From e0a90a580e38760937dc8e7ecac7488af2de4d86 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 10 Jul 2024 20:33:12 +0900
Subject: [PATCH] chg: output evtx_file_path when agg/correlation rule

---
 src/detections/detection.rs  | 14 ++++++++++----
 src/detections/rule/count.rs | 18 +++++++++++-------
 src/detections/rule/mod.rs   |  2 +-
 3 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 90ced8ca4..81274885e 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -858,7 +858,15 @@ impl Detection {
                     profile_converter.insert(key.as_str(), RuleFile(rule_path.into()));
                 }
                 EvtxFile(_) => {
-                    profile_converter.insert(key.as_str(), EvtxFile("-".into()));
+                    profile_converter.insert(
+                        key.as_str(),
+                        EvtxFile(
+                            Detection::join_agg_values(&agg_result.agg_record_time_info, |x| {
+                                x.evtx_file_path.clone()
+                            })
+                            .into(),
+                        ),
+                    );
                 }
                 MitreTactics(_) => {
                     let tactics = tag_info
@@ -1021,11 +1029,9 @@ impl Detection {
             .map(&extractor)
             .collect::>() // Convert to HashSet to remove duplicates
             .into_iter()
-            .collect::>() // Convert back to Vec to sort
-            .iter()
             .sorted()
             .join(" ¦ ")
-            .into() // Convert to CompactString
+            .into()
     }
     /// rule内のtagsの内容を配列として返却する関数
     fn get_tag_info(rule: &RuleNode) -> Nested {
diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs
index 2da437d28..c7278c85f 100644
--- a/src/detections/rule/count.rs
+++ b/src/detections/rule/count.rs
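Review bot: The `EvtxFile(_)` arm in the hunk at line 858 now emits a joined list of paths where a single "-" placeholder used to be, and nothing in the arm says so; a reader of the output profile has no hint that one cell can name several files. I would put a comment above the new `profile_converter.insert(` call: `// Aggregation/correlation alerts span many records: list every distinct evtx file that contributed, sorted and joined with " ¦ " (see join_agg_values).` The extractor `x.evtx_file_path.clone()` also allocates one String per counted record before the HashSet in `join_agg_values` deduplicates them; if that helper can accept a borrowing extractor, `x.evtx_file_path.as_str()` would avoid the copies, but its signature is outside this hunk so I cannot confirm. The enclosing method of `impl Detection` starts and ends outside the hunk.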
@@ -1,9 +1,11 @@
 use crate::detections::configs::EventKeyAliasConfig;
 use crate::detections::configs::StoredStatic;
 use crate::detections::configs::STORED_EKEY_ALIAS;
+use crate::detections::detection::EvtxRecordInfo;
 use crate::detections::message;
 use crate::detections::message::AlertMessage;
 use crate::detections::message::ERROR_LOG_STACK;
+use crate::detections::rule::aggregation_parser::AggregationConditionToken;
 use crate::detections::rule::AggResult;
 use crate::detections::rule::RuleNode;
 use chrono::{DateTime, TimeZone, Utc};
@@ -12,21 +14,19 @@ use serde_json::Value;
 use std::num::ParseIntError;
 use std::path::Path;
 
-use crate::detections::rule::aggregation_parser::AggregationConditionToken;
-
 use crate::detections::utils;
 
 /// 検知された際にカウント情報を投入する関数
 pub fn count(
     rule: &mut RuleNode,
-    record: &Value,
+    evtx_rec: &EvtxRecordInfo,
     verbose_flag: bool,
     quiet_errors_flag: bool,
     json_input_flag: bool,
 ) {
     let key: String = create_count_key(
         rule,
-        record,
+        &evtx_rec.record,
         verbose_flag,
         quiet_errors_flag,
         STORED_EKEY_ALIAS.read().unwrap().as_ref().unwrap(),
@@ -43,14 +43,14 @@ pub fn count(
     let field_value = get_alias_value_in_record(
         rule,
         field_name,
-        record,
+        &evtx_rec.record,
         false,
         verbose_flag,
         quiet_errors_flag,
         STORED_EKEY_ALIAS.read().unwrap().as_ref().unwrap(),
     )
     .unwrap_or_default();
-    countup(rule, key, field_value, record, json_input_flag);
+    countup(rule, key, field_value, evtx_rec, json_input_flag);
 }
 
 ///count byの条件に合致する検知済みレコードの数を増やすための関数
@@ -58,9 +58,10 @@ pub fn countup(
     rule: &mut RuleNode,
     key: String,
     field_value: String,
-    record: &Value,
+    evtx_rec: &EvtxRecordInfo,
     json_input_flag: bool,
 ) {
+    let record = &evtx_rec.record;
     let default_time = Utc.with_ymd_and_hms(1977, 1, 1, 0, 0, 0).unwrap();
     let time = message::get_event_time(record, json_input_flag).unwrap_or(default_time);
     let event_id = utils::get_event_value(
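Review bot: `countup` is `pub` and the hunk at line 58 changes its fourth parameter from `&Value` to `&EvtxRecordInfo`, so every caller other than `count` — unit tests in this file or other modules — has to be updated too; this patch only adjusts the call inside `count`, so a full build (including `cargo test`) should confirm nothing else still passes a bare `&Value`. The existing doc comments on `count` and `countup` predate the change and do not explain why the whole record wrapper is now required; I would add a line such as `/// Takes the whole EvtxRecordInfo (not just the JSON body) so the source evtx path can be stored with each count entry.` to both. Rebinding `let record = &evtx_rec.record;` keeps the remainder of `countup` untouched, which is a reasonable way to limit the diff; `countup`'s body continues outside the hunk.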
@@ -84,6 +85,7 @@ pub fn countup(
     )
     .unwrap();
     let channel = channel.to_string().trim_matches('\"').to_string();
+    let evtx_file_path = evtx_rec.evtx_filepath.to_string();
     let value_map = rule.countdata.entry(key).or_default();
     value_map.push(AggRecordTimeInfo {
         field_value,
@@ -91,6 +93,7 @@ pub fn countup(
         event_id,
         computer,
         channel,
+        evtx_file_path,
     });
 }
 
@@ -217,6 +220,7 @@ pub struct AggRecordTimeInfo {
     pub event_id: String,
     pub computer: String,
     pub channel: String,
+    pub evtx_file_path: String,
 }
 
 #[derive(Debug)]
diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs
index 17482f8b7..f8cfea3ff 100644
--- a/src/detections/rule/mod.rs
+++ b/src/detections/rule/mod.rs
@@ -94,7 +94,7 @@ impl RuleNode {
         if result && self.has_agg_condition() {
             count::count(
                 self,
-                &event_record.record,
+                event_record,
                 verbose_flag,
                 quiet_errors_flag,
                 json_input_flag,
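Review bot: Every `AggRecordTimeInfo` pushed into `rule.countdata` now carries its own owned copy of the full evtx path (`let evtx_file_path = evtx_rec.evtx_filepath.to_string();` in the hunk at line 84), and these entries accumulate once per record matching a count rule, so a large evtx set stores the same path string thousands of times for the lifetime of the rule. Since the value is only ever deduplicated per file in `Detection::join_agg_values`, an `Arc<str>` shared by all records from one file (or an index into a file table) would keep the per-record cost to a pointer; if `evtx_filepath` on `EvtxRecordInfo` is already a shared or compact string, cloning it directly is cheaper than `to_string()`, but its type is outside the hunk. If `AggRecordTimeInfo` derives `PartialEq`/`Hash` (its attribute line at 217 is outside the hunk), the new field now takes part in equality, which would change any comparison or dedup that relied on the previous five fields — worth checking. The new field is spelled `evtx_file_path` while the source field is `evtx_filepath`; one spelling would avoid confusion. `countup`'s body and the struct's other fields lie outside these hunks.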