add sysmon

2020-10-02 00:10:38 +09:00
parent d883def462
commit 42f8483485
3 changed files with 42 additions and 0 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -4,6 +4,7 @@ use crate::detections::application;
 use crate::detections::common;
 use crate::detections::security;
 use crate::detections::system;
+use crate::detections::sysmon;
 use crate::models::event;
 use evtx::EvtxParser;
 use quick_xml::de::DeError;
@@ -26,6 +27,7 @@ impl Detection {
        let mut security = security::Security::new();
        let mut system = system::System::new();
        let mut application = application::Application::new();
+        let mut sysmon = sysmon::Sysmon::new();

        for record in parser.records() {
            match record {
@@ -43,6 +45,8 @@ impl Detection {
                        &system.detection(event_id, &event.system, event_data);
                    } else if channel == "Application" {
                        &application.detection(event_id, &event.system, event_data);
+                    } else if channel == "Microsoft-Windows-Sysmon/Operational" {
+                        &sysmon.detection(event_id, &event.system, event_data);
                    } else {
                        //&other.detection();
                    }
--- a/src/detections/mod.rs
+++ b/src/detections/mod.rs
@@ -3,3 +3,4 @@ mod common;
 pub mod detection;
 mod security;
 mod system;
+mod sysmon;
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -0,0 +1,37 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct Sysmon {}
+
+impl Sysmon {
+    pub fn new() -> Sysmon {
+        Sysmon {}
+    }
+
+    pub fn detection(
+        &mut self,
+        event_id: String,
+        system: &event::System,
+        event_data: HashMap<String, String>,
+    ) {
+        if event_id == "1" {
+            &self.sysmon_event_1(event_data);
+        } else if event_id == "7" {
+            &self.sysmon_event_7(event_data);
+        }
+    }
+
+    fn sysmon_event_1(&mut self, event_data: HashMap<String, String>) {
+        println!("Message : Sysmon event 1");
+        if let Some(_image) = event_data.get("Image") {
+            println!("_image : {}",_image);
+        }
+        if let Some(_command_line) = event_data.get("CommandLine") {
+            println!("_command_line : {}",_command_line);
+        }
+    }
+
+    fn sysmon_event_7(&mut self, event_data: HashMap<String, String>) {
+        println!("Message : Sysmon event 7");
+    }
+}