
fix: remove extra comma #1590

Merged
merged 1 commit into from
Feb 17, 2025

Conversation

@fukusuket fukusuket commented Feb 17, 2025

What Changed

Evidence

Integration-Test

https://github.com/Yamato-Security/hayabusa/actions/runs/13370505625

Sorry! I fixed it! I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket added the bug Something isn't working label Feb 17, 2025
@fukusuket fukusuket added this to the 3.1 (2025/2/22 Ninja Day) milestone Feb 17, 2025
@fukusuket fukusuket self-assigned this Feb 17, 2025
@fukusuket

emergency: n/a
critical: MSEDGEWIN10 (9), srvdefender01.offsec.lan (2), alice.insecurebank.local (1), FS03.offsec.lan (1), win10-02.offsec.lan (1)
high: MSEDGEWIN10 (102), IEWIN7 (61), FS03.offsec.lan (26), IE10Win7 (23), fs03vuln.offsec.lan (23)
medium: MSEDGEWIN10 (91), IEWIN7 (58), FS03.offsec.lan (28), fs03vuln.offsec.lan (24), rootdc1.offsec.lan (20)
low: MSEDGEWIN10 (38), FS03.offsec.lan (21), IEWIN7 (21), fs03vuln.offsec.lan (17), fs01.offsec.lan (13)
informational: IEWIN7 (18), MSEDGEWIN10 (17), PC01.example.corp (15), FS03.offsec.lan (14), fs01.offsec.lan (14)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top emergency alerts:                              Top critical alerts:                                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                Sticky Key Like Backdoor Usage - Registry (8)             │
│ n/a                                                CobaltStrike Service Installations - System (6)           │
│ n/a                                                Active Directory Replication from Non Machine Account (6) │
│ n/a                                                WannaCry Ransomware Activity (4)                          │
│ n/a                                                Defender Alert (Severe) (4)                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top high alerts:                                   Top medium alerts:                                        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Metasploit SMB Authentication (3,562)              Potentially Malicious PwSh (235)                          │
│ Suspicious Service Path (277)                      Reg Key Value Set (Sysmon Alert) (107)                    │
│ Suspicious Service Installation Script (250)       Proc Injection (104)                                      │
│ PowerShell Scripts Installed as Services (250)     Remote Thread Creation Via PowerShell (93)                │
│ Suspicious Service Name (80)                       Remote Thread Creation In Uncommon Target Image (93)      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top low alerts:                                    Top informational alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Logon Failure (Wrong Password) (3,580)             Proc Exec (11,173)                                        │
│ Possible LOLBIN (1,418)                            NetShare File Access (2,558)                              │
│ Non Interactive PowerShell Process Spawned (326)   PwSh Scriptblock (789)                                    │
│ User with Privileges Logon (179)                   PwSh Pipeline Exec (680)                                  │
│ Proc Access (156)                                  NetShare Access (403)                                     │
╰──────────────────────────────────────────────────╌───────────────────────────────────────────────────────────╯

Saved file: timeline.csv (33.2 MB)

Elapsed time: 00:00:06.713

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

fukusuke@Mac hayabusa-3.1.0-mac-aarch64 % cler
zsh: command not found: cler
fukusuke@Mac hayabusa-3.1.0-mac-aarch64 % clear
fukusuke@Mac hayabusa-3.1.0-mac-aarch64 % ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -o timeline.csv -q -C
Start time: 2025/02/17 21:42
Total event log files: 598
Total file size: 139.2 MB

Loading detection rules. Please wait.

Excluded rules: 26
Noisy rules: 12 (Disabled)

Deprecated rules: 215 (4.95%) (Disabled)
Experimental rules: 229 (5.28%)
Stable rules: 243 (5.60%)
Test rules: 3,869 (89.13%)
Unsupported rules: 42 (0.97%) (Disabled)

Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)

Expand rules: 0 (0.00%)
Enabled expand rules: 0 (0.00%)

Hayabusa rules: 177
Sigma rules: 4,164
Total detection rules: 4,341

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 585
Detection rules enabled after channel filter: 4,264

Output profile: standard

Scanning in progress. Please wait.

[00:00:05] 585 / 585   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:

╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Florian Roth (180)                 Nasreddine Bencherchali (123)      Zach Mathis (111)                 oscd.community (108)            │
│ frack113 (91)                      Tim Shelton (33)                   Daniil Yugoslavskiy (23)          Jonhnathan Ribeiro (22)         │
│ Teymur Kheirkhabarov (21)          Thomas Patzke (20)                 Christian Burkard (17)            Markus Neis (16)                │
│ Timur Zinniatullin (14)            Roberto Rodriguez @Cyb3r... (14)   Tim Rauch (12)                    E.M. Anhaus (12)                │
│ Elastic (12)                       Roberto Rodriguez (12)             Samir Bousseaden (11)             Michael Haag (11)               │
│ Swachchhanda Shrawan Poudel (10)   OTR (8)                            Victor Sergeev (8)                Natalia Shornikova (7)          │
│ Endgame) (7)                       Endgame (6)                        Ecco (6)                          X__Junior (6)                   │
│ David ANDRE (6)                    JHasenbusch (6)                    omkar72 (5)                       Arnim Rupp (5)                  │
│ Sander Wiebing (5)                 Tobias Michalski (4)               Andreas Hunkeler (4)              @neu5ron (4)                    │
│ Gleb Sukhodolskiy (4)              Max Altgelt (4)                    FPT.EagleEye Team (3)             Yusuke Matsui (3)               │
│ pH-T (3)                           Janantha Marasinghe (3)            Christopher Peacock @sec... (3)   FPT.EagleEye (3)                │
│ wagga (3)                          Daniel Bohannon (3)                juju4 (3)                         Eric Conrad (3)                 │
│ Anton Kutepov (3)                  James Pemberton@4A616D6573 (3)     elhoim (3)                        @twjackomo (3)                  │
│ Ilyas Ochkov (3)                   Nikita Nazarov (3)                 Hieu Tran (3)                     Wojciech Lesicki (3)            │
│ Fukusuke Takahashi (3)             Vasiliy Burov (3)                  Austin Songer @austinsonger (3)   @dreadphones (2)                │
│ Alexandr Yampolskyi (2)            Tony Lambert (2)                   Sean Metcalf (2)                  keepwatch (2)                   │
│ Jakob Weinzettl (2)                Vadim Khrykov (2)                  Karneades (2)                     James Pemberton@4A616D65... (2) │
│ Tony Lambert) (2)                  SOC Prime (2)                      Mark Russinovich (2)              Aleksey Potapov (2)             │
│ Bartlomiej Czyz (2)                Hosni Mribah (2)                   Chakib Gzenayi (2)                Cyb3rEng (2)                    │
│ Yassine Oukessou (2)               Modexp (2)                         Sreeman (2)                       SCYTHE @scythe_io (2)           │
│ Romaissa Adjailia (2)              Jordan Lloyd (2)                   Tom Ueltschi (2)                  @SBousseaden (2)                │
│ Darkrael (2)                       Zach Stanford @svch0st (2)         Justin C. (2)                     Relativity (2)                  │
│ Dimitrios Slamaris (2)             Mark Woan (2)                      Nik Seetharaman (2)               Perez Diego (2)                 │
│ D3F7A5105 (2)                      Oleg Kolesnikov @securon... (2)    @2xxeformyshirt (2)               Ahmed Farouk (1)                │
│ Ali Alwashali (1)                  Matt Anderson (1)                  blueteam0ps (1)                   Center for Threat Inform... (1) │
│ @caliskanfurkan_ (1)               Swisscom CSIRT (1)                 @atc_project (1)                  @juju4 (1)                      │
│ Zaw Min Htun (1)                   Sorina Ionescu (1)                 Alec Costello (1)                 j4son (1)                       │
│ Nextron Systems (1)                Maxime Thiebaut (1)                Scott Dermott (1)                 @scythe_io (1)                  │
│ CD_ROM_ (1)                        Stephen Lincoln `@slinco... (1)    alias support) (1)                David Burkett (1)               │
│ Dan Beavin) (1)                    David Strassegger (1)              Maxim Pavlunin (1)                Teymur Kheirkhabarov @He... (1) │
│ vburov (1)                         Timon Hackenjos (1)                Mangatas Tondang (1)              SCYTHE (1)                      │
│ Andreas Braathen (1)               EagleEye Team (1)                  Jeff Warren (1)                   Sherif Eldeeb (1)               │
│ Anish Bogati (1)                   Ivan Dyachkov (1)                  Kutepov Anton (1)                 John Lambert (1)                │
│ MalGamy (1)                        Jose Rodriguez (1)                 Pushkarev Dmitry (1)              fuzzyf10w (1)                   │
│ Margaritis Dimitrios (1)           SBousseaden (1)                    Oddvar Moe (1)                    Joshua Wright (1)               │
│ @svch0st (1)                       KevTheHermit (1)                   @Joseliyo_Jstnk (1)               James Dickenson (1)             │
│ Dave Kennedy (1)                   Josh Nickels (1)                   Open Threat Research (1)          Cedric MAURUGEON (1)            │
│ Bhabesh Raj (1)                    Bartlomiej Czyz @bczyz1 (1)        Dominik Schaudel (1)              rukawa (1)                      │
│ @signalblur (1)                    Tom Kern (1)                       James Pemberton @4A616D6573 (1)   Trent Liffick (1)               │
│ @oscd_initiative (1)               Subhash Popuri (1)                 Tom U. @c_APT_ure (1)             Dmitriy Lifanov (1)             │
│ Joseliyo Sanchez (1)               Semanur Guneysu @semanurtg (1)     Benjamin Delpy (1)                Stamatis Chatzimangou (1)       │
│ Austin Songer (1)                  Omer Faruk Celik (1)               Markus Neis @Karneades (1)        mdecrevoisier (1)               │
│ Matthew Green @mgreen27 (1)        Christopher Peacock @Sec... (1)    @kostastsale (1)                  Tuan Le (1)                     │
│ The DFIR Report (1)                Sami Ruohonen (1)                  NVISO (1)                         Furkan CALISKAN (1)             │
│ Maxence Fossat (1)                 @gott_cyber (1)                    Mustafa Kaan Demir (1)            Jack Croock (1)                 │
│ Harish Segar (1)                   Fatih Sirin (1)                    Jason Lynch (1)                   Daniel Koifman (1)              │
│ Chad Hudson (1)                    Julia Fomina (1)                   Georg Lauenstein (1)                                              │
╰──────────────────────────────────╌──────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╯

