Merge pull request #1497 from Yamato-Security/1485-option-disable-abb…

…riviation

feat: add `--disable-abbreviations` option

.github/workflows/integration-test.yml

@@ -41,6 +41,9 @@ jobs:
       - name: computer-metrics
         run: cd main && cargo run --release -- computer-metrics -d ../hayabusa-sample-evtx -q
 
+      - name: computer-metrics(-o)
+        run: cd main && cargo run --release -- computer-metrics -d ../hayabusa-sample-evtx -q -o out.csv -C
+
       - name: csv-timeline
         run: cd main && cargo run --release -- csv-timeline -d ../hayabusa-sample-evtx -o out.csv -q -w -D -n -u
 
@@ -50,6 +53,9 @@ jobs:
       - name: eid-metrics
         run: cd main && cargo run --release -- eid-metrics -d ../hayabusa-sample-evtx -q
 
+      - name: eid-metrics(-o)
+        run: cd main && cargo run --release -- eid-metrics -d ../hayabusa-sample-evtx -q -o out.csv -C
+
       - name: json-timeline
         run: cd main && cargo run --release -- json-timeline -d ../hayabusa-sample-evtx -o out.json -q -w -D -n -u
 
@@ -68,13 +74,25 @@ jobs:
       - name: list-profiles
         run: cd main && cargo run --release -- list-profiles -q
 
+      - name: log-metrics
+        run: cd main && cargo run --release -- log-metrics -d ../hayabusa-sample-evtx -q
+
+      - name: log-metrics(-o)
+        run: cd main && cargo run --release -- log-metrics -d ../hayabusa-sample-evtx -q -o out.csv -C
+
       - name: logon-summary
         run: cd main && cargo run --release -- logon-summary -d ../hayabusa-sample-evtx -q
 
+      - name: logon-summary(-o)
+        run: cd main && cargo run --release -- logon-summary -d ../hayabusa-sample-evtx -q -o out.csv -C
+
       - name: pivot-keywords-list
         run: cd main && cargo run --release -- pivot-keywords-list -d ../hayabusa-sample-evtx -o key -q -w
 
       - name: search
+        run: cd main && cargo run --release -- search -d ../hayabusa-sample-evtx -k mimikatz -q
+
+      - name: search(-o)
         run: cd main && cargo run --release -- search -d ../hayabusa-sample-evtx -k mimikatz -o search.csv -q
 
       - name: set-default-profile

CHANGELOG-Japanese.md

@@ -6,6 +6,7 @@
 
 - `gt`、`gte`、`lt`、`lte`のフィールドモディファイアに対応した。(#1433) (@fukusuket)
 - 新しい`log-metrics`コマンドで`.evtx`ファイルの情報を取得できるようになった。(コンピュータ名、イベント数、最初のタイムスタンプ、最後のタイムスタンプ、チャネル、プロバイダ) (#1474) (@fukusuket)
+- 新しい`-b, --disable-abbreviations`コマンドは、`Channel`と`Provider`の略称を無効にする。元の値を確認したい時に便利。 (#1485) (@fukusuket)
 
 **改善:**
 

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - Support for the `gt`, `gte`, `lt`, `lte` field modifiers. (#1433) (@fukusuket)
 - New `log-metrics` command to get information about `.evtx` files. (computer names, event count, first timestamp, last timestamp, channels, providers) (#1474) (@fukusuket)
+- New `-b, --disable-abbreviations` command to disable `Channel` and `Provider` abbreviations for when you want to check the original values. (#1485) (@fukusuket)
 
 **Enhancements:**
 

src/afterfact.rs

@@ -2297,6 +2297,7 @@ mod tests {
         let mock_ch_filter = message::create_output_filter_config(
             "test_files/config/channel_abbreviations.txt",
             true,
+            false,
         );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
@@ -2383,6 +2384,7 @@ mod tests {
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
             multiline: false,
+            disable_abbreviations: false,
         });
         let dummy_config = Some(Config {
             action: Some(dummy_action),
@@ -2645,6 +2647,7 @@ mod tests {
         let mock_ch_filter = message::create_output_filter_config(
             "test_files/config/channel_abbreviations.txt",
             true,
+            false,
         );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
@@ -2731,6 +2734,7 @@ mod tests {
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()),
             multiline: true,
+            disable_abbreviations: false,
         });
         let dummy_config = Some(Config {
             action: Some(dummy_action),
@@ -2987,6 +2991,7 @@ mod tests {
         let mock_ch_filter = message::create_output_filter_config(
             "test_files/config/channel_abbreviations.txt",
             true,
+            false,
         );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
@@ -3073,6 +3078,7 @@ mod tests {
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_remove_duplicate.csv").to_path_buf()),
             multiline: false,
+            disable_abbreviations: false,
         });
         let dummy_config = Some(Config {
             action: Some(dummy_action),
@@ -3330,6 +3336,7 @@ mod tests {
         let mock_ch_filter = message::create_output_filter_config(
             "test_files/config/channel_abbreviations.txt",
             true,
+            false,
         );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
@@ -3416,6 +3423,7 @@ mod tests {
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_remove_duplicate.json").to_path_buf()),
             jsonl_timeline: false,
+            disable_abbreviations: false,
         });
         let dummy_config = Some(Config {
             action: Some(dummy_action),
@@ -3747,6 +3755,7 @@ mod tests {
         let mock_ch_filter = message::create_output_filter_config(
             "test_files/config/channel_abbreviations.txt",
             true,
+            false,
         );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
@@ -3832,6 +3841,7 @@ mod tests {
             geo_ip: None,
             output: Some(Path::new("./test_multiple_data_in_details.json").to_path_buf()),
             jsonl_timeline: false,
+            disable_abbreviations: false,
         });
         let dummy_config = Some(Config {
             action: Some(dummy_action),
@@ -4108,6 +4118,7 @@ mod tests {
         let mock_ch_filter = message::create_output_filter_config(
             "test_files/config/channel_abbreviations.txt",
             true,
+            false,
         );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
@@ -4193,6 +4204,7 @@ mod tests {
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()),
             jsonl_timeline: false,
+            disable_abbreviations: false,
         });
 
