From 11477f8e137920646907fba9073d47550bfeb449 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Thu, 29 Sep 2022 00:36:54 +0900 Subject: [PATCH] ADD chanel column to table output #707 - 1. [x] Unified output one table with -s and -d option - 2. [x] add channel column to table output - 3. [x] Remove First Timestamp and Last Timestamp with -d option - 4. [] Output csv with -o and -s option - 5. [x] Separete two column Count and Percent - 6. [x] change table format output crate from prettytable-rs to comfy_table. --- src/timeline/metrics.rs | 11 ++++++++--- src/timeline/timelines.rs | 20 +++++++++++--------- 2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs
index 6a376611..d88c2f8e 100644
--- a/src/timeline/metrics.rs
+++ b/src/timeline/metrics.rs
@@ -8,7 +8,7 @@ pub struct EventMetrics {
 pub filepath: String,
 pub start_time: String,
 pub end_time: String,
- pub stats_list: HashMap,
+ pub stats_list: HashMap<(String, String), usize>,
 pub stats_login_list: HashMap,
 }
 /**
@@ -20,7 +20,7 @@ impl EventMetrics {
 filepath: String,
 start_time: String,
 end_time: String,
- stats_list: HashMap,
+ stats_list: HashMap<(String, String), usize>,
 stats_login_list: HashMap,
 ) -> EventMetrics {
 EventMetrics {
@@ -87,8 +87,13 @@ impl EventMetrics {
 fn stats_eventid(&mut self, records: &[EvtxRecordInfo]) {
 // let mut evtstat_map = HashMap::new();
 for record in records.iter() {
+ let channel = if let Some(ch) = utils::get_event_value("Channel", &record.record) { ch.to_string() } else { "-".to_string() };
 if let Some(idnum) = utils::get_event_value("EventID", &record.record) {
- let count: &mut usize = self.stats_list.entry(idnum.to_string()).or_insert(0);
+ let count: &mut usize = self.stats_list.entry((idnum.to_string(), channel)).or_insert(0);
 *count += 1;
 };
diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs
index f09c22c2..bab366b7
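Review bot: The new `HashMap<(String, String), usize>` key is a bare tuple whose element order can only be learned from the insertion site in stats_eventid, so the field should state which half is which, e.g. `/// Occurrence count per (EventID, Channel) pair, both stored as strings taken from the record.` above `pub stats_list`. A small named key type or a type alias would turn that order into a compile-time fact instead of a convention, but the comment is the minimum. The struct definition opens before this hunk.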
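Review bot: The key stores whatever `ch.to_string()` yields, and the `channel.replace('\"', "")` this same commit adds in timelines.rs suggests that is the JSON-quoted form, so the map is keyed on quoted text and every consumer has to strip it again; normalising once here, `let channel = utils::get_event_value("Channel", &record.record).map(|ch| ch.to_string().trim_matches('\"').to_string()).unwrap_or_else(|| "-".to_string());`, keeps the keys clean for all of them. The value is also copied verbatim from the event record, which anyone able to write to the log controls, so a Channel carrying control or ANSI escape bytes would reach the table output unfiltered — worth dropping non-printable characters at this boundary if the table is rendered to a terminal. stats_eventid continues past the end of the hunk.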
--- a/src/timeline/timelines.rs
+++ b/src/timeline/timelines.rs
@@ -1,4 +1,4 @@
-use crate::detections::message::{LOGONSUMMARY_FLAG, METRICS_FLAG};
+use crate::detections::message::{LOGONSUMMARY_FLAG, METRICS_FLAG, CH_CONFIG};
 use crate::detections::{configs::CONFIG, detection::EvtxRecordInfo};
 use comfy_table::*;
 use comfy_table::modifiers::UTF8_ROUND_CORNERS;
@@ -55,7 +55,7 @@ impl Timeline {
 let mut stats_tb = Table::new();
 stats_tb.load_preset(UTF8_FULL).apply_modifier(UTF8_ROUND_CORNERS);
- stats_tb.set_header(vec!["Count", "Percent", "ID", "Event"]);
+ stats_tb.set_header(vec!["Count", "Percent", "Channel", "ID", "Event"]);
 // 集計件数でソート
@@ -92,10 +92,10 @@ impl Timeline {
 }
 // イベントID毎の出力メッセージ生成
- fn tm_stats_set_msg(&self, mapsorted: Vec<(&std::string::String, &usize)>) -> Vec> {
+ fn tm_stats_set_msg(&self, mapsorted: Vec<(&(std::string::String, std::string::String), &usize)>) -> Vec> {
 let mut msges: Vec> = Vec::new();
- for (event_id, event_cnt) in mapsorted.iter() {
+ for ((event_id, channel), event_cnt) in mapsorted.iter() {
 // 件数の割合を算出
 let rate: f32 = **event_cnt as f32 / self.stats.total as f32;
@@ -104,20 +104,23 @@ impl Timeline {
 .read()
 .unwrap()
 .event_timeline_config
- .get_event_id(*event_id)
+ .get_event_id(event_id)
 .is_some(); // event_id_info.txtに登録あるものは情報設定 // 出力メッセージ1行作成
+ let fmted_channel = channel.replace('\"', "");
+ let ch = CH_CONFIG.get(fmted_channel.to_lowercase().as_str()).unwrap_or(&fmted_channel).to_string();
 if conf {
 msges.push(vec! [event_cnt.to_string(),
 format!("{:.1}%", (rate * 1000.0).round() / 10.0),
+ ch,
 event_id.to_string(),
 CONFIG
 .read()
 .unwrap()
 .event_timeline_config
- .get_event_id(*event_id)
+ .get_event_id(event_id)
 .unwrap()
 .evttitle.to_string(),
 ]
@@ -127,7 +130,8 @@ impl Timeline {
 vec![
 event_cnt.to_string(),
 format!("{:.1}%", (rate * 1000.0).round() / 10.0),
- event_id.to_string(),
+ ch,
+ event_id.replace('\"', ""),
 "Unknown".to_string(),
 ]);
 }
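Review bot: The rewritten signature spells `std::string::String` twice where the prelude `String` is already in scope, and `mapsorted` is only iterated, so `mapsorted: &[(&(String, String), &usize)]` with `for ((event_id, channel), event_cnt) in mapsorted {` would read shorter and avoid moving the vector into the call — provided the caller, which is not visible here, can hand over `&sorted` instead of the `Vec`. The bindings inside the loop stay the same either way. tm_stats_set_msg continues past the end of this hunk.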
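Review bot: `channel.replace('\"', "")` strips every double quote in the value, not only the quoting that `to_string()` apparently leaves around it, so a channel name that legitimately contains a quote is silently altered and an escaped `\"` inside the value leaves a stray backslash behind; `let fmted_channel = channel.trim_matches('\"').to_string();` removes just the surrounding quotes and leaves the rest of the expression untouched. Because the lookup key is lowercased while the fallback keeps the original text, a short comment would spare the next reader a double take: `// Case-insensitive lookup of the configured short name; fall back to the raw channel when no alias exists.` The loop body these lines sit in opens before this hunk.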
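Review bot: The ID column is now formatted differently in the two branches — `event_id.to_string()` when event_timeline_config knows the ID and `event_id.replace('\"', "")` in this Unknown branch — so if the stored ID ever carries quotes the same table mixes quoted and unquoted values depending on which events have a title entry. Compute it once before the `if conf`, `let id = event_id.replace('\"', "");`, and push `id` in both branches so the column is uniform regardless of the lookup result. The `if`/`else` this hunk belongs to opens before the hunk, inside tm_stats_set_msg.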
@@ -157,8 +161,6 @@ impl Timeline {
 for (key, values) in &mapsorted {
 let mut username: String = key.to_string();
- //key.to_string().retain(|c| c != '\"');
- //key.to_string().pop();
 username.pop();
 username.remove(0);
 logins_stats_tb.add_row(vec![