chg: enable pwsh field extraction by default
fukusuket committed Nov 24, 2023
1 parent 24697f5 commit 994e320
Showing 13 changed files with 60 additions and 60 deletions.
26 changes: 13 additions & 13 deletions src/afterfact.rs
Expand Up @@ -1945,7 +1945,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2035,7 +2035,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2275,7 +2275,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2367,7 +2367,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2593,7 +2593,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2683,7 +2683,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2920,7 +2920,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3010,7 +3010,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3332,7 +3332,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3501,7 +3501,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3590,7 +3590,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3768,7 +3768,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -3857,7 +3857,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
30 changes: 15 additions & 15 deletions src/detections/configs.rs
Expand Up @@ -499,8 +499,8 @@ impl StoredStatic {
};

let field_data_extraction_flag = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt.output_options.field_data_extraction,
Some(Action::JsonTimeline(opt)) => opt.output_options.field_data_extraction,
Some(Action::CsvTimeline(opt)) => opt.output_options.no_pwsh_field_extraction,
Some(Action::JsonTimeline(opt)) => opt.output_options.no_pwsh_field_extraction,
_ => false,
};

Expand Down Expand Up @@ -1485,14 +1485,14 @@ pub struct OutputOption {
#[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
pub clobber: bool,

/// Enable PowerShell Classic Data field extraction (default: disabled)
#[arg(help_heading = Some("Output"), long = "field-data-extraction", display_order = 390)]
pub field_data_extraction: bool,

/// Disable field data mapping
#[arg(help_heading = Some("Output"), short = 'F', long = "no-field-data-mapping", display_order = 400)]
pub no_field: bool,

/// Disable PowerShell Classic Data field extraction
#[arg(help_heading = Some("Output"), long = "no-pwsh-field-extraction", display_order = 410)]
pub no_pwsh_field_extraction: bool,


/// Duplicate field data will be replaced with "DUP"
#[arg(
help_heading = Some("Output"),
Expand Down Expand Up @@ -2173,7 +2173,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: option.include_eid.clone(),
exclude_eid: option.exclude_eid.clone(),
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: option.no_wizard,
Expand Down Expand Up @@ -2212,7 +2212,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2251,7 +2251,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2299,7 +2299,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2347,7 +2347,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2401,7 +2401,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,

remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2455,7 +2455,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2705,7 +2705,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -2778,7 +2778,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
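Review bot: The doc comment on the new `no_pwsh_field_extraction` field in the `OutputOption` hunk drops the default that the replaced `field_data_extraction` comment carried, so `--help` no longer tells the user that PowerShell Classic field extraction now runs on every invocation unless opted out; suggest `/// Disable PowerShell Classic Data field extraction (default: enabled)`. In the `StoredStatic` hunk at the top of this file, the local `field_data_extraction_flag` now holds the value of `no_pwsh_field_extraction`, so its name states the opposite of its contents, and the `_ => false` arm now means extraction is enabled for the other actions; renaming it `no_pwsh_field_extraction_flag` (or negating the match arms) keeps the polarity visible. Any consumer of that local outside the hunk that still reads it as "extraction enabled" would be inverted, which is worth checking since the rest of `StoredStatic::new` is not in view. The rename is repeated in the `extract_output_options` and `mod tests` hunks below, where it is only fixture data.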
10 changes: 5 additions & 5 deletions src/detections/detection.rs
Expand Up @@ -1246,7 +1246,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1508,7 +1508,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1644,7 +1644,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1776,7 +1776,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
Expand Down Expand Up @@ -1921,7 +1921,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
2 changes: 1 addition & 1 deletion src/detections/rule/condition_parser.rs
Expand Up @@ -606,7 +606,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
2 changes: 1 addition & 1 deletion src/detections/rule/count.rs
Expand Up @@ -630,7 +630,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
2 changes: 1 addition & 1 deletion src/detections/rule/matchers.rs
Expand Up @@ -865,7 +865,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
2 changes: 1 addition & 1 deletion src/detections/rule/mod.rs
Expand Up @@ -450,7 +450,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
2 changes: 1 addition & 1 deletion src/detections/rule/selectionnodes.rs
Expand Up @@ -573,7 +573,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
8 changes: 4 additions & 4 deletions src/detections/utils.rs
Expand Up @@ -304,7 +304,7 @@ pub fn create_rec_info(
path: String,
keys: &Nested<String>,
recovered_record: &bool,
enable_field_extraction: &bool,
no_pwsh_field_extraction: &bool,
) -> EvtxRecordInfo {
// 高速化のための処理

Expand All @@ -330,7 +330,7 @@ pub fn create_rec_info(
continue;
}

if *enable_field_extraction {
if !*no_pwsh_field_extraction {
if key == "EventID" {
event_id = val.clone();
}
Expand All @@ -340,7 +340,7 @@ pub fn create_rec_info(
}

key_2_values.insert(key.to_string(), val.unwrap());
}
if *enable_field_extraction {
if !*no_pwsh_field_extraction {
extract_fields(channel, event_id, &mut data);
}

Expand Down Expand Up @@ -1071,7 +1071,7 @@ mod tests {
include_eid: None,
exclude_eid: None,
no_field: false,
field_data_extraction: false,
no_pwsh_field_extraction: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
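Review bot: `if !*no_pwsh_field_extraction` is now evaluated twice in `create_rec_info` — once inside the per-key loop and once before the `extract_fields` call — as a negated dereference of a `&bool`, which reads as a double negative at each site. Binding it once after the signature, `let extract_pwsh_fields = !*no_pwsh_field_extraction;`, and testing `if extract_pwsh_fields` in both places keeps the polarity in one spot and avoids re-deriving it per key. The function's body runs past both hunks, so the binding site and any further uses are outside what is visible here. The parameter is still passed as `&bool`; since `bool` is `Copy`, taking it by value would be the idiomatic signature, though that is pre-existing and a separate change.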