Enhancement: Duplicate detections for logon-summary

[mischw]

I saw that the csv-timeline and json-timeline commands support deduplication using the flag --remove-duplicate-detections. I think that is incredibly useful. Unfortunately the logon-summary does not have a equivalent flag it seems? The resulting output therefore shows many times more logon attempts when also using evtx from shadow copies for example.

Either way I am happy with a solution that allows deduplicated logon-summary. But I thought maybe you hadn't considered adding it as a flag to logon-summary too :)

[YamatoSecurity]

We will look into adding this feature. For now, you might just have to write a script to remove the duplicates.

[mischw]

Thanks for considering adding this feature. In the mean time I am happy to write a script. Do you happen to know a tool or two which would be suitable for usage in script and at the same time is able to output a format which hayabusa is able to parse?

[YamatoSecurity]

@mischw To work around this, you can remove duplicates with the json-timeline command, output to JSONL and then use the stack-logons in Takajo to get the same information. (https://github.com/Yamato-Security/takajo?tab=readme-ov-file#stack-logons-command)
Right now, it only summarizes successful logons but will add an option to analyze failed logons as well.

[YamatoSecurity]

@mischw We updated the stack-logons command so if you compile takajo with the main branch, you can get failed logon info as well.

[mischw]

I gave it a try and it looks like a nice way to get the info I need. Thanks for letting me know!