Feature/bits job#130 (#131)

* Feature/call error message struct#66 (#69)

* change  way to use write trait #66

* change call error message struct #66

* erase finished TODO #66

* erase comment in error message format test #66

* resolve conflict #66

* Feature/call error message struct#66 (#71)

* change ERROR writeln struct #66

* under constructing

* add statistics template

* fix

* add comment

* add condition impl #93

* fix erased get_descendants and remove unnecessaly struct #93

* erased finished TODO comment

* erased finished TODO comment

* Revert "fix erased get_descendants and remove unnecessaly struct #93"

This reverts commit 82e905e045.

Revert "add condition impl #93"

This reverts commit 19ecc87377.

* add doc comment to rule function

* fix and add test doc commet

* add doc to AggregaationParseInfo

* add struct count in aggregation condition. #93

* add evaluate aggregation condition func provisional architecture. #93

* add countup function #93

* fix key to count hashmap #93

* add judge aggregation condition function #93

* fix  error #93

* fix test #93

* share compile error ver

* fix detection.rs compile error

* fix timeframe parse

* add countup process in select

* fix select argument

* add test countup

* add test count judge #93

* add SIGMA windows count field and by keyword #93

* fix reference record in countup/judgecount #93

* add timedata in countup schema #93

* Refact: split code for matcher from rule.rs

* Reafact: combine multiple declared functions

* Refact: split code for SelectionNode from rule.rs

* Refact: mv test code for SelectionNode from rule.rs

* Refact: mv condition's code from rule.rs

* add count to detection #93

* fix compile error

* fix source to test ng. #93

* erase unused variable #93

* fix count architecture #93

* fix comment and compile error

* erase dust (response  to review)

* erase dust (response to review)

* reduce calling Rulenode function (response to review)

* add aggregation output func

* erase dust(response to review) and add agg condition String func

* change error output

* reduce call RuleNode function(response to review)

* To reduce call RuleNode function

* fix test name

* fix coflicted resolve miss

* add code comment in timeframe count.

* add sort record timedata in timeframe(response to review)

* fix unnecesasry result in ArgResult

* add no field and by value count test

* create count test no field and by with timeframe

* erase duplicated timeframe data in RuleNode

* fix test error no field and no by count with timeframe

* fix test name

* add test case of exist field and by count.

* fix by count test and add test count othervalue in timeframe

* add test

* fix judge_timeframe logic when indexout

* fix test name and add count test field and by with timeframe

* adjust #120

* move associated count function from rulenode

* fix error when resolve conflict

* adjust T1197_bitsjob_started

* fix no output bug if exist output

* add rule to bitsjob #130

Co-authored-by: HajimeTakai <takai.wa.hajime@gmail.com>
Co-authored-by: itiB <is0312vx@ed.ritsumei.ac.jp>

config/eventkey_alias.txt

@@ -42,4 +42,6 @@ SubjectLogonId,Event.EventData.SubjectLogonId
 Image,Event.EventData.Image
 ParentImage,Event.EventData.ParentImage
 MachineName,Event.EventData.MachineName
-QueryName,Event.EventData.QueryName
+QueryName,Event.EventData.QueryName
+JobTitle,Event.EventData.name
+Url,Event.EventData.url

rules/bitsjobs/1197_bitsjob.yaml

@@ -0,0 +1,16 @@
+title: BitsJob
+description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Microsoft-Windows-Bits-Client/Operational
+        EventID: 59
+falsepositives:
+    - unknown
+level: medium
+output: 'Started bits job created. JobTitle:%JobTitle% URL:%Url%'
+creation_date: 2021/7/15
+updated_date: 2021/7/15