update

2025-12-07 17:52:49 +01:00 · 2025-03-13 23:10:36 +09:00
parent 43ca0c5795
commit 749b52d3f1
1 changed files with 48 additions and 28 deletions
--- a/wela-extractor/src/main.rs
+++ b/wela-extractor/src/main.rs
@@ -58,16 +58,40 @@ fn extract_event_ids(yaml: &Yaml, event_ids: &mut HashSet<String>) {
    }
 }

+fn contains_channel_security(yaml: &Yaml) -> bool {
+    match yaml {
+        Yaml::Hash(hash) => {
+            for (key, value) in hash {
+                if key.as_str() == Some("Channel") && value.as_str() == Some("Security") {
+                    return true;
+                }
+                if contains_channel_security(value) {
+                    return true;
+                }
+            }
+        }
+        Yaml::Array(array) => {
+            for item in array {
+                if contains_channel_security(item) {
+                    return true;
+                }
+            }
+        }
+        _ => {}
+    }
+    false
+}
+
 fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> {
-    if let Some(logsource) = doc["logsource"].as_hash() {
-        if let Some(service) = logsource.get(&Yaml::from_str("service")) {
+    if !contains_channel_security(&doc["detection"]) {
+        return None;
+    }
    let uuid = doc["id"].as_str().unwrap_or("");
    let title = doc["title"].as_str().unwrap_or("");
    let desc = doc["description"].as_str().unwrap_or("");
    let level = doc["level"].as_str().unwrap_or("");
    let mut event_ids = HashSet::new();
    let mut subcategories = HashSet::new();
-            if service.as_str() == Some("security") {
    extract_event_ids(&doc, &mut event_ids);
    for event_id in &event_ids {
        for (eid, subcategory) in eid_subcategory_pair {
@@ -78,18 +102,14 @@ fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option
    }
    let event_ids: Vec<String> = event_ids.into_iter().collect();
    let subcategories: Vec<String> = subcategories.into_iter().collect();
-                return Some(json!({
+    Some(json!({
        "id": uuid,
        "title": title,
        "description": desc,
        "level": level,
        "event_ids": event_ids,
        "subcategory_guids": subcategories
-                }));
-            }
-        }
-    }
-    None
+    }))
 }

 fn load_event_id_guid_pairs(file_path: &str) -> Result<Vec<(String, String)>, Box<dyn Error>> {