display default channel name if not defined (#555)

* displayed other channel data in Channel column #553

* updated changelog #553

* updated changelog

* readme and channel abbreviataions update

* changelog update

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

CHANGELOG-Japanese.md

@@ -16,6 +16,7 @@
 - 新しいロゴに変更した。(#536) (@YamatoSecurity)
 - evtxファイルのファイルサイズの合計を出力するようにした。(#540) (@hitenkoku)
 - ロゴの色を変更した (#537) (@hitenkoku)
+- Channelの列にchannel_abbrevations.txtに記載されていないチャンネルも表示するようにした。(#553) (@hitenkoku)
 
 **バグ修正:**
 

CHANGELOG.md

@@ -16,6 +16,7 @@
 - New logo. (#536) (@YamatoSecurity)
 - Display total evtx file size. (#540) (@hitenkoku)
 - Changed logo color. (#537) (@hitenkoku)
+- Display the original `Channel` name when not specified in `channel_abbrevations.txt`. (#553) (@hitenkoku)
 
 **Bug Fixes:**
 

README-Japanese.md

@@ -531,34 +531,34 @@ CSVファイルとして保存する場合、以下の列が追加されます:
 簡潔に出力するためにChannelの表示を以下のように省略しています。
 `config/channel_abbreviations.txt`の設定ファイルで自由に編集できます。
 
-* `Application` : App
+* `App` : `Application`
-* `DNS Server` : DNS-Svr
+* `AppLocker` : `Microsoft-Windows-AppLocker/*`
-* `Microsoft-ServiceBus-Client` : SvcBusCli
+* `BitsCli` : `Microsoft-Windows-Bits-Client/Operational`
-* `Microsoft-Windows-CodeIntegrity/Operational` : CodeInteg
+* `CodeInteg` : `Microsoft-Windows-CodeIntegrity/Operational`
-* `Microsoft-Windows-LDAP-Client/Debug` : LDAP-Cli
+* `Defender` : `Microsoft-Windows-Windows Defender/Operational`
-* `Microsoft-Windows-AppLocker/MSI and Script` : AppLocker
+* `DHCP-Svr` : `Microsoft-Windows-DHCP-Server/Operational`
-* `Microsoft-Windows-AppLocker/EXE and DLL` : AppLocker
+* `DNS-Svr` : `DNS Server`
-* `Microsoft-Windows-AppLocker/Packaged app-Deployment` : AppLocker
+* `DvrFmwk` : `Microsoft-Windows-DriverFrameworks-UserMode/Operational`
-* `Microsoft-Windows-AppLocker/Packaged app-Execution` : AppLocker
+* `Exchange` : `MSExchange Management`
-* `Microsoft-Windows-Bits-Client/Operational` : BitsCli
+* `Firewall` : `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall`
-* `Microsoft-Windows-DHCP-Server/Operational` : DHCP-Svr
+* `KeyMgtSvc` : `Key Management Service`
-* `Microsoft-Windows-DriverFrameworks-UserMode/Operational` : DvrFmwk
+* `LDAP-Cli` : `Microsoft-Windows-LDAP-Client/Debug`
-* `Microsoft-Windows-NTLM/Operational` : NTLM
+* `NTLM` `Microsoft-Windows-NTLM/Operational`
-* `Microsoft-Windows-Security-Mitigations/KernelMode` : SecMitigations
+* `OpenSSH` : `OpenSSH/Operational`
-* `Microsoft-Windows-Security-Mitigations/UserMode` : SecMitigations
+* `PrintAdm` : `Microsoft-Windows-PrintService/Admin`
-* `Microsoft-Windows-SmbClient/Security` : SmbCliSec
+* `PrintOp` : `Microsoft-Windows-PrintService/Operational`
-* `Microsoft-Windows-Sysmon/Operational` : Sysmon
+* `PwSh` : `Microsoft-Windows-PowerShell/Operational`
-* `Microsoft-Windows-TaskScheduler/Operational` : TaskSch
+* `PwShClassic` : `Windows PowerShell`
-* `Microsoft-Windows-PrintService/Admin` : PrintAdm
+* `RDP-Client` : `Microsoft-Windows-TerminalServices-RDPClient/Operational`
-* `Microsoft-Windows-PrintService/Operational` : PrintOp
+* `Sec` : `Security`
-* `Microsoft-Windows-PowerShell/Operational` : PwSh
+* `SecMitig` : `Microsoft-Windows-Security-Mitigations/*`
-* `Microsoft-Windows-Windows Defender/Operational` : Defender
+* `SmbCliSec` : `Microsoft-Windows-SmbClient/Security`
-* `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` : Firewall
+* `SvcBusCli` : `Microsoft-ServiceBus-Client`
-* `Microsoft-Windows-WMI-Activity/Operational` : WMI
+* `Sys` : `System`
-* `MSExchange Management` : Exchange
+* `Sysmon` : `Microsoft-Windows-Sysmon/Operational`
-* `Security` : Sec
+* `TaskSch` : `Microsoft-Windows-TaskScheduler/Operational`
-* `System` : Sys
+* `WinRM` : `Microsoft-Windows-WinRM/Operational`
-* `Windows PowerShell` : WinPwSh
+* `WMI` : `Microsoft-Windows-WMI-Activity/Operational`
 
