.3 MB)

Elapsed time: 00:00:24.1484

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

[YamatoSecurity]

@fukusuket LGTM! Thanks so much!