output fix logontype and change order #197 #198 (#217)

* changed output column order #198 * added eventkey alias #197 * fixed eventid double quatation #197 * fixed eventid double quatation #197 * fixed logontype not converted #197 * fixed WorkStation and added TargetDomainName #205 * fixed typo #205 * Fixed the problem that conversion for No-String types #197
2021-11-20 11:03:28 +09:00
parent 199a8231c1
commit 0b85a280f0
5 changed files with 28 additions and 14 deletions
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -26,7 +26,7 @@ TicketEncryptionType,Event.EventData.TicketEncryptionType
 PreAuthType,Event.EventData.PreAuthType
 TaskName,Event.EventData.TaskName
 WorkStationName,Event.EventData.WorkStationName
-Workstation,Event.EventData.WorkStation
+Workstation,Event.EventData.WorkstationName
 UserName,Event.EventData.UserName
 ServiceFileName,Event.EventData.ServiceFileName
 ComputerName,Event.System.Computer
@@ -170,3 +170,6 @@ Workstation,Event.EventData.Workstation
 WorkstationName,Event.EventData.WorkstationName
 JobTitle,Event.EventData.name
 Url,Event.EventData.url
+IpPort,Event.EventData.IpPort
+SubStatus,Event.EventData.SubStatus
+TargetDomainName,Event.EventData.TargetDomainName
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -12,13 +12,13 @@ use std::process;
 #[serde(rename_all = "PascalCase")]
 pub struct CsvFormat<'a> {
    time: &'a str,
-    filepath: &'a str,
-    rulepath: &'a str,
-    level: &'a str,
    computername: &'a str,
    eventid: &'a str,
+    level: &'a str,
    alert: &'a str,
    details: &'a str,
+    rulepath: &'a str,
+    filepath: &'a str,
 }

 pub fn after_fact() {
@@ -152,25 +152,25 @@ fn test_emit_csv() {
        .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ")
        .unwrap();
    let expect_tz = expect_time.with_timezone(&Local);
-    let expect = "Time,Filepath,Rulepath,Level,Computername,Eventid,Alert,Details\n".to_string()
+    let expect = "Time,Computername,Eventid,Level,Alert,Details,Rulepath,Filepath\n".to_string()
        + &expect_tz
            .clone()
            .format("%Y-%m-%d %H:%M:%S%.3f %:z")
            .to_string()
        + ","
-        + &testfilepath.replace(".evtx", "").to_string()
-        + ","
-        + testrulepath
-        + ","
-        + test_level
-        + ","
        + test_computername
        + ","
        + test_eventid
        + ","
+        + test_level
+        + ","
        + test_title
        + ","
        + output
+        + ","
+        + testrulepath
+        + ","
+        + &testfilepath.replace(".evtx", "").to_string()
        + "\n";

    let mut file: Box<dyn io::Write> =
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -8,6 +8,7 @@ use crate::detections::print::AlertMessage;
 use crate::detections::print::MESSAGES;
 use crate::detections::rule;
 use crate::detections::rule::RuleNode;
+use crate::detections::utils::get_serde_number_to_string;
 use crate::yaml::ParseYaml;

 use std::sync::Arc;
@@ -156,11 +157,11 @@ impl Detection {
            record_info.evtx_filepath.to_string(),
            rule.rulepath.to_string(),
            &record_info.record,
-            rule.yaml["level"].as_str().unwrap_or("").to_string(),
+            rule.yaml["level"].as_str().unwrap_or("-").to_string(),
            record_info.record["Event"]["System"]["Computer"]
                .to_string()
                .replace("\"", ""),
-            record_info.record["Event"]["System"]["EventID"].to_string(),
+            get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]),
            rule.yaml["title"].as_str().unwrap_or("").to_string(),
            rule.yaml["output"].as_str().unwrap_or("").to_string(),
        );
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -1,5 +1,6 @@
 extern crate lazy_static;
 use crate::detections::configs;
+use crate::detections::utils::get_serde_number_to_string;
 use chrono::{DateTime, TimeZone, Utc};
 use lazy_static::lazy_static;
 use regex::Regex;
@@ -125,7 +126,7 @@ impl Message {
                }
                hash_map.insert(
                    full_target_str.to_string(),
-                    tmp_event_record.as_str().unwrap_or("").to_string(),
+                    get_serde_number_to_string(tmp_event_record),
                );
            }
        }
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -89,6 +89,15 @@ pub fn get_event_id_key() -> String {
    return "Event.System.EventID".to_string();
 }

+/// serde:Valueの型を確認し、文字列を返します。
+pub fn get_serde_number_to_string(value: &serde_json::Value) -> String {
+    if value.is_string() {
+        return value.as_str().unwrap_or("").to_string();
+    } else {
+        return value.to_string();
+    }
+}
+
 // alias.txtについて、指定されたevent_keyに対応するaliasを取得します。
 pub fn get_alias(event_key: &String) -> Option<String> {
    let conf = configs::CONFIG.read().unwrap();