         let dummy_config = Some(Config {
@@ -4394,6 +4406,7 @@ mod tests {
         let mock_ch_filter = message::create_output_filter_config(
             "test_files/config/channel_abbreviations.txt",
             true,
+            false,
         );
         let test_filepath: &str = "test.evtx";
         let test_rulepath: &str = "test-rule.yml";
@@ -4479,6 +4492,7 @@ mod tests {
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()),
             jsonl_timeline: true,
+            disable_abbreviations: false,
         });
 
         let dummy_config = Some(Config {

src/detections/configs.rs

@@ -356,10 +356,19 @@ impl StoredStatic {
             Some(Action::LogMetrics(opt)) => opt.output.as_ref(),
             _ => None,
         };
+        let disable_abbreviation = match &input_config.as_ref().unwrap().action {
+            Some(Action::CsvTimeline(opt)) => opt.disable_abbreviations,
+            Some(Action::JsonTimeline(opt)) => opt.disable_abbreviations,
+            Some(Action::EidMetrics(opt)) => opt.disable_abbreviations,
+            Some(Action::Search(opt)) => opt.disable_abbreviations,
+            Some(Action::LogMetrics(opt)) => opt.disable_abbreviations,
+            _ => false,
+        };
+
         let general_ch_abbr = create_output_filter_config(
-            utils::check_setting_path(config_path, "generic_abbreviations.txt", false)
+            check_setting_path(config_path, "generic_abbreviations.txt", false)
                 .unwrap_or_else(|| {
-                    utils::check_setting_path(
+                    check_setting_path(
                         &CURRENT_EXE_PATH.to_path_buf(),
                         "rules/config/generic_abbreviations.txt",
                         true,
@@ -369,6 +378,7 @@ impl StoredStatic {
                 .to_str()
                 .unwrap(),
             false,
+            disable_abbreviation,
         );
         let multiline_flag = match &input_config.as_ref().unwrap().action {
             Some(Action::CsvTimeline(opt)) => opt.multiline,
@@ -653,9 +663,9 @@ impl StoredStatic {
             config: input_config.as_ref().unwrap().to_owned(),
             config_path: config_path.to_path_buf(),
             ch_config: create_output_filter_config(
-                utils::check_setting_path(config_path, "channel_abbreviations.txt", false)
+                check_setting_path(config_path, "channel_abbreviations.txt", false)
                     .unwrap_or_else(|| {
-                        utils::check_setting_path(
+                        check_setting_path(
                             &CURRENT_EXE_PATH.to_path_buf(),
                             "rules/config/channel_abbreviations.txt",
                             true,
@@ -665,6 +675,7 @@ impl StoredStatic {
                     .to_str()
                     .unwrap(),
                 true,
+                disable_abbreviation,
             ),
             disp_abbr_generic: AhoCorasickBuilder::new()
                 .ascii_case_insensitive(true)
@@ -673,9 +684,9 @@ impl StoredStatic {
                 .unwrap(),
             disp_abbr_general_values: general_ch_abbr.values().map(|x| x.to_owned()).collect_vec(),
             provider_abbr_config: create_output_filter_config(
-                utils::check_setting_path(config_path, "provider_abbreviations.txt", false)
+                check_setting_path(config_path, "provider_abbreviations.txt", false)
                     .unwrap_or_else(|| {
-                        utils::check_setting_path(
+                        check_setting_path(
                             &CURRENT_EXE_PATH.to_path_buf(),
                             "rules/config/provider_abbreviations.txt",
                             true,
@@ -685,11 +696,12 @@ impl StoredStatic {
                     .to_str()
                     .unwrap(),
                 false,
+                disable_abbreviation,
             ),
             default_details: Self::get_default_details(
-                utils::check_setting_path(config_path, "default_details.txt", false)
+                check_setting_path(config_path, "default_details.txt", false)
                     .unwrap_or_else(|| {
-                        utils::check_setting_path(
+                        check_setting_path(
                             &CURRENT_EXE_PATH.to_path_buf(),
                             "rules/config/default_details.txt",
                             true,
@@ -700,9 +712,9 @@ impl StoredStatic {
                     .unwrap(),
             ),
             eventkey_alias: load_eventkey_alias(
-                utils::check_setting_path(config_path, "eventkey_alias.txt", false)
+                check_setting_path(config_path, "eventkey_alias.txt", false)
                     .unwrap_or_else(|| {
-                        utils::check_setting_path(
+                        check_setting_path(
                             &CURRENT_EXE_PATH.to_path_buf(),
                             "rules/config/eventkey_alias.txt",
                             true,
@@ -726,9 +738,9 @@ impl StoredStatic {
             profiles: None,
             thread_number: check_thread_number(input_config.as_ref().unwrap()),
             event_timeline_config: load_eventcode_info(
-                utils::check_setting_path(config_path, "channel_eid_info.txt", false)
+                check_setting_path(config_path, "channel_eid_info.txt", false)
                     .unwrap_or_else(|| {
-                        utils::check_setting_path(
+                        check_setting_path(
                             &CURRENT_EXE_PATH.to_path_buf(),
                             "rules/config/channel_eid_info.txt",
                             true,
@@ -739,9 +751,9 @@ impl StoredStatic {
                     .unwrap(),
             ),
             target_eventids: load_target_ids(
-                utils::check_setting_path(config_path, "target_event_IDs.txt", false)
+                check_setting_path(config_path, "target_event_IDs.txt", false)
                     .unwrap_or_else(|| {
-                        utils::check_setting_path(
+                        check_setting_path(
                             &CURRENT_EXE_PATH.to_path_buf(),
                             "rules/config/target_event_IDs.txt",
                             true,
@@ -1241,6 +1253,10 @@ pub struct SearchOption {
 
