diff --git a/src/afterfact.rs b/src/afterfact.rs
index 618f37b4..4c68e983 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -673,6 +673,7 @@ mod tests {
 },
 expect_time,
 &mut profile_converter,
+ false,
 );
 }
 let expect =
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index e8bb7d91..be6046c3 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -330,6 +330,7 @@ impl Detection {
 detect_info,
 time,
 &mut profile_converter,
+ false,
 );
 }
@@ -398,7 +399,6 @@ impl Detection {
 }
 let detect_info = DetectInfo {
- // filepath: "-".to_owned(),
 rulepath: (&rule.rulepath).to_owned(),
 level: rule.yaml["level"].as_str().unwrap_or("").to_owned(),
 computername: "-".to_owned(),
@@ -414,6 +414,7 @@ impl Detection {
 detect_info,
 agg_result.start_timedate,
 &mut profile_converter,
+ true,
 )
 }
diff --git a/src/detections/message.rs b/src/detections/message.rs
index d0aaaf9d..f99348e8 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -133,17 +133,19 @@ pub fn insert(
 mut detect_info: DetectInfo,
 time: DateTime,
 profile_converter: &mut HashMap,
+ is_agg: bool,
 ) {
- let parsed_detail = parse_message(event_record, &output)
- .chars()
- .filter(|&c| !c.is_control())
- .collect::();
-
- detect_info.detail = if parsed_detail.is_empty() {
- "-".to_string()
- } else {
- parsed_detail
- };
+ if !is_agg {
+ let parsed_detail = parse_message(event_record, &output)
+ .chars()
+ .filter(|&c| !c.is_control())
+ .collect::();
+ detect_info.detail = if parsed_detail.is_empty() {
+ "-".to_string()
+ } else {
+ parsed_detail
+ };
+ }
 let mut exist_detail = false;
 PROFILES.as_ref().unwrap().iter().for_each(|(_k, v)| {
 if v.contains("%Details%") {
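Review bot: The updated test call only exercises the new `is_agg = false` path, which is the behaviour `insert` already had, so the `true` branch introduced in `src/detections/message.rs` — where `detect_info.detail` is kept exactly as the caller supplied it — has no coverage in this test module. A sibling case that calls `insert` with `true` and asserts the pre-set `detail` (including an empty one) is carried through as intended would pin the new contract. The enclosing test function starts and ends outside the hunk.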
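Review bot: Wrapping the whole parse-and-filter step in `if !is_agg` means the control-character filter and the empty-to-`"-"` fallback no longer run for aggregation records, so whatever `detail` the aggregation caller in `src/detections/detection.rs` (the call now passing `true`) placed in `DetectInfo` reaches the rest of `insert` unfiltered; the `DetectInfo` literal that sets that field lies outside the visible hunk, so I cannot tell whether it holds event-derived text. If the filter is meant as sanitization of the detail field rather than only of `parse_message` output, apply it on the other branch too, e.g. `} else { detect_info.detail = detect_info.detail.chars().filter(|&c| !c.is_control()).collect(); }`. The new parameter is also undocumented; a doc line on `insert` such as `/// is_agg: when true, detect_info.detail is used as supplied by the caller instead of being rebuilt from parse_message.` would tell callers what the flag changes. `insert` continues past the hunk.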