diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 862ff9a14..0ca343bfa 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -716,8 +716,9 @@ impl Detection {
 FieldDataMapKey::default()
 } else {
 FieldDataMapKey {
- channel: CompactString::from(ch_str.clone().to_lowercase()),
+ channel: CompactString::from(ch_str.to_lowercase()),
 event_id: eid.clone(),
+ provider: CompactString::from(provider.to_lowercase()),
 }
 };
 let detect_info = DetectInfo {
diff --git a/src/detections/field_data_map.rs b/src/detections/field_data_map.rs
index 855a53ed1..65cd50f08 100644
--- a/src/detections/field_data_map.rs
+++ b/src/detections/field_data_map.rs
@@ -17,10 +17,11 @@ pub enum FieldDataConverter {
 ReplaceStr((AhoCorasick, Vec)),
 }
 
-#[derive(Debug, Eq, Hash, PartialEq, Default, Clone)]
+#[derive(Debug, Default, Clone, PartialEq, Eq, Hash)]
 pub struct FieldDataMapKey {
 pub channel: CompactString,
 pub event_id: CompactString,
+ pub provider: CompactString,
 }
 
 impl FieldDataMapKey {
@@ -38,6 +39,12 @@ impl FieldDataMapKey {
 .unwrap_or_default()
 .to_string(),
 ),
+ provider: CompactString::from(
+ yaml_data["Provider_Name"]
+ .as_str()
+ .unwrap_or_default()
+ .to_lowercase(),
+ ),
 }
 }
 }
@@ -189,6 +196,7 @@ mod tests {
 let key = FieldDataMapKey {
 channel: CompactString::from("Security".to_lowercase()),
 event_id: CompactString::from("4625".to_string()),
+ provider: CompactString::from(""),
 };
 map.insert(key.clone(), HashMap::new());
 let r = convert_field_data(&map, &key, "", "");
diff --git a/src/detections/message.rs b/src/detections/message.rs
index 646b87eb6..d30fb3ee8 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -314,6 +314,7 @@ pub fn parse_message(
 .unwrap_or(tmp_event_record)
 .get((suffix - 1) as usize)
 .unwrap_or(tmp_event_record);
+ field = target_str;
 }
 let hash_value = get_serde_number_to_string(tmp_event_record, false);
 if hash_value.is_some() {
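Review bot: Adding `provider` to the lookup key changes what an existing field-data mapping matches: a mapping file with no `Provider_Name` now yields, via `FieldDataMapKey::from_yaml` in the field_data_map.rs hunk, a key whose provider is empty, and that key only matches events whose `provider` is also empty, whereas before this commit channel plus event_id alone was enough. If older mapping files are meant to keep working, either fall back to a second lookup with `provider: CompactString::from("")` when the full key misses, or state the new requirement where the mapping-file format is documented. The lowercasing of `provider` here does agree with the lowercasing in `from_yaml`, so case is not the problem. The enclosing function starts outside the hunk, so where `provider` is read from the record is not visible.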
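Review bot: The new `provider` field has no doc comment, and how it is normalized is only discoverable by reading `from_yaml` further down; add `/// Provider name lowercased for matching; empty when the mapping file has no Provider_Name.` above `pub provider: CompactString,`, and a matching line on `channel`, which the test in this file also builds lowercased. The derive reorder on the line above is cosmetic and fine as is.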
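Review bot: `yaml_data["Provider_Name"].as_str().unwrap_or_default()` folds three different inputs into the same empty key — key absent, key present but not a string scalar (an unquoted number or a list), and an explicit empty string — so a malformed mapping file silently produces a key that matches nothing rather than failing at load time. If `from_yaml` can become fallible, return an error for the present-but-not-a-string case; otherwise add `/// A missing or non-string Provider_Name is treated as an empty provider.` on `from_yaml` so the behavior is at least stated. The preceding field in the context lines ends in `.to_string()` while this one ends in `.to_lowercase()`; if that field is `channel`, it is apparently lowercased elsewhere (the test builds it with `"Security".to_lowercase()`), which is worth a sentence in the same doc comment. `from_yaml` starts outside the hunk.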
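Review bot: The updated test only exercises the empty-provider key, so the new matching dimension is not covered: nothing checks that a key built with a non-empty `provider` is found, or that a lookup differing only in `provider` misses. Add a second `FieldDataMapKey` in this test with a constructed value such as `provider: CompactString::from("example-provider")`, insert it, and assert that `convert_field_data` on a key that differs only in `provider` returns the not-found result while the exact key is found. `mod tests` continues outside the hunk.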
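Review bot: `field = target_str;` silently replaces the field name the rest of `parse_message` works with, after the suffix lookup on the preceding lines, and nothing at the site says why; a reader meeting `field` later has to trace back here to learn it no longer holds the original name. Add `// from here on, field holds the name without the numeric suffix (see target_str above)` — hedged, since `target_str` and `suffix` are computed outside the hunk, presumably by splitting the name and an index. The context line `(suffix - 1) as usize` also underflows for a suffix of 0 (panic in debug or wrap-around, with `.get` then returning `None`), so if a zero suffix is representable it should be rejected where `suffix` is parsed. `parse_message` starts and ends outside the hunk.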