refactor

src/detections/application.rs

@@ -17,12 +17,14 @@ impl Application {
         system: &event::System,
         event_data: HashMap<String, String>,
     ) {
-        if event_id == "2" {
+        self.emet(&event_id, system);
-            &self.emet(system);
-        }
     }
 
-    fn emet(&mut self, system: &event::System) {
+    fn emet(&mut self, event_id: &String, system: &event::System) {
+        if event_id != "2" {
+            return;
+        }
+
         match &system.provider.name {
             Some(name) => {
                 if name != "EMET" {

src/detections/common.rs

@@ -24,7 +24,7 @@ impl Common {
     }
 
     pub fn detection(&mut self, system: &event::System, event_data: &HashMap<String, String>) {
-        &self.check_record_id(system);
+        self.check_record_id(system);
     }
 
     //

src/detections/powershell.rs

@@ -17,15 +17,14 @@ impl PowerShell {
         _system: &event::System,
         event_data: HashMap<String, String>,
     ) {
-        if event_id == "4103" {
+        self.execute_pipeline(&event_id, &event_data);
-            &self.execute_pipeline(&event_data);
+        self.execute_remote_command(&event_id, &event_data);
-        } else if event_id == "4104" {
-            &self.execute_remote_command(&event_data);
-        }
     }
 
-    fn execute_pipeline(&mut self, event_data: &HashMap<String, String>) {
+    fn execute_pipeline(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
-        // パイプライン実行をしています
+        if event_id != "4103" {
+            return;
+        }
         let default = String::from("");
         let commandline = event_data.get("ContextInfo").unwrap_or(&default);
 
@@ -45,8 +44,10 @@ impl PowerShell {
         }
     }
 
-    fn execute_remote_command(&mut self, event_data: &HashMap<String, String>) {
+    fn execute_remote_command(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
-        // リモートコマンドを実行します
+        if event_id != "4104" {
+            return;
+        }
         let default = String::from("");
         let path = event_data.get("Path").unwrap().to_string();
         if path == "".to_string() {

src/detections/system.rs

@@ -14,19 +14,24 @@ impl System {
         system: &event::System,
         event_data: HashMap<String, String>,
     ) {
-        if event_id == "104" {
+        self.system_log_clear(&event_id);
-            &self.system_log_clear();
+        self.windows_event_log(&event_id, event_data);
-        } else if event_id == "7040" {
-            &self.windows_event_log(event_data);
-        }
     }
 
-    fn system_log_clear(&mut self) {
+    fn system_log_clear(&mut self, event_id: &String) {
+        if event_id != "104" {
+            return;
+        }
+
         println!("Message : System Log Clear");
         println!("Results : The System log was cleared.");
     }
 
-    fn windows_event_log(&mut self, event_data: HashMap<String, String>) {
+    fn windows_event_log(&mut self, event_id: &String, event_data: HashMap<String, String>) {
+        if event_id != "7040" {
+            return;
+        }
+
         if let Some(_param1) = event_data.get("param1") {
             if _param1 == "Windows Event Log" {
                 println!("Service name : {}", _param1);