Trawler
Json output instead of csv for detections
I have a thought on a somewhat easy way to transition from csv to json if that is something that you're interested in. In quite a few places where detections are created to be output they look similar to this:
```powershell
$detection = [PSCustomObject]@{
    Name      = 'Narrator Missing DLL is Present'
    Risk      = 'Medium'
    Source    = 'Windows Narrator'
    Technique = "T1546: Event Triggered Execution"
    Meta      = "File: "+$item.FullName+", Created: "+$item.CreationTime+", Last Modified: "+$item.LastWriteTime
}
```
I think we could take the Metadata and use the object directly so it will convert to json better. i.e.:
```powershell
$detection = [PSCustomObject]@{
    Name      = 'Narrator Missing DLL is Present'
    Risk      = 'Medium'
    Source    = 'Windows Narrator'
    Technique = "T1546: Event Triggered Execution"
    # Keep Meta as a nested object (Select-Object rather than the Select alias)
    # so its properties serialize as named JSON fields instead of one string.
    Meta      = $item | Select-Object FullName, CreationTime, LastWriteTime
}
```
This way we are able to convert the PSCustomObject into proper json using the headers that correlate to the object. I think a couple helper methods could be created to easily convert to either json or csv with somewhat minimal uplift.
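As an added illustration of the helper idea above (example code, not Trawler's own), here is one detection built with a structured Meta object plus a hypothetical `Write-Detection` helper that emits either JSON lines or CSV. The `$item` file record and the output paths are constructed inline so it runs offline; the CSV branch flattens Meta, because Export-Csv would otherwise write the nested object's type name rather than its values.

```powershell
# Added example (not Trawler's own code): a detection with structured Meta and
# a helper that writes it as JSON or CSV. $item is a constructed sample record.
$item = [PSCustomObject]@{
    FullName      = 'C:\Windows\System32\example.dll'   # constructed sample path
    CreationTime  = Get-Date '2024-01-01T10:00:00Z'
    LastWriteTime = Get-Date '2024-01-02T11:30:00Z'
}

$detection = [PSCustomObject]@{
    Name      = 'Narrator Missing DLL is Present'
    Risk      = 'Medium'
    Source    = 'Windows Narrator'
    Technique = 'T1546: Event Triggered Execution'
    Meta      = $item | Select-Object FullName, CreationTime, LastWriteTime
}

function Write-Detection {
    # Hypothetical helper name; Trawler's real output functions may differ.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [PSCustomObject] $Detection,
        [ValidateSet('json', 'csv')] [string] $Format = 'json',
        [Parameter(Mandatory)] [string] $Path
    )
    process {
        if ($Format -eq 'json') {
            # One JSON object per line so a SIEM or jq can stream the file.
            # -Compress keeps each record on a single line; -Depth covers nested Meta.
            $Detection | ConvertTo-Json -Compress -Depth 4 | Add-Content -Path $Path
        }
        else {
            # CSV cannot hold a nested object, so flatten Meta into Meta_<Property>
            # columns; every other property is copied through unchanged.
            $row = [ordered]@{}
            foreach ($p in $Detection.PSObject.Properties) {
                if ($p.Name -eq 'Meta' -and $p.Value -is [PSCustomObject]) {
                    foreach ($m in $p.Value.PSObject.Properties) {
                        $row["Meta_$($m.Name)"] = $m.Value
                    }
                } else {
                    $row[$p.Name] = $p.Value
                }
            }
            [PSCustomObject]$row | Export-Csv -Path $Path -NoTypeInformation -Append
        }
    }
}

$detection | Write-Detection -Format json -Path "$env:TEMP\detections.jsonl"
$detection | Write-Detection -Format csv  -Path "$env:TEMP\detections.csv"
```

Because the CSV header is derived from the flattened columns, every detection passed to the same file must carry the same Meta properties, or Export-Csv -Append will reject the mismatched rows.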