Changed channel abbreviation timing when messge is inserted

2022-07-24 19:35:29 +09:00
parent b7264082e8
commit 00293d9753
3 changed files with 36 additions and 27 deletions
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -185,20 +185,13 @@ fn emit_csv<W: std::io::Write>(
        HashMap::new();

    let levels = Vec::from([
-        "critical",
+        "crit",
        "high",
-        "medium",
+        "med ",
        "low ",
-        "informational",
+        "info",
        "undefined",
    ]);
-    let level_abbr: HashMap<String, String> = HashMap::from([
-        (String::from("cruitical"), String::from("crit")),
-        (String::from("high"), String::from("high")),
-        (String::from("medium"), String::from("med ")),
-        (String::from("low"), String::from("low ")),
-        (String::from("informational"), String::from("info")),
-    ]);
    // レベル別、日ごとの集計用変数の初期化
    for level_init in levels {
        detect_counts_by_date_and_level.insert(level_init.to_string(), HashMap::new());
@@ -484,7 +477,14 @@ fn _print_detection_summary_by_date(
    let mut wtr = buf_wtr.buffer();
    wtr.set_color(ColorSpec::new().set_fg(None)).ok();

-    let output_levels = Vec::from(["critical", "high", "medium", "low", "informational"]);
+    let output_levels = Vec::from(["crit", "high", "med ", "low ", "info"]);
+    let level_full_map = HashMap::from([
+        ("crit", "critical"),
+        ("high", "high"),
+        ("med ", "medium"),
+        ("low ", "low"),
+        ("info", "informational"),
+    ]);

    for level in output_levels {
        // output_levelsはlevelsからundefinedを除外した配列であり、各要素は必ず初期化されているのでSomeであることが保証されているのでunwrapをそのまま実施
@@ -499,7 +499,7 @@ fn _print_detection_summary_by_date(
                tmp_cnt = *cnt;
            }
        }
-        wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level)))
+        wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level_full_map.get(level).unwrap())))
            .ok();
        if date_str == String::default() {
            max_detect_str = "n/a".to_string();
@@ -507,7 +507,7 @@ fn _print_detection_summary_by_date(
        writeln!(
            wtr,
            "Date with most total {} detections: {}",
-            level, &max_detect_str
+            level_full_map.get(level).unwrap(), &max_detect_str
        )
        .ok();
    }
@@ -523,7 +523,14 @@ fn _print_detection_summary_by_computer(
    let mut wtr = buf_wtr.buffer();
    wtr.set_color(ColorSpec::new().set_fg(None)).ok();

-    let output_levels = Vec::from(["critical", "high", "medium", "low", "informational"]);
+    let output_levels = Vec::from(["crit", "high", "med ", "low ", "info"]);
+    let level_full_map = HashMap::from([
+        ("crit", "critical"),
+        ("high", "high"),
+        ("med ", "medium"),
+        ("low ", "low"),
+        ("info", "informational"),
+    ]);

    for level in output_levels {
        // output_levelsはlevelsからundefinedを除外した配列であり、各要素は必ず初期化されているのでSomeであることが保証されているのでunwrapをそのまま実施
@@ -546,26 +553,18 @@ fn _print_detection_summary_by_computer(
            result_vec.join(", ")
        };

-        wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level)))
+        wtr.set_color(ColorSpec::new().set_fg(_get_output_color(color_map, level_full_map.get(level).unwrap())))
            .ok();
        writeln!(
            wtr,
            "Top 5 computers with most unique {} detections: {}",
-            level, &result_str
+            level_full_map.get(level).unwrap(), &result_str
        )
        .ok();
    }
    buf_wtr.print(&wtr).ok();
 }

-fn format_time(time: &DateTime<Utc>, date_only: bool) -> String {
-    if configs::CONFIG.read().unwrap().args.utc {
-        format_rfc(time, date_only)
-    } else {
-        format_rfc(&time.with_timezone(&Local), date_only)
-    }
-}
-
 /// get timestamp to input datetime.
 fn _get_timestamp(time: &DateTime<Utc>) -> i64 {
    if configs::CONFIG.read().unwrap().args.utc {
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -31,6 +31,7 @@ use std::sync::Arc;
 use tokio::{runtime::Runtime, spawn, task::JoinHandle};

 use super::message;
+use super::message::LEVEL_ABBR;

 // イベントファイルの1レコード分の情報を保持する構造体
 #[derive(Clone, Debug)]
@@ -256,15 +257,16 @@ impl Detection {
            Some(str) => str.to_owned(),
            None => recinfo.as_ref().unwrap_or(&"-".to_string()).to_string(),
        };
-        let opt_record_info = if configs::CONFIG.read().unwrap().args.full_data {
+        let opt_record_info = if profile_all_alias.contains("%RecordInformation%") {
            recinfo
        } else {
            None
        };
+        let level= rule.yaml["level"].as_str().unwrap_or("-").to_string();
        let detect_info = DetectInfo {
            filepath: record_info.evtx_filepath.to_string(),
            rulepath: (&rule.rulepath).to_owned(),
-            level: rule.yaml["level"].as_str().unwrap_or("-").to_string(),
+            level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
            computername: record_info.record["Event"]["System"]["Computer"]
                .to_string()
                .replace('\"', ""),
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -83,6 +83,14 @@ lazy_static! {
            .as_path()
            .display()
    ));
+    pub static ref LEVEL_ABBR: HashMap<String, String> = HashMap::from([
+        (String::from("cruitical"), String::from("crit")),
+        (String::from("high"), String::from("high")),
+        (String::from("medium"), String::from("med ")),
+        (String::from("low"), String::from("low ")),
+        (String::from("informational"), String::from("info")),
+    ]);
+
 }

 /// ファイルパスで記載されたtagでのフル名、表示の際に置き換えられる文字列のHashMapを作成する関数。