Can't get hayabusa to use JSON as input #1324

Closed
mischw opened this issue Apr 7, 2024 · 3 comments
mischw commented Apr 7, 2024

I tried to use JSON(L) input to hayabusa 2.14 on Linux which I can't seem to get to work.
I tried both, JSON and JSONL:

./hayabusa-2.14.0-lin-x64-gnu json-timeline --JSONL-output --output ../JSON/results.jsonl --directory ../EVTX
./hayabusa-2.14.0-lin-x64-gnu json-timeline --output ../JSON/results.json --directory ../EVTX

The output looks like I would expect, being a JSON and a JSONL file.
Then I tried to parse it with logon-summary for example:

./hayabusa-2.14.0-lin-x64-gnu logon-summary --JSON-input --file ../JSON/results.json
...
[Many times repeated error here]
...
[ERROR] timestamp parse error. input: null input contains invalid characters
[ERROR] timestamp parse error. input: null input contains invalid characters
[ERROR] timestamp parse error. input: null input contains invalid characters
[00:00:00] 1 / 1   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Evtx File Path: ../JSON/results.json

Total Event Records: 3,366

Logon Summary:

-----------------------------------------
|     No logon events were detected.    |
-----------------------------------------


Elapsed time: 00:00:00.070

It produces no logon events here and shows a lot of errors. Do note that it says "Evtx File Path:". Maybe it tries to parse evtx files?
logon-summary help claims to also support JSONL ("Scan JSON formatted logs instead of .evtx (.json or .jsonl)") so I also tried that:

./hayabusa-2.14.0-lin-x64-gnu logon-summary --JSON-input --file ../JSON/results.jsonl

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security 

Generating Logon Summary

Start time: 2024/04/07 18:33

[ERROR] --filepath only accepts .evtx files. Hidden files are ignored.

Elapsed time: 00:00:00.000

Now it says it only accepts evtx files, which also confuses me.

Is that behavior a bug or am I using it wrong somehow?

mischw added the "bug" label Apr 7, 2024

YamatoSecurity (Collaborator) commented:

You are using it wrong. Why are you trying to output results to JSON from EVTX and then re-run scans against the outputted JSON? Typically, if you have the original .evtx files, you will never use the JSON input. JSON input is only for when you have event log information in JSON format. For example, you exported data from Splunk or another SIEM. The only time you use Hayabusa JSON as input is for when using Takajo.

YamatoSecurity added the "no-issue" label and removed the "bug" label Apr 8, 2024

mischw (Author) commented Apr 8, 2024

I re-ran the scan with the JSON output because I wanted to make use of the --remove-duplicate-detections, which the logon-summary command does not support. So I used the flag with the json-timeline command and got confused when hayabusa did not accept its own generated JSON output. So yeah, sorry. I think I misunderstood what this is used for.
Maybe the help output for the json-timeline command and the --JSON-input flag would profit from a more detailed description of their intended use?
Is there documentation on what the JSON has to look like for making it work with hayabusa?
Besides that I think this issue is not really an issue.

YamatoSecurity (Collaborator) commented:

@mischw Thanks, I will try to update the documentation to make it clearer.
