update

2025-12-07 17:52:49 +01:00 · 2025-03-13 23:10:36 +09:00
parent 43ca0c5795
commit 749b52d3f1
1 changed files with 48 additions and 28 deletions
--- a/wela-extractor/src/main.rs
+++ b/wela-extractor/src/main.rs
@@ -58,38 +58,58 @@ fn extract_event_ids(yaml: &Yaml, event_ids: &mut HashSet<String>) {
    }
 }
-fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> {
+fn contains_channel_security(yaml: &Yaml) -> bool {
-    if let Some(logsource) = doc["logsource"].as_hash() {
+    match yaml {
-        if let Some(service) = logsource.get(&Yaml::from_str("service")) {
+        Yaml::Hash(hash) => {
-            let uuid = doc["id"].as_str().unwrap_or("");
+            for (key, value) in hash {
-            let title = doc["title"].as_str().unwrap_or("");
+                if key.as_str() == Some("Channel") && value.as_str() == Some("Security") {
-            let desc = doc["description"].as_str().unwrap_or("");
+                    return true;
            let level = doc["level"].as_str().unwrap_or("");
            let mut event_ids = HashSet::new();
            let mut subcategories = HashSet::new();
            if service.as_str() == Some("security") {
                extract_event_ids(&doc, &mut event_ids);
                for event_id in &event_ids {
                    for (eid, subcategory) in eid_subcategory_pair {
                        if eid == event_id {
                            subcategories.insert(subcategory.clone());
                        }
                    }
                }
-                let event_ids: Vec<String> = event_ids.into_iter().collect();
+                if contains_channel_security(value) {
-                let subcategories: Vec<String> = subcategories.into_iter().collect();
+                    return true;
-                return Some(json!({
+                }
-                    "id": uuid,
+            }
-                    "title": title,
+        }
-                    "description": desc,
+        Yaml::Array(array) => {
-                    "level": level,
+            for item in array {
-                    "event_ids": event_ids,
+                if contains_channel_security(item) {
-                    "subcategory_guids": subcategories
+                    return true;
-                }));
+                }
            }
        }
        _ => {}
    }
    false
 }
 fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> {
    if !contains_channel_security(&doc["detection"]) {
        return None;
    }
    let uuid = doc["id"].as_str().unwrap_or("");
    let title = doc["title"].as_str().unwrap_or("");
    let desc = doc["description"].as_str().unwrap_or("");
    let level = doc["level"].as_str().unwrap_or("");
    let mut event_ids = HashSet::new();
    let mut subcategories = HashSet::new();
    extract_event_ids(&doc, &mut event_ids);
    for event_id in &event_ids {
        for (eid, subcategory) in eid_subcategory_pair {
            if eid == event_id {
                subcategories.insert(subcategory.clone());
            }
        }
    }
-    None
+    let event_ids: Vec<String> = event_ids.into_iter().collect();
    let subcategories: Vec<String> = subcategories.into_iter().collect();
    Some(json!({
        "id": uuid,
        "title": title,
        "description": desc,
        "level": level,
        "event_ids": event_ids,
        "subcategory_guids": subcategories
    }))
 }
 fn load_event_id_guid_pairs(file_path: &str) -> Result<Vec<(String, String)>, Box<dyn Error>> {