     #[clap(flatten)]
     pub time_format_options: TimeFormatOptions,
+
+    /// Disable abbreviations
+    #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)]
+    pub disable_abbreviations: bool,
 }
 
 #[derive(Args, Clone, Debug)]
@@ -1301,6 +1317,10 @@ pub struct EidMetricsOption {
     /// Overwrite files when saving
     #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
     pub clobber: bool,
+
+    /// Disable abbreviations
+    #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)]
+    pub disable_abbreviations: bool,
 }
 
 #[derive(Args, Clone, Debug)]
@@ -1669,6 +1689,10 @@ pub struct CsvOutputOption {
     /// Save the timeline in CSV format (ex: results.csv)
     #[arg(help_heading = Some("Output"), short = 'o', long, value_name = "FILE", display_order = 410)]
     pub output: Option<PathBuf>,
+
+    /// Disable abbreviations
+    #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)]
+    pub disable_abbreviations: bool,
 }
 
 #[derive(Args, Clone, Debug)]
@@ -1693,6 +1717,10 @@ pub struct JSONOutputOption {
         display_order = 70
     )]
     pub geo_ip: Option<PathBuf>,
+
+    /// Disable abbreviations
+    #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)]
+    pub disable_abbreviations: bool,
 }
 
 #[derive(Args, Clone, Debug)]
@@ -1775,6 +1803,10 @@ pub struct LogMetricsOption {
     /// Overwrite files when saving
     #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
     pub clobber: bool,
+
+    /// Disable abbreviations
+    #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)]
+    pub disable_abbreviations: bool,
 }
 
 #[derive(Parser, Clone, Debug)]
@@ -2236,6 +2268,7 @@ fn extract_search_options(config: &Config) -> Option<SearchOption> {
             jsonl_output: option.jsonl_output,
             time_format_options: option.time_format_options.clone(),
             and_logic: option.and_logic,
+            disable_abbreviations: option.disable_abbreviations,
         }),
         _ => None,
     }
@@ -2907,6 +2940,7 @@ mod tests {
                 geo_ip: None,
                 output: None,
                 multiline: false,
+                disable_abbreviations: false,
             })),
             debug: false,
         }));
@@ -2987,6 +3021,7 @@ mod tests {
                 geo_ip: None,
                 output: None,
                 jsonl_timeline: false,
+                disable_abbreviations: false,
             })),
             debug: false,
         }));
@@ -3036,6 +3071,7 @@ mod tests {
                     us_time: false,
                     utc: false,
                 },
+                disable_abbreviations: false,
             })),
             debug: false,
         }));
@@ -3082,6 +3118,7 @@ mod tests {
                     include_computer: None,
                     exclude_computer: None,
                 },
+                disable_abbreviations: false,
             })),
             debug: false,
         }));