Results Summary:

Events with hits / Total events: 19,830 / 46,495 (Data reduction: 26,665 events (57.35%))

Total | Unique detections: 32,395 | 672
Total | Unique emergency detections: 0 (0.00%) | 0 (0.00%)
Total | Unique critical detections: 51 (0.16%) | 20 (9.08%)
Total | Unique high detections: 5,587 (17.25%) | 261 (12.50%)
Total | Unique medium detections: 2,135 (6.59%) | 246 (36.61%)
Total | Unique low detections: 6,323 (19.52%) | 84 (38.84%)
Total | Unique informational detections: 18,299 (56.49%) | 61 (2.98%)

Dates with most total detections:
emergency: n/a, critical: 2019-07-19 (16), high: 2016-09-20 (3,650), medium: 2019-05-19 (249), low: 2016-09-20 (3,708), informational: 2016-08-19 (2,115)

Top 5 computers with most unique detections:
emergency: n/a
critical: MSEDGEWIN10 (9), srvdefender01.offsec.lan (2), Isaac (1), alice.insecurebank.local (1), DC1.insecurebank.local (1)
high: MSEDGEWIN10 (102), IEWIN7 (61), FS03.offsec.lan (26), IE10Win7 (23), fs03vuln.offsec.lan (23)
medium: MSEDGEWIN10 (91), IEWIN7 (58), FS03.offsec.lan (28), fs03vuln.offsec.lan (24), rootdc1.offsec.lan (20)
low: MSEDGEWIN10 (38), IEWIN7 (21), FS03.offsec.lan (21), fs03vuln.offsec.lan (17), fs01.offsec.lan (13)
informational: IEWIN7 (18), MSEDGEWIN10 (17), PC01.example.corp (15), fs01.offsec.lan (14), FS03.offsec.lan (14)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top emergency alerts:                              Top critical alerts:                                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                Sticky Key Like Backdoor Usage - Registry (8)             │
│ n/a                                                CobaltStrike Service Installations - System (6)           │
│ n/a                                                Active Directory Replication from Non Machine Account (6) │
│ n/a                                                WannaCry Ransomware Activity (4)                          │
│ n/a                                                Defender Alert (Severe) (4)                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top high alerts:                                   Top medium alerts:                                        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Metasploit SMB Authentication (3,562)              Potentially Malicious PwSh (235)                          │
│ Suspicious Service Path (277)                      Reg Key Value Set (Sysmon Alert) (107)                    │
│ PowerShell Scripts Installed as Services (250)     Proc Injection (104)                                      │
│ Suspicious Service Installation Script (250)       Remote Thread Creation Via PowerShell (93)                │
│ Suspicious Service Name (80)                       Remote Thread Creation In Uncommon Target Image (93)      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top low alerts:                                    Top informational alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Logon Failure (Wrong Password) (3,580)             Proc Exec (11,173)                                        │
│ Possible LOLBIN (1,418)                            NetShare File Access (2,558)                              │
│ Non Interactive PowerShell Process Spawned (326)   PwSh Scriptblock (789)                                    │
│ User with Privileges Logon (179)                   PwSh Pipeline Exec (680)                                  │
│ Proc Access (156)                                  NetShare Access (403)                                     │
╰──────────────────────────────────────────────────╌───────────────────────────────────────────────────────────╯

Saved file: timeline.csv (33.2 MB)

Elapsed time: 00:00:06.688

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

fukusuke@Mac hayabusa-3.1.0-mac-aarch64 %

@YamatoSecurity YamatoSecurity left a comment

@fukusuket Thanks so much! LGTM!

@YamatoSecurity YamatoSecurity merged commit cf469b3 into main Feb 17, 2025
9 checks passed
@YamatoSecurity YamatoSecurity deleted the 1589-remove-extra-commna branch February 17, 2025 12:56
Development

Successfully merging this pull request may close these issues.

Extra comma