Add back -h, --help option to General Options #1255

Closed
YamatoSecurity opened this issue Jan 23, 2024 · 3 comments · Fixed by #1266
Comments

@YamatoSecurity (Collaborator)

I think in the past we removed the -h, --help option from General Options because we could check the help menu by specifying no arguments (Example: hayabusa.exe csv-timeline). However, with #1235, we now check to see if the user specifies one of the required input options (-d, -f or -l), so now we get an error instead of the help screen getting displayed. If it is not possible to show the help screen when only typing the subcommand and no options, then I would like to add a -h, --help option to show the help menu, so that it can be shown easily instead of having to type hayabusa.exe help csv-timeline, etc.

@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Jan 23, 2024
@YamatoSecurity YamatoSecurity added this to the v2.13.0 milestone Jan 23, 2024
@hitenkoku hitenkoku self-assigned this Jan 23, 2024
@hitenkoku (Collaborator)

@YamatoSecurity Thanks for your issue.
I confirmed this feature in hayabusa v2.12.0.
I think this feature is already added.
Could you check the following result?

> ./hayabusa-2.12.0.exe
...
Usage:
  hayabusa.exe <COMMAND> [OPTIONS]
  hayabusa.exe help <COMMAND>

Commands:
  computer-metrics     Print computer name metrics
  csv-timeline         Save the timeline in CSV format
  eid-metrics          Print event ID metrics
  json-timeline        Save the timeline in JSON/JSONL format
  level-tuning         Tune alert levels (default: ./rules/config/level_tuning.txt)
  list-contributors    Print the list of contributors
  list-profiles        List the output profiles
  logon-summary        Print a summary of successful and failed logons
  pivot-keywords-list  Create a list of pivot keywords
  search               Search all events by keyword(s) or regular expression
  set-default-profile  Set default output profile
  update-rules         Update to the latest rules in the hayabusa-rules github repository
  help                 Print this message or the help of the given subcommand(s)
> ./hayabusa-2.12.0.exe help csv-timeline
Hayabusa v2.12.0 - SECCON Christmas Release
Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)

Usage:
  hayabusa.exe csv-timeline <INPUT> [OPTIONS]

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:\Windows\System32\winevt\Logs folder
  -J, --JSON-input       Scan JSON formatted logs instead of .evtx (.json or .jsonl)
  -x, --recover-records  Carve evtx records from slack space (default: disabled)

Filtering:
  -E, --EID-filter                      Scan only common EIDs for faster speed (./rules/config/target_event_IDs.txt)
  -D, --enable-deprecated-rules         Enable rules with a status of deprecated
  -n, --enable-noisy-rules              Enable rules set to noisy (./rules/config/noisy_rules.txt)      
  -u, --enable-unsupported-rules        Enable rules with a status of unsupported
  -e, --exact-level <LEVEL>             Only load rules with a specific level (informational, low, medium, high, critical)
      --exclude-category <CATEGORY...>  Do not load rules with specified logsource categories (ex: process_creation,pipe_created)
      --exclude-computer <COMPUTER...>  Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --exclude-eid <EID...>            Do not scan specific EIDs for faster speed (ex: 1) (ex: 1,4688) 
      --exclude-status <STATUS...>      Do not load rules according to status (ex: experimental) (ex: stable,test)
      --exclude-tag <TAG...>            Do not load rules with specific tags (ex: sysmon)
      --include-category <CATEGORY...>  Only load rules with specified logsource categories (ex: process_creation,pipe_created)
      --include-computer <COMPUTER...>  Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --include-eid <EID...>            Scan only specified EIDs for faster speed (ex: 1) (ex: 1,4688)  
      --include-tag <TAG...>            Only load rules with specific tags (ex: attack.execution,attack.discovery)
  -m, --min-level <LEVEL>               Minimum level for rules to load (default: informational)        
  -P, --proven-rules                    Scan with only proven rules for faster speed (./rules/config/proven_rules.txt)
      --timeline-end <DATE>             End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
      --timeline-offset <OFFSET>        Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
      --timeline-start <DATE>           Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")

Output:
  -G, --GeoIP <MAXMIND-DB-DIR>       Add GeoIP (ASN, city, country) info to IP addresses
  -H, --HTML-report <FILE>           Save Results Summary details to an HTML report (ex: results.html)  
  -M, --multiline                    Output event field information in multiple rows
  -F, --no-field-data-mapping        Disable field data mapping
      --no-pwsh-field-extraction     Disable field extraction of PowerShell classic logs
  -o, --output <FILE>                Save the timeline in CSV format (ex: results.csv)
  -p, --profile <PROFILE>            Specify output profile
  -R, --remove-duplicate-data        Duplicate field data will be replaced with "DUP"
  -X, --remove-duplicate-detections  Remove duplicate detections (default: disabled)

Display Settings:
      --no-color            Disable color output
  -N, --no-summary          Do not display Results Summary for faster speed
  -q, --quiet               Quiet mode: do not display the launch banner
  -v, --verbose             Output verbose information
  -T, --visualize-timeline  Output event frequency timeline (terminal needs to support unicode)

General Options:
  -C, --clobber                        Overwrite files when saving
  -w, --no-wizard                      Do not ask questions. Scan for all events and alerts
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -r, --rules <DIR/FILE>               Specify a custom rule directory or file (default: ./rules)       
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)   
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)      

Time Format:
      --European-time     Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00) 
      --ISO-8601          Output timestamp in ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
      --RFC-2822          Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)     
      --RFC-3339          Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)    
      --US-military-time  Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
      --US-time           Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)    
  -U, --UTC               Output time in UTC format (default: local time)

@YamatoSecurity (Collaborator, Author)

Yes, the help <command> syntax works but not <command> -h.
So:

./target/release/hayabusa csv-timeline -h
error: unexpected argument '-h' found

Usage: hayabusa csv-timeline [OPTIONS] <--directory <DIR>|--file <FILE>|--live-analysis>

Adding a -h to get the help menu is much more convenient than having to delete all the options and scroll back and add help. It is now a bit cumbersome when I need to constantly look up the help menu.
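The ordering problem described in this thread, as an added example that is not part of the issue and not Hayabusa's own code (Hayabusa parses its arguments with the clap crate; this is a hand-rolled, std-only parser): the help flag is checked before the required-input group is enforced, so `csv-timeline -h` prints usage while a bare `csv-timeline` still reports the missing `-d`/`-f`/`-l`. The flag names are taken from the help output quoted above; the `Input`/`Parsed`/`ParseError` types, the `parse` and `render` functions and the usage string are assumptions made for this example.

```rust
// Added example, not Hayabusa's code: a std-only argument parser that checks for
// -h/--help before enforcing the required input group (-d | -f | -l).
use std::env;

#[derive(Debug, PartialEq)]
pub enum Input {
    Directory(String),
    File(String),
    LiveAnalysis,
}

#[derive(Debug, PartialEq)]
pub enum Parsed {
    Help,
    Run(Input),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    MissingInput,
    MissingValue(String),
    Unexpected(String),
}

// Assumed usage text, modelled on the usage line quoted in the issue.
pub const USAGE: &str = concat!(
    "Usage:\n",
    "  hayabusa csv-timeline [OPTIONS] <--directory <DIR>|--file <FILE>|--live-analysis>\n",
    "  hayabusa csv-timeline -h, --help\n"
);

pub fn parse(args: &[&str]) -> Result<Parsed, ParseError> {
    // A help flag anywhere on the line wins. Doing this before the required-input
    // validation is the whole point: `csv-timeline -h` must show usage, not
    // "error: unexpected argument '-h' found".
    if args.iter().any(|a| *a == "-h" || *a == "--help") {
        return Ok(Parsed::Help);
    }

    let mut input: Option<Input> = None;
    let mut i = 0;
    while i < args.len() {
        let arg = args[i];
        match arg {
            "-d" | "--directory" | "-f" | "--file" => {
                // Option that takes a value: it must be followed by one.
                let value = args
                    .get(i + 1)
                    .ok_or_else(|| ParseError::MissingValue(arg.to_string()))?
                    .to_string();
                input = Some(if arg == "-d" || arg == "--directory" {
                    Input::Directory(value)
                } else {
                    Input::File(value)
                });
                i += 2;
            }
            "-l" | "--live-analysis" => {
                input = Some(Input::LiveAnalysis);
                i += 1;
            }
            other => return Err(ParseError::Unexpected(other.to_string())),
        }
    }

    // The required-input check: no -d/-f/-l is an error, which is why a bare
    // `csv-timeline` no longer falls through to the help screen.
    input.map(Parsed::Run).ok_or(ParseError::MissingInput)
}

// Turn the parse result into what the user would see on the terminal.
pub fn render(result: &Result<Parsed, ParseError>) -> String {
    match result {
        Ok(Parsed::Help) => USAGE.to_string(),
        Ok(Parsed::Run(input)) => format!("scanning {input:?}"),
        Err(ParseError::MissingInput) => {
            format!("error: one of -d, -f or -l is required\n\n{USAGE}")
        }
        Err(ParseError::MissingValue(opt)) => {
            format!("error: {opt} requires a value\n\n{USAGE}")
        }
        Err(ParseError::Unexpected(arg)) => {
            format!("error: unexpected argument '{arg}' found\n\n{USAGE}")
        }
    }
}

fn main() {
    let owned: Vec<String> = env::args().skip(1).collect();
    let args: Vec<&str> = owned.iter().map(String::as_str).collect();
    println!("{}", render(&parse(&args)));
}
```

The two behaviours the thread contrasts are both visible here: `parse(&["-d", "./logs", "-h"])` returns `Parsed::Help` even though a valid input was given, and `parse(&[])` returns `ParseError::MissingInput` rather than help, which is the post-#1235 behaviour that made a dedicated help flag necessary.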

@hitenkoku (Collaborator)

@YamatoSecurity Thanks for your comment. I got it. I will fix it.