 ## プログレスバー
 

README.md

@@ -530,34 +530,34 @@ If you want to output all the tags defined in a rule, please specify the `--all-
 In order to save space, we use the following abbreviations when displaying Channel.
 You can freely edit these abbreviations in the `config/channel_abbreviations.txt` configuration file.
 
-* `Application` : App
+* `App` : `Application`
-* `DNS Server` : DNS-Svr
+* `AppLocker` : `Microsoft-Windows-AppLocker/*`
-* `Microsoft-ServiceBus-Client` : SvcBusCli
+* `BitsCli` : `Microsoft-Windows-Bits-Client/Operational`
-* `Microsoft-Windows-CodeIntegrity/Operational` : CodeInteg
+* `CodeInteg` : `Microsoft-Windows-CodeIntegrity/Operational`
-* `Microsoft-Windows-LDAP-Client/Debug` : LDAP-Cli
+* `Defender` : `Microsoft-Windows-Windows Defender/Operational`
-* `Microsoft-Windows-AppLocker/MSI and Script` : AppLocker
+* `DHCP-Svr` : `Microsoft-Windows-DHCP-Server/Operational`
-* `Microsoft-Windows-AppLocker/EXE and DLL` : AppLocker
+* `DNS-Svr` : `DNS Server`
-* `Microsoft-Windows-AppLocker/Packaged app-Deployment` : AppLocker
+* `DvrFmwk` : `Microsoft-Windows-DriverFrameworks-UserMode/Operational`
-* `Microsoft-Windows-AppLocker/Packaged app-Execution` : AppLocker
+* `Exchange` : `MSExchange Management`
-* `Microsoft-Windows-Bits-Client/Operational` : BitsCli
+* `Firewall` : `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall`
-* `Microsoft-Windows-DHCP-Server/Operational` : DHCP-Svr
+* `KeyMgtSvc` : `Key Management Service`
-* `Microsoft-Windows-DriverFrameworks-UserMode/Operational` : DvrFmwk
+* `LDAP-Cli` : `Microsoft-Windows-LDAP-Client/Debug`
-* `Microsoft-Windows-NTLM/Operational` : NTLM
+* `NTLM` `Microsoft-Windows-NTLM/Operational`
-* `Microsoft-Windows-Security-Mitigations/KernelMode` : SecMitigations
+* `OpenSSH` : `OpenSSH/Operational`
-* `Microsoft-Windows-Security-Mitigations/UserMode` : SecMitigations
+* `PrintAdm` : `Microsoft-Windows-PrintService/Admin`
-* `Microsoft-Windows-SmbClient/Security` : SmbCliSec
+* `PrintOp` : `Microsoft-Windows-PrintService/Operational`
-* `Microsoft-Windows-Sysmon/Operational` : Sysmon
+* `PwSh` : `Microsoft-Windows-PowerShell/Operational`
-* `Microsoft-Windows-TaskScheduler/Operational` : TaskSch
+* `PwShClassic` : `Windows PowerShell`
-* `Microsoft-Windows-PrintService/Admin` : PrintAdm
+* `RDP-Client` : `Microsoft-Windows-TerminalServices-RDPClient/Operational`
-* `Microsoft-Windows-PrintService/Operational` : PrintOp
+* `Sec` : `Security`
-* `Microsoft-Windows-PowerShell/Operational` : PwSh
+* `SecMitig` : `Microsoft-Windows-Security-Mitigations/*`
-* `Microsoft-Windows-Windows Defender/Operational` : Defender
+* `SmbCliSec` : `Microsoft-Windows-SmbClient/Security`
-* `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` : Firewall
+* `SvcBusCli` : `Microsoft-ServiceBus-Client`
-* `Microsoft-Windows-WMI-Activity/Operational` : WMI
+* `Sys` : `System`
-* `MSExchange Management` : Exchange
+* `Sysmon` : `Microsoft-Windows-Sysmon/Operational`
-* `Security` : Sec
+* `TaskSch` : `Microsoft-Windows-TaskScheduler/Operational`
-* `System` : Sys
+* `WinRM` : `Microsoft-Windows-WinRM/Operational`
-* `Windows PowerShell` : WinPwSh
+* `WMI` : `Microsoft-Windows-WMI-Activity/Operational`
 
