Merge pull request #1484 from Yamato-Security/1474-log-metrics-command
feat: add `log-metrics` command feature
YamatoSecurity authored Nov 12, 2024
2 parents 23032ed + a09df8a commit 730aec8
Showing 20 changed files with 1,009 additions and 627 deletions.
1 change: 1 addition & 0 deletions CHANGELOG-Japanese.md
Expand Up @@ -5,6 +5,7 @@
**新機能:**

- `gt``gte``lt``lte`のフィールドモディファイアに対応した。(#1433) (@fukusuket)
- 新しい`log-metrics`コマンドで`.evtx`ファイルの情報を取得できるようになった。(コンピュータ名、イベント数、最初のタイムスタンプ、最後のタイムスタンプ、チャネル、プロバイダ) (#1474) (@fukusuket)

**改善:**

1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@
**New Features:**

- Support for the `gt`, `gte`, `lt`, `lte` field modifiers. (#1433) (@fukusuket)
- New `log-metrics` command to get information about `.evtx` files. (computer names, event count, first timestamp, last timestamp, channels, providers) (#1474) (@fukusuket)

**Enhancements:**

277 changes: 166 additions & 111 deletions src/afterfact.rs

Large diffs are not rendered by default.

458 changes: 233 additions & 225 deletions src/detections/configs.rs

Large diffs are not rendered by default.

97 changes: 58 additions & 39 deletions src/detections/detection.rs
Expand Up @@ -147,7 +147,8 @@ impl Detection {
if !(stored_static.logon_summary_flag
|| stored_static.search_flag
|| stored_static.metrics_flag
|| stored_static.computer_metrics_flag)
|| stored_static.computer_metrics_flag
|| stored_static.log_metrics_flag)
{
Detection::print_rule_load_info(
&rulefile_loader.rulecounter,
Expand Down Expand Up @@ -317,7 +318,11 @@ impl Detection {
format_time(
&time,
false,
stored_static.output_option.as_ref().unwrap(),
&stored_static
.output_option
.as_ref()
.unwrap()
.time_format_options,
)
.into(),
),
Expand Down Expand Up @@ -786,7 +791,11 @@ impl Detection {
format_time(
&agg_result.start_timedate,
false,
stored_static.output_option.as_ref().unwrap(),
&stored_static
.output_option
.as_ref()
.unwrap()
.time_format_options,
)
.into(),
),
Expand Down Expand Up @@ -1295,7 +1304,6 @@ mod tests {
use yaml_rust2::YamlLoader;

use crate::detections;
use crate::detections::configs::load_eventkey_alias;
use crate::detections::configs::Action;
use crate::detections::configs::CommonOptions;
use crate::detections::configs::Config;
Expand All @@ -1306,6 +1314,7 @@ mod tests {
use crate::detections::configs::StoredStatic;
use crate::detections::configs::CURRENT_EXE_PATH;
use crate::detections::configs::STORED_EKEY_ALIAS;
use crate::detections::configs::{load_eventkey_alias, TimeFormatOptions};
use crate::detections::detection::Detection;
use crate::detections::rule::create_rule;
use crate::detections::rule::AggResult;
Expand Down Expand Up @@ -1334,13 +1343,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
Expand Down Expand Up @@ -1591,13 +1602,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
Expand Down Expand Up @@ -1730,13 +1743,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
Expand Down Expand Up @@ -1864,13 +1879,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
Expand Down Expand Up @@ -2014,13 +2031,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
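Review bot: The guard at the top of the first hunk (around line 147) now hand-enumerates five command flags, `logon_summary_flag || search_flag || metrics_flag || computer_metrics_flag || log_metrics_flag`, to decide whether `print_rule_load_info` is skipped, so every future rule-less command must be added here by hand and presumably in every other place these flags are consulted together. A single predicate on `StoredStatic`, e.g. `fn is_rule_independent_command(&self) -> bool`, would keep that decision in one place, and this site becomes `if !stored_static.is_rule_independent_command() {`. The enclosing method starts and ends outside the hunk. The two `format_time` call sites in the later hunks both repeat `stored_static.output_option.as_ref().unwrap().time_format_options`; the `unwrap` keeps the pre-existing panic path, so either state the invariant with `.expect("output_option is set for timeline commands")` or route both through a small accessor on `StoredStatic` that documents it once.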
18 changes: 10 additions & 8 deletions src/detections/rule/condition_parser.rs
Expand Up @@ -421,7 +421,7 @@ impl ConditionCompiler {
mod tests {
use crate::detections::configs::{
Action, CommonOptions, Config, CsvOutputOption, DetectCommonOption, InputOption,
OutputOption, StoredStatic, STORED_EKEY_ALIAS,
OutputOption, StoredStatic, TimeFormatOptions, STORED_EKEY_ALIAS,
};
use crate::detections::rule::condition_parser::ConditionCompiler;
use crate::detections::rule::create_rule;
Expand Down Expand Up @@ -467,13 +467,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
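Review bot: The new `time_format_options: TimeFormatOptions { european_time: false, … utc: false }` fixture in the test hunk (around line 467) is seven all-`false` fields copied verbatim, and the identical block appears in the test hunks of count.rs, matchers.rs, rule/mod.rs, selectionnodes.rs and six times in detection.rs. If `TimeFormatOptions` derives or implements `Default` (not visible in this diff), each copy collapses to `time_format_options: TimeFormatOptions::default(),`; otherwise a shared test helper returning the all-false value would keep the fixtures in step when a new format flag is added. The enclosing fixture function starts and ends outside the hunk.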
18 changes: 10 additions & 8 deletions src/detections/rule/count.rs
Expand Up @@ -542,7 +542,6 @@ mod tests {
use std::path::Path;

use crate::detections;
use crate::detections::configs::Action;
use crate::detections::configs::CommonOptions;
use crate::detections::configs::Config;
use crate::detections::configs::CsvOutputOption;
Expand All @@ -551,6 +550,7 @@ mod tests {
use crate::detections::configs::OutputOption;
use crate::detections::configs::StoredStatic;
use crate::detections::configs::STORED_EKEY_ALIAS;
use crate::detections::configs::{Action, TimeFormatOptions};
use crate::detections::rule::create_rule;
use crate::detections::rule::AggResult;
use crate::detections::utils;
Expand Down Expand Up @@ -598,13 +598,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
18 changes: 10 additions & 8 deletions src/detections/rule/matchers.rs
Expand Up @@ -1044,7 +1044,7 @@ mod tests {
};
use crate::detections::configs::{
Action, CommonOptions, Config, CsvOutputOption, DetectCommonOption, InputOption,
OutputOption, StoredStatic, STORED_EKEY_ALIAS,
OutputOption, StoredStatic, TimeFormatOptions, STORED_EKEY_ALIAS,
};
use crate::detections::rule::matchers::FastMatch;
use crate::detections::rule::tests::parse_rule_from_str;
Expand All @@ -1071,13 +1071,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
20 changes: 11 additions & 9 deletions src/detections/rule/mod.rs
Expand Up @@ -409,6 +409,8 @@ mod tests {

use yaml_rust2::YamlLoader;

use super::RuleNode;
use crate::detections::configs::TimeFormatOptions;
use crate::detections::{
self,
configs::{
Expand All @@ -419,8 +421,6 @@ mod tests {
utils,
};

use super::RuleNode;

fn create_dummy_stored_static() -> StoredStatic {
StoredStatic::create_static_data(Some(Config {
action: Some(Action::CsvTimeline(CsvOutputOption {
Expand All @@ -441,13 +441,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,
17 changes: 10 additions & 7 deletions src/detections/rule/selectionnodes.rs
Expand Up @@ -509,6 +509,7 @@ impl SelectionNode for LeafSelectionNode {
mod tests {
use std::path::Path;

use crate::detections::configs::TimeFormatOptions;
use crate::detections::{
self,
configs::{
Expand Down Expand Up @@ -539,13 +540,15 @@ mod tests {
end_timeline: None,
start_timeline: None,
eid_filter: false,
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
time_format_options: TimeFormatOptions {
european_time: false,
iso_8601: false,
rfc_2822: false,
rfc_3339: false,
us_military_time: false,
us_time: false,
utc: false,
},
visualize_timeline: false,
rules: Path::new("./rules").to_path_buf(),
html_report: None,