Merge pull request #1196 from Yamato-Security/add-include-and-exclude…

…-tag-in-pivot-keywords-list#1195

Add `--include-tag` and `--exclude-tag` options in `pivot-keywords-list` command

CHANGELOG-Japanese.md

@@ -5,6 +5,8 @@
 **改善:**
 
 - 初心者のユーザのために有効にしたいルールを選択するようにスキャンウィザードを追加した。`-w, --no-wizard`オプションを追加すると、従来の形式でHayabusaを実行できる。(すべてのイベントとアラートをスキャンし、オプションを手動でカスタマイズする） (#1188) (@hitenkoku)
+- `pivot-keywords-list`コマンドに`--include-tag`オプションを追加し、指定した`tags`フィールドを持つルールのみをロードするようにした。(#1195) (@hitenkoku)
+- `pivot-keywords-list`コマンドに`--exclude-tag`オプションを追加し、指定した`tags`フィールドを持つルールをロードしないようにした。(#1195) (@hitenkoku)
 
 **バグ修正:**
 

CHANGELOG.md

@@ -5,6 +5,8 @@
 **Enhancements:**
 
 - Added a scan wizard to help new users choose which rules they want to enable. Add the `-w, --no-wizard` option to run Hayabusa in the traditional way. (Scan for all events and alerts, and customize options manually.) (#1188) (@hitenkoku)
+- Added the `--include-tag` option to the `pivot-keywords-list` command to only load rules with the specified `tags` field. (#1195) (@hitenkoku)
+- Added the `--exclude-tag` option to the `pivot-keywords-list` command to exclude rules with specific `tags` from being loaded. (#1195) (@hitenkoku)
 
 **Bug Fixes:**
 

src/detections/configs.rs

@@ -1196,6 +1196,14 @@ pub struct PivotKeywordOption {
     #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
     pub exclude_status: Option<Vec<String>>,
 
+    /// Only load rules with specific tags (ex: attack.execution,attack.discovery)
+    #[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
+    pub include_tag: Option<Vec<String>>,
+
+    /// Do not load rules with specific tags (ex: sysmon)
+    #[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
+    pub exclude_tag: Option<Vec<String>>,
+
     /// Minimum level for rules to load (default: informational)
     #[arg(
         help_heading = Some("Filtering"),
@@ -2145,16 +2153,16 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_unsupported_rules: option.enable_unsupported_rules,
             clobber: option.clobber,
             proven_rules: false,
-            include_tag: None,
-            exclude_tag: None,
+            include_tag: option.include_tag.clone(),
+            exclude_tag: option.exclude_tag.clone(),
             include_category: None,
             exclude_category: None,
             include_eid: option.include_eid.clone(),
             exclude_eid: option.exclude_eid.clone(),
             no_field: false,
             remove_duplicate_data: false,
             remove_duplicate_detections: false,
-            no_wizard: true,
+            no_wizard: option.no_wizard,
         }),
         Action::EidMetrics(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -2939,6 +2947,8 @@ mod tests {
                 include_eid: None,
                 exclude_eid: None,
                 no_wizard: true,
+                include_tag: None,
+                exclude_tag: None,
             })),
             debug: false,
         }));

src/main.rs

@@ -1073,10 +1073,12 @@ impl App {
                         Some(exclude_tags.to_owned());
                 }
             }
-            println!();
-            println!("Loading detection rules. Please wait.");
-            println!();
+        } else {
+            stored_static.include_status.insert("*".into());
         }
+        println!();
+        println!("Loading detection rules. Please wait.");
+        println!();
 
         if stored_static.html_report_flag {
             let mut output_data = Nested::<String>::new();