 ## Progress Bar
 

config/channel_abbreviations.txt

@@ -1,6 +1,7 @@
 Channel,Abbreviation
 Application,App
 DNS Server,DNS-Svr
+Key Management Service,KeyMgtSvc
 Microsoft-ServiceBus-Client,SvcBusCli
 Microsoft-Windows-CodeIntegrity/Operational,CodeInteg
 Microsoft-Windows-LDAP-Client/Debug,LDAP-Cli
@@ -12,18 +13,21 @@ Microsoft-Windows-Bits-Client/Operational,BitsCli
 Microsoft-Windows-DHCP-Server/Operational,DHCP-Svr
 Microsoft-Windows-DriverFrameworks-UserMode/Operational,DvrFmwk
 Microsoft-Windows-NTLM/Operational,NTLM
-Microsoft-Windows-Security-Mitigations/KernelMode,SecMitigations
+Microsoft-Windows-Security-Mitigations/KernelMode,SecMitig
-Microsoft-Windows-Security-Mitigations/UserMode,SecMitigations
+Microsoft-Windows-Security-Mitigations/UserMode,SecMitig
 Microsoft-Windows-SmbClient/Security,SmbCliSec
 Microsoft-Windows-Sysmon/Operational,Sysmon
 Microsoft-Windows-TaskScheduler/Operational,TaskSch
+Microsoft-Windows-TerminalServices-RDPClient/Operational,RDP-Client
 Microsoft-Windows-PrintService/Admin,PrintAdm
 Microsoft-Windows-PrintService/Operational,PrintOp
 Microsoft-Windows-PowerShell/Operational,PwSh
 Microsoft-Windows-Windows Defender/Operational,Defender
 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall,Firewall
+Microsoft-Windows-WinRM/Operational,WinRM
 Microsoft-Windows-WMI-Activity/Operational,WMI
 MSExchange Management,Exchange
+OpenSSH/Operational,OpenSSH
 Security,Sec
 System,Sys
-Windows PowerShell,WinPwSh
+Windows PowerShell,PwShClassic

src/detections/detection.rs

@@ -238,6 +238,8 @@ impl Detection {
         } else {
             None
         };
+        let ch_str = &get_serde_number_to_string(&record_info.record["Event"]["System"]["Channel"])
+            .unwrap_or_default();
         let detect_info = DetectInfo {
             filepath: record_info.evtx_filepath.to_string(),
             rulepath: rule.rulepath.to_string(),
@@ -247,13 +249,7 @@ impl Detection {
                 .replace('\"', ""),
             eventid: get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"])
                 .unwrap_or_else(|| "-".to_owned()),
-            channel: CH_CONFIG
+            channel: CH_CONFIG.get(ch_str).unwrap_or(ch_str).to_string(),
-                .get(
-                    &get_serde_number_to_string(&record_info.record["Event"]["System"]["Channel"])
-                        .unwrap_or_default(),
-                )
-                .unwrap_or(&String::default())
-                .to_string(),
             alert: rule.yaml["title"].as_str().unwrap_or("").to_string(),
             detail: String::default(),
             tag_info: tag_info.join(" | "),

src/detections/print.rs

@@ -97,7 +97,7 @@ impl Message {
         Message { map: messages }
     }
 
-    /// ファイルパスで記載されたtagでのフル名、表示の際に置き換えられる文字列のHashMapを作成する関数。tagではこのHashMapのキーに対応しない出力は出力しないものとする
+    /// ファイルパスで記載されたtagでのフル名、表示の際に置き換えられる文字列のHashMapを作成する関数。
     /// ex. attack.impact,Impact
     pub fn create_output_filter_config(
         path: &str,