From c5f5a2a223ddadfe18769027cab774a5909ef4e2 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 15 Nov 2024 11:01:08 +0900 Subject: [PATCH 1/4] feat: add disable-abbreviation option --- src/afterfact.rs | 14 ++++++ src/detections/configs.rs | 65 +++++++++++++++++++------ src/detections/detection.rs | 5 ++ src/detections/message.rs | 14 ++++-- src/detections/rule/condition_parser.rs | 1 + src/detections/rule/count.rs | 1 + src/detections/rule/matchers.rs | 1 + src/detections/rule/mod.rs | 1 + src/detections/rule/selectionnodes.rs | 1 + src/detections/utils.rs | 1 + src/main.rs | 7 +++ src/options/htmlreport.rs | 4 ++ src/options/profile.rs | 3 ++ src/timeline/metrics.rs | 1 + src/timeline/timelines.rs | 1 + src/yaml.rs | 1 + 16 files changed, 103 insertions(+), 18 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 3c74d183b..8f8fd86a7 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -2297,6 +2297,7 @@ mod tests { let mock_ch_filter = message::create_output_filter_config( "test_files/config/channel_abbreviations.txt", true, + false, ); let test_filepath: &str = "test.evtx"; let test_rulepath: &str = "test-rule.yml"; @@ -2383,6 +2384,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv.csv").to_path_buf()), multiline: false, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), @@ -2645,6 +2647,7 @@ mod tests { let mock_ch_filter = message::create_output_filter_config( "test_files/config/channel_abbreviations.txt", true, + false, ); let test_filepath: &str = "test.evtx"; let test_rulepath: &str = "test-rule.yml"; @@ -2731,6 +2734,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()), multiline: true, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), 
@@ -2987,6 +2991,7 @@ mod tests { let mock_ch_filter = message::create_output_filter_config( "test_files/config/channel_abbreviations.txt", true, + false, ); let test_filepath: &str = "test.evtx"; let test_rulepath: &str = "test-rule.yml"; @@ -3073,6 +3078,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv_remove_duplicate.csv").to_path_buf()), multiline: false, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), @@ -3330,6 +3336,7 @@ mod tests { let mock_ch_filter = message::create_output_filter_config( "test_files/config/channel_abbreviations.txt", true, + false, ); let test_filepath: &str = "test.evtx"; let test_rulepath: &str = "test-rule.yml"; @@ -3416,6 +3423,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv_remove_duplicate.json").to_path_buf()), jsonl_timeline: false, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), @@ -3747,6 +3755,7 @@ mod tests { let mock_ch_filter = message::create_output_filter_config( "test_files/config/channel_abbreviations.txt", true, + false, ); let test_filepath: &str = "test.evtx"; let test_rulepath: &str = "test-rule.yml"; @@ -3832,6 +3841,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_multiple_data_in_details.json").to_path_buf()), jsonl_timeline: false, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), @@ -4108,6 +4118,7 @@ mod tests { let mock_ch_filter = message::create_output_filter_config( "test_files/config/channel_abbreviations.txt", true, + false, ); let test_filepath: &str = "test.evtx"; let test_rulepath: &str = "test-rule.yml"; @@ -4193,6 +4204,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()), jsonl_timeline: false, + disable_abbreviations: false, }); let dummy_config = Some(Config { 
@@ -4394,6 +4406,7 @@ mod tests { let mock_ch_filter = message::create_output_filter_config( "test_files/config/channel_abbreviations.txt", true, + false, ); let test_filepath: &str = "test.evtx"; let test_rulepath: &str = "test-rule.yml"; @@ -4479,6 +4492,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()), jsonl_timeline: true, + disable_abbreviations: false, }); let dummy_config = Some(Config { diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 3eb719886..7fc823905 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -356,10 +356,19 @@ impl StoredStatic { Some(Action::LogMetrics(opt)) => opt.output.as_ref(), _ => None, }; + let disable_abbreviation = match &input_config.as_ref().unwrap().action { + Some(Action::CsvTimeline(opt)) => opt.disable_abbreviations, + Some(Action::JsonTimeline(opt)) => opt.disable_abbreviations, + Some(Action::EidMetrics(opt)) => opt.disable_abbreviations, + Some(Action::Search(opt)) => opt.disable_abbreviations, + Some(Action::LogMetrics(opt)) => opt.disable_abbreviations, + _ => false, + }; + let general_ch_abbr = create_output_filter_config( - utils::check_setting_path(config_path, "generic_abbreviations.txt", false) + check_setting_path(config_path, "generic_abbreviations.txt", false) .unwrap_or_else(|| { - utils::check_setting_path( + check_setting_path( &CURRENT_EXE_PATH.to_path_buf(), "rules/config/generic_abbreviations.txt", true, @@ -369,6 +378,7 @@ impl StoredStatic { .to_str() .unwrap(), false, + disable_abbreviation, ); let multiline_flag = match &input_config.as_ref().unwrap().action { Some(Action::CsvTimeline(opt)) => opt.multiline, 
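Review bot: The new `disable_abbreviation` value is passed to `general_ch_abbr` here and to `ch_config` and `provider_abbr_config` in the following hunks, so `-b` also empties the `generic_abbreviations.txt` table that feeds `disp_abbr_generic` and `disp_abbr_general_values`, while the CHANGELOG entry later in this series describes the flag as disabling `Channel` and `Provider` abbreviations only. Either scope the flag to the two tables the changelog names or make the wider effect explicit, e.g. `// -b empties every abbreviation table (channel, provider, generic) so original values are emitted`. The local is singular (`disable_abbreviation`) while the CLI field it reads is plural (`disable_abbreviations`); matching them would ease grepping. With the flag set, the AhoCorasick in the next hunk is built from zero patterns; I believe that builds fine, but a test running with `-b` would confirm the `.unwrap()` after `build` does not trip. The enclosing constructor starts and ends outside this hunk.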
@@ -653,9 +663,9 @@ impl StoredStatic { config: input_config.as_ref().unwrap().to_owned(), config_path: config_path.to_path_buf(), ch_config: create_output_filter_config( - utils::check_setting_path(config_path, "channel_abbreviations.txt", false) + check_setting_path(config_path, "channel_abbreviations.txt", false) .unwrap_or_else(|| { - utils::check_setting_path( + check_setting_path( &CURRENT_EXE_PATH.to_path_buf(), "rules/config/channel_abbreviations.txt", true, @@ -665,6 +675,7 @@ impl StoredStatic { .to_str() .unwrap(), true, + disable_abbreviation, ), disp_abbr_generic: AhoCorasickBuilder::new() .ascii_case_insensitive(true) @@ -673,9 +684,9 @@ impl StoredStatic { .unwrap(), disp_abbr_general_values: general_ch_abbr.values().map(|x| x.to_owned()).collect_vec(), provider_abbr_config: create_output_filter_config( - utils::check_setting_path(config_path, "provider_abbreviations.txt", false) + check_setting_path(config_path, "provider_abbreviations.txt", false) .unwrap_or_else(|| { - utils::check_setting_path( + check_setting_path( &CURRENT_EXE_PATH.to_path_buf(), "rules/config/provider_abbreviations.txt", true, @@ -685,11 +696,12 @@ impl StoredStatic { .to_str() .unwrap(), false, + disable_abbreviation, ), default_details: Self::get_default_details( - utils::check_setting_path(config_path, "default_details.txt", false) + check_setting_path(config_path, "default_details.txt", false) .unwrap_or_else(|| { - utils::check_setting_path( + check_setting_path( &CURRENT_EXE_PATH.to_path_buf(), "rules/config/default_details.txt", true, @@ -700,9 +712,9 @@ impl StoredStatic { .unwrap(), ), eventkey_alias: load_eventkey_alias( - utils::check_setting_path(config_path, "eventkey_alias.txt", false) + check_setting_path(config_path, "eventkey_alias.txt", false) .unwrap_or_else(|| { - utils::check_setting_path( + check_setting_path( &CURRENT_EXE_PATH.to_path_buf(), "rules/config/eventkey_alias.txt", true, 
@@ -726,9 +738,9 @@ impl StoredStatic { profiles: None, thread_number: check_thread_number(input_config.as_ref().unwrap()), event_timeline_config: load_eventcode_info( - utils::check_setting_path(config_path, "channel_eid_info.txt", false) + check_setting_path(config_path, "channel_eid_info.txt", false) .unwrap_or_else(|| { - utils::check_setting_path( + check_setting_path( &CURRENT_EXE_PATH.to_path_buf(), "rules/config/channel_eid_info.txt", true, @@ -739,9 +751,9 @@ impl StoredStatic { .unwrap(), ), target_eventids: load_target_ids( - utils::check_setting_path(config_path, "target_event_IDs.txt", false) + check_setting_path(config_path, "target_event_IDs.txt", false) .unwrap_or_else(|| { - utils::check_setting_path( + check_setting_path( &CURRENT_EXE_PATH.to_path_buf(), "rules/config/target_event_IDs.txt", true, @@ -1241,6 +1253,10 @@ pub struct SearchOption { #[clap(flatten)] pub time_format_options: TimeFormatOptions, + + /// Disable abbreviations + #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + pub disable_abbreviations: bool, } #[derive(Args, Clone, Debug)] @@ -1301,6 +1317,10 @@ pub struct EidMetricsOption { /// Overwrite files when saving #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")] pub clobber: bool, + + /// Disable abbreviations + #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + pub disable_abbreviations: bool, } #[derive(Args, Clone, Debug)] 
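Review bot: The `disable_abbreviations` field and its `#[arg(...)]` attribute are copied verbatim into `SearchOption` and `EidMetricsOption` here and into `CsvOutputOption`, `JSONOutputOption` and `LogMetricsOption` in the following hunks; since this file already composes options with `#[clap(flatten)]` (see `time_format_options` just above), a small shared `Args` struct would keep the heading, short and long in one place — patch 4/4 of this series has to touch all five copies just to move the help heading. The `/// Disable abbreviations` help text does not say what is affected; assuming the intended scope is the one the changelog gives, `/// Disable Channel/Provider abbreviations and output the original values` would tell the user. I cannot see the remaining fields of these structs, so please confirm `-b` is not already used as a short flag in any of the five subcommands — clap's debug assertions reject duplicate shorts. Each struct continues outside the hunk.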
@@ -1669,6 +1689,10 @@ pub struct CsvOutputOption { /// Save the timeline in CSV format (ex: results.csv) #[arg(help_heading = Some("Output"), short = 'o', long, value_name = "FILE", display_order = 410)] pub output: Option, + + /// Disable abbreviations + #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + pub disable_abbreviations: bool, } #[derive(Args, Clone, Debug)] @@ -1693,6 +1717,10 @@ pub struct JSONOutputOption { display_order = 70 )] pub geo_ip: Option, + + /// Disable abbreviations + #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + pub disable_abbreviations: bool, } #[derive(Args, Clone, Debug)] @@ -1775,6 +1803,10 @@ pub struct LogMetricsOption { /// Overwrite files when saving #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")] pub clobber: bool, + + /// Disable abbreviations + #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + pub disable_abbreviations: bool, } #[derive(Parser, Clone, Debug)] @@ -2236,6 +2268,7 @@ fn extract_search_options(config: &Config) -> Option { jsonl_output: option.jsonl_output, time_format_options: option.time_format_options.clone(), and_logic: option.and_logic, + disable_abbreviations: option.disable_abbreviations, }), _ => None, } @@ -2907,6 +2940,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })); @@ -2987,6 +3021,7 @@ mod tests { geo_ip: None, output: None, jsonl_timeline: false, + disable_abbreviations: false, })), debug: false, })); @@ -3036,6 +3071,7 @@ mod tests { us_time: false, utc: false, }, + disable_abbreviations: false, })), debug: false, })); @@ -3082,6 +3118,7 @@ mod tests { include_computer: None, exclude_computer: None, }, + disable_abbreviations: false, })), debug: false, })); 
diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 74542cba9..72191078d 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -1393,6 +1393,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })) @@ -1652,6 +1653,7 @@ mod tests { geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()), output: Some(Path::new("./test_emit_csv.csv").to_path_buf()), multiline: false, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), @@ -1793,6 +1795,7 @@ mod tests { geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()), output: Some(Path::new("./test_emit_csv.csv").to_path_buf()), multiline: false, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), @@ -1929,6 +1932,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv.csv").to_path_buf()), multiline: true, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), @@ -2081,6 +2085,7 @@ mod tests { geo_ip: None, output: Some(Path::new("./test_emit_csv.csv").to_path_buf()), multiline: true, + disable_abbreviations: false, }); let dummy_config = Some(Config { action: Some(dummy_action), diff --git a/src/detections/message.rs b/src/detections/message.rs index e23b79e0e..a40bf5e6d 100644 --- a/src/detections/message.rs +++ b/src/detections/message.rs @@ -62,7 +62,8 @@ lazy_static! { utils::check_setting_path(&CURRENT_EXE_PATH.to_path_buf(), "config/mitre_tactics.txt", true) .unwrap().to_str() .unwrap(), - true + true, + false ); pub static ref COMPUTER_MITRE_ATTCK_MAP : DashMap> = DashMap::new(); pub static ref LEVEL_ABBR_MAP:HashMap<&'static str, &'static str> = HashMap::from_iter(vec![ 
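Review bot: `MITRE_TACTICS` is loaded with a literal `false` for the new parameter, so this table is never affected by `-b`; since the four call sites in configs.rs forward the user's flag, a reader will wonder whether the literal is an oversight. A short comment makes the choice deliberate, e.g. `false, // not governed by --disable-abbreviations`. The `lazy_static!` block starts and ends outside the hunk.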
@@ -87,8 +88,12 @@ lazy_static! { pub fn create_output_filter_config( path: &str, is_lower_case: bool, + disable_abbreviation: bool, ) -> HashMap { let mut ret: HashMap = HashMap::new(); + if disable_abbreviation { + return ret; + } let read_result = match utils::read_csv(path) { Ok(c) => c, Err(e) => { @@ -780,7 +785,8 @@ mod tests { #[test] /// test of loading output filter config by mitre_tactics.txt fn test_load_mitre_tactics_log() { - let actual = create_output_filter_config("test_files/config/mitre_tactics.txt", true); + let actual = + create_output_filter_config("test_files/config/mitre_tactics.txt", true, false); let expected: HashMap = HashMap::from([ ("attack.impact".into(), "Impact".into()), ("xxx".into(), "yyy".into()), @@ -792,9 +798,9 @@ mod tests { /// loading test to channel_abbrevations.txt fn test_load_abbrevations() { let actual = - create_output_filter_config("test_files/config/channel_abbreviations.txt", true); + create_output_filter_config("test_files/config/channel_abbreviations.txt", true, false); let actual2 = - create_output_filter_config("test_files/config/channel_abbreviations.txt", true); + create_output_filter_config("test_files/config/channel_abbreviations.txt", true, false); let expected: HashMap = HashMap::from([ ("security".into(), "Sec".into()), ("xxx".into(), "yyy".into()), diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index 5226ef759..44cc4c903 100644 --- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -517,6 +517,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })) diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs index 05a452cde..4ee9a813d 100644 --- a/src/detections/rule/count.rs +++ b/src/detections/rule/count.rs @@ -648,6 +648,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })) 
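Review bot: `create_output_filter_config` now takes two adjacent positional `bool`s, so call sites read as `(path, true, false)` with no hint of which is `is_lower_case` and which is `disable_abbreviation`, and the function still has no doc comment describing either. A doc comment such as `/// Loads a key/value filter table from the CSV at `path`; keys are lower-cased when `is_lower_case`, and when `disable_abbreviation` is set the file is not read and an empty map is returned` would state the new contract, including that a missing or malformed file goes unreported in that mode. The tests in this hunk only ever pass `false`; a one-liner such as `assert!(create_output_filter_config("test_files/config/channel_abbreviations.txt", true, true).is_empty());` would pin the new early-return path. The parameter name is singular while the CLI field added in configs.rs is plural. The function body continues past the hunk.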
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index e4840cc1a..15f61807e 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -1121,6 +1121,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })); diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs index 4adebe603..c6515e1f2 100644 --- a/src/detections/rule/mod.rs +++ b/src/detections/rule/mod.rs @@ -491,6 +491,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })) diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs index 691b820d4..2cbca2304 100644 --- a/src/detections/rule/selectionnodes.rs +++ b/src/detections/rule/selectionnodes.rs @@ -590,6 +590,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })) diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 46eaa0626..a86678b0c 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -1171,6 +1171,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })); diff --git a/src/main.rs b/src/main.rs index 948c0feb0..5cc99644d 100644 --- a/src/main.rs +++ b/src/main.rs @@ -2543,6 +2543,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })) @@ -2719,6 +2720,7 @@ mod tests { geo_ip: None, output: Some(Path::new("overwrite.csv").to_path_buf()), multiline: false, + disable_abbreviations: false, }); let config = Some(Config { action: Some(action), @@ -2809,6 +2811,7 @@ mod tests { geo_ip: None, output: Some(Path::new("overwrite.csv").to_path_buf()), multiline: false, + disable_abbreviations: false, }); let config = Some(Config { action: Some(action), 
@@ -2898,6 +2901,7 @@ mod tests { geo_ip: None, output: Some(Path::new("overwrite.json").to_path_buf()), jsonl_timeline: false, + disable_abbreviations: false, }); let config = Some(Config { action: Some(action), @@ -2988,6 +2992,7 @@ mod tests { geo_ip: None, output: Some(Path::new("overwrite.json").to_path_buf()), jsonl_timeline: false, + disable_abbreviations: false, }); let config = Some(Config { action: Some(action), @@ -3043,6 +3048,7 @@ mod tests { utc: false, }, clobber: false, + disable_abbreviations: false, }); let config = Some(Config { action: Some(action), @@ -3100,6 +3106,7 @@ mod tests { utc: false, }, clobber: true, + disable_abbreviations: false, }); let config = Some(Config { action: Some(action), diff --git a/src/options/htmlreport.rs b/src/options/htmlreport.rs index 43224fbc1..199e6cfd9 100644 --- a/src/options/htmlreport.rs +++ b/src/options/htmlreport.rs @@ -318,6 +318,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, }); let csv_html_flag_enable = create_dummy_stored_static(Some(enable_csv_action)); assert!(htmlreport::check_html_flag(&csv_html_flag_enable.config)); @@ -390,6 +391,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, }); let csv_html_flag_disable = create_dummy_stored_static(Some(disable_csv_action)); assert!(!htmlreport::check_html_flag(&csv_html_flag_disable.config)); @@ -465,6 +467,7 @@ mod tests { jsonl_timeline: false, geo_ip: None, output: None, + disable_abbreviations: false, }); let json_html_flag_enable = create_dummy_stored_static(Some(enable_json_action)); assert!(htmlreport::check_html_flag(&json_html_flag_enable.config)); @@ -537,6 +540,7 @@ mod tests { jsonl_timeline: false, geo_ip: None, output: None, + disable_abbreviations: false, }); let json_html_flag_disable = create_dummy_stored_static(Some(disable_json_action)); assert!(!htmlreport::check_html_flag(&json_html_flag_disable.config)); 
diff --git a/src/options/profile.rs b/src/options/profile.rs index 925c28128..5c94dd046 100644 --- a/src/options/profile.rs +++ b/src/options/profile.rs @@ -561,6 +561,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })); *GEOIP_DB_PARSER.write().unwrap() = None; assert_eq!( @@ -644,6 +645,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })); let expect: Vec<(CompactString, Profile)> = vec![ @@ -757,6 +759,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })); //両方のファイルが存在しない場合 assert_eq!( diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs index e51334e6f..7e4a46a69 100644 --- a/src/timeline/metrics.rs +++ b/src/timeline/metrics.rs @@ -534,6 +534,7 @@ mod tests { }, output: None, clobber: false, + disable_abbreviations: false, })); let mut timeline = Timeline::new(); diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs index cbe5858d2..f63429e7d 100644 --- a/src/timeline/timelines.rs +++ b/src/timeline/timelines.rs @@ -906,6 +906,7 @@ mod tests { }, output: Some(Path::new("./test_tm_stats.csv").to_path_buf()), clobber: false, + disable_abbreviations: false, })); *STORED_EKEY_ALIAS.write().unwrap() = Some(dummy_stored_static.eventkey_alias.clone()); let mut timeline = Timeline::default(); diff --git a/src/yaml.rs b/src/yaml.rs index 826dd2ca3..e8ad21f12 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -860,6 +860,7 @@ mod tests { geo_ip: None, output: None, multiline: false, + disable_abbreviations: false, })), debug: false, })) From d7ff8981aac19b4a6963f30cdbb92e588d82d246 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 15 Nov 2024 11:03:56 +0900 Subject: [PATCH 2/4] test: add command --- .github/workflows/integration-test.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml index 4e8d4b139..26983a3c3 100644 --- a/.github/workflows/integration-test.yml +++ b/.github/workflows/integration-test.yml @@ -41,6 +41,9 @@ jobs: - name: computer-metrics run: cd main && cargo run --release -- computer-metrics -d ../hayabusa-sample-evtx -q + - name: computer-metrics(-o) + run: cd main && cargo run --release -- computer-metrics -d ../hayabusa-sample-evtx -q -o out.csv -C + - name: csv-timeline run: cd main && cargo run --release -- csv-timeline -d ../hayabusa-sample-evtx -o out.csv -q -w -D -n -u @@ -50,6 +53,9 @@ jobs: - name: eid-metrics run: cd main && cargo run --release -- eid-metrics -d ../hayabusa-sample-evtx -q + - name: eid-metrics(-o) + run: cd main && cargo run --release -- eid-metrics -d ../hayabusa-sample-evtx -q -o out.csv -C + - name: json-timeline run: cd main && cargo run --release -- json-timeline -d ../hayabusa-sample-evtx -o out.json -q -w -D -n -u @@ -68,13 +74,25 @@ jobs: - name: list-profiles run: cd main && cargo run --release -- list-profiles -q + - name: log-metrics + run: cd main && cargo run --release -- log-metrics -d ../hayabusa-sample-evtx -q + + - name: log-metrics(-o) + run: cd main && cargo run --release -- log-metrics -d ../hayabusa-sample-evtx -q -o out.csv -C + - name: logon-summary run: cd main && cargo run --release -- logon-summary -d ../hayabusa-sample-evtx -q + - name: logon-summary(-o) + run: cd main && cargo run --release -- logon-summary -d ../hayabusa-sample-evtx -q -o out.csv -C + - name: pivot-keywords-list run: cd main && cargo run --release -- pivot-keywords-list -d ../hayabusa-sample-evtx -o key -q -w - name: search + run: cd main && cargo run --release -- search -d ../hayabusa-sample-evtx -k mimikatz -q + + - name: search(-o) run: cd main && cargo run --release -- search -d ../hayabusa-sample-evtx -k mimikatz -o search.csv -q - name: set-default-profile 
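Review bot: The new `computer-metrics(-o)` step writes `out.csv` in `main/` with `-C`, and the existing `csv-timeline` step that follows writes `-o out.csv` without `-C`; if the binary refuses to overwrite an existing file unless `--clobber` is given (the `clobber` option in configs.rs is documented as "Overwrite files when saving"), that step now fails on the file left by the previous one. Adding `-C` to the `csv-timeline` run, or giving each step its own output name, removes the ordering dependency. None of the added steps exercises the `-b`/`--disable-abbreviations` flag introduced in patch 1/4 of this series; a variant such as `run: cd main && cargo run --release -- csv-timeline -d ../hayabusa-sample-evtx -o out_b.csv -q -w -D -n -u -b` would cover it. The `-o out.csv -C` pattern is repeated for four commands; a matrix or reusable step would cut the duplication, though that is a style preference.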
From 3b75add864893826eee732109f8c11dc45f9df65 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 15 Nov 2024 12:42:19 +0900 Subject: [PATCH 3/4] update changelog --- CHANGELOG-Japanese.md | 1 + CHANGELOG.md | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 3a33e5a55..2d67e7ed0 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -6,6 +6,7 @@ - `gt`、`gte`、`lt`、`lte`のフィールドモディファイアに対応した。(#1433) (@fukusuket) - 新しい`log-metrics`コマンドで`.evtx`ファイルの情報を取得できるようになった。(コンピュータ名、イベント数、最初のタイムスタンプ、最後のタイムスタンプ、チャネル、プロバイダ) (#1474) (@fukusuket) +- 新しい`-b, --disable-abbreviations`コマンドは、`Channel`と`Provider`の略称を無効にする。元の値を確認したい時に便利。 (#1485) (@fukusuket) **改善:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e75efa00..b07cd7bbe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ - Support for the `gt`, `gte`, `lt`, `lte` field modifiers. (#1433) (@fukusuket) - New `log-metrics` command to get information about `.evtx` files. (computer names, event count, first timestamp, last timestamp, channels, providers) (#1474) (@fukusuket) +- New `-b, --disable-abbreviations` command to disable `Channel` and `Provider` abbreviations for when you want to check the original values. (#1485) (@fukusuket) **Enhancements:** From 2c4961c635380d6a2894a1f9f2bc3843cfc87083 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 15 Nov 2024 13:41:33 +0900 Subject: [PATCH 4/4] chg: move disable-abbreviations options to Output --- src/detections/configs.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 7fc823905..8900c4beb 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -1255,7 +1255,7 @@ pub struct SearchOption { pub time_format_options: TimeFormatOptions, /// Disable abbreviations - #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)] pub disable_abbreviations: bool, } @@ -1319,7 +1319,7 @@ pub struct EidMetricsOption { pub clobber: bool, /// Disable abbreviations - #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)] pub disable_abbreviations: bool, } @@ -1691,7 +1691,7 @@ pub struct CsvOutputOption { pub output: Option, /// Disable abbreviations - #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)] pub disable_abbreviations: bool, } @@ -1719,7 +1719,7 @@ pub struct JSONOutputOption { pub geo_ip: Option, /// Disable abbreviations - #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)] pub disable_abbreviations: bool, } @@ -1805,7 +1805,7 @@ pub struct LogMetricsOption { pub clobber: bool, /// Disable abbreviations - #[arg(help_heading = Some("General Options"), short='b', long = "disable-abbreviations", display_order = 300)] + #[arg(help_heading = Some("Output"), short='b', long = "disable-abbreviations", display_order = 60)] pub disable_abbreviations: bool, }