[bug] Number of rules enabled after channel filtering differs between live response and standard hayabusa

[crayy8]

Describe the bug
I am testing out hayabusa both the normal version and the live response version. I noticed that when running both side by side on the same data set using the same release version and same command options that the number of rules differ after channel filtering. It appears both release version have the same rule sets both based on hayabusa output and diffing the number of rule ids

Image showing number of rules differing between live response and the non live response version (Right console is live response version)

Step to Reproduce
Steps to reproduce the behavior:

1. Download both release 3.0.1 x64 versions of hayabusa (live response and non live response versions)
2. Run both side by side on the sample data set provided here. Example command hayabusa-3.0.1-win-x64.exe json-timeline -d ..\hayabusa-sample-evtx-main -o test.json (press enter for wizard options)
3. Observe that the final rule counts after channel filtering differ.

Expected behavior
I would have expected both to have the same number of rules applied but I could be missing something.

[YamatoSecurity]

@crayy8 Thanks for letting us know about this. Yes, they should be the same. We will investigate into it.
(@fukusuket could you take a look when you have time?)

[fukusuket]

memo

The following three files were differences 🤔

% diff rule_ids.txt ../hayabusa-3.1.0-mac-aarch64-live-response/rule_ids.txt
871a872
> 3318e98f-7614-2bef-f5b2-78af7cbba518
2469a2471
> 93786e05-1808-f3b1-9841-7fee02fd7247
4099a4102
> f4e538d8-94a9-8ecc-779e-e03aa85aedb4

• 3318e98f-7614-2bef-f5b2-78af7cbba518
• 93786e05-1808-f3b1-9841-7fee02fd7247
• f4e538d8-94a9-8ecc-779e-e03aa85aedb4