feat: added powershell classic data fields extraction option
fukusuket committed Nov 23, 2023
1 parent 919f593 commit 860c318
Showing 17 changed files with 232 additions and 13 deletions.
13 changes: 13 additions & 0 deletions src/afterfact.rs
Expand Up @@ -1945,6 +1945,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2034,6 +2035,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2273,6 +2275,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2364,6 +2367,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2589,6 +2593,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2678,6 +2683,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2914,6 +2920,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3003,6 +3010,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3324,6 +3332,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3492,6 +3501,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3580,6 +3590,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3757,6 +3768,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3845,6 +3857,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
22 changes: 22 additions & 0 deletions src/detections/configs.rs
Expand Up @@ -83,6 +83,7 @@ pub struct StoredStatic {
pub exclude_eid: HashSet<CompactString>,
pub include_status: HashSet<CompactString>, // 読み込み対象ルールのステータスのセット。*はすべてのステータスを読み込む
pub field_data_map: Option<FieldDataMap>,
pub field_data_extraction: bool,
pub enable_recover_records: bool,
pub timeline_offset: Option<String>,
}
Expand Down Expand Up @@ -496,6 +497,13 @@ impl StoredStatic {
.unwrap(),
))
};

let field_data_extraction_flag = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt.output_options.field_data_extraction,
Some(Action::JsonTimeline(opt)) => opt.output_options.field_data_extraction,
_ => false,
};

let enable_recover_records = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt.output_options.input_args.recover_records,
Some(Action::JsonTimeline(opt)) => opt.output_options.input_args.recover_records,
Expand Down Expand Up @@ -629,6 +637,7 @@ impl StoredStatic {
include_eid,
exclude_eid,
field_data_map,
field_data_extraction: field_data_extraction_flag,
enable_recover_records,
timeline_offset,
include_status: HashSet::new(),
Expand Down Expand Up @@ -1476,6 +1485,10 @@ pub struct OutputOption {
#[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
pub clobber: bool,

/// Enable PowerShell Classic Data field extraction (default: disabled)
#[arg(help_heading = Some("Output"), long = "field-data-extraction", display_order = 390)]
pub field_data_extraction: bool,

/// Disable field data mapping
#[arg(help_heading = Some("Output"), short = 'F', long = "no-field-data-mapping", display_order = 400)]
pub no_field: bool,
Expand Down Expand Up @@ -2160,6 +2173,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: option.include_eid.clone(),
exclude_eid: option.exclude_eid.clone(),
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: option.no_wizard,
Expand Down Expand Up @@ -2198,6 +2212,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2236,6 +2251,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2283,6 +2299,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2330,6 +2347,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2383,6 +2401,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2436,6 +2455,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2685,6 +2705,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2757,6 +2778,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
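Review bot: The new `pub field_data_extraction: bool` on `StoredStatic` (first hunk of this file) carries no comment, while the neighbouring `include_status` field explains what it holds; suggest `/// Set from --field-data-extraction on the csv-timeline / json-timeline actions; every other action leaves this false.` The `field_data_extraction_flag` match in the `impl StoredStatic` hunk mirrors the `enable_recover_records` match directly below it, including a second `input_config.as_ref().unwrap()`, so the two could be folded into one match yielding a `(bool, bool)` tuple, or at least the `_ => false` arm deserves a short comment saying it covers all non-timeline actions. In `extract_output_options` every branch in view hardcodes `field_data_extraction: false` next to `no_field: false`, which looks intentional but means no action other than the two timeline ones can ever enable the extraction — worth stating once at the struct field so a future action does not silently inherit the off switch. The enclosing method in `impl StoredStatic` and `extract_output_options` both start and end outside the hunks shown.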
13 changes: 9 additions & 4 deletions src/detections/detection.rs
Expand Up @@ -1246,6 +1246,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1507,6 +1508,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1559,7 +1561,7 @@ mod tests {
let keys = detections::rule::get_detection_keys(&dummy_rule);

let input_evtxrecord =
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false);
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false, &false);
Detection::insert_message(&dummy_rule, &input_evtxrecord, &stored_static);
let multi = message::MESSAGES.get(&expect_time).unwrap();
let (_, detect_infos) = multi.pair();
Expand Down Expand Up @@ -1642,6 +1644,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1694,7 +1697,7 @@ mod tests {
let keys = detections::rule::get_detection_keys(&dummy_rule);

let input_evtxrecord =
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false);
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false, &false);
Detection::insert_message(&dummy_rule, &input_evtxrecord, &stored_static);
let multi = message::MESSAGES.get(&expect_time).unwrap();
let (_, detect_infos) = multi.pair();
Expand Down Expand Up @@ -1773,6 +1776,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1842,7 +1846,7 @@ mod tests {

let keys = detections::rule::get_detection_keys(&rule_node);
let input_evtxrecord =
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false);
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false, &false);
Detection::insert_message(&rule_node, &input_evtxrecord, &stored_static.clone());
let multi = message::MESSAGES.get(&expect_time).unwrap();
let (_, detect_infos) = multi.pair();
Expand Down Expand Up @@ -1917,6 +1921,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1987,7 +1992,7 @@ mod tests {

let keys = detections::rule::get_detection_keys(&rule_node);
let input_evtxrecord =
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false);
utils::create_rec_info(event, test_filepath.to_owned(), &keys, &false, &false);
Detection::insert_message(&rule_node, &input_evtxrecord, &stored_static.clone());
let multi = message::MESSAGES.get(&expect_time).unwrap();
let (_, detect_infos) = multi.pair();
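Review bot: Each updated `create_rec_info` call in this section now reads `&keys, &false, &false`, so two adjacent positional `&bool` arguments carry meanings a reader cannot recover at the call site; binding them first, e.g. `let field_data_extraction = false;` and passing by name, or taking the flags by value (`bool` is `Copy`, so `&bool` adds nothing) would keep the tests readable as the signature grows. In the file sections shown, the new flag is `false` in every `StoredStatic` fixture and every `create_rec_info` call, so none of these tests exercise the extraction path; the commit touches 17 files, so presumably a test elsewhere covers it, but if not, one of the `insert_message` tests here could run with `field_data_extraction: true` against a PowerShell classic record. The enclosing test functions start outside the hunks.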