CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated cargo, readme, usage

Browse Source
This commit is contained in:
Tanaka Zakku
2022-06-19 10:08:59 +09:00
parent ac246522d4
commit 47c0eee38c
5 changed files with 143 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
Cargo.lock generated
View File

@@ -39,9 +39,9 @@ dependencies = [
[[package]]
name = "anyhow"
version = "1.0.57"
version = "1.0.58"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "08f9b8508dccb7687a1d6c4ce66b2b0ecef467c94667de27d8d7fe1f8d2a9cdc"
checksum = "bb07d2053ccdbe10e2af2995a2f116c1330396493dc1269f6a91d0ae82e19704"
[[package]]
name = "arrayref"
@@ -220,9 +220,9 @@ dependencies = [
[[package]]
name = "clap"
version = "3.2.4"
version = "3.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6d20de3739b4fb45a17837824f40aa1769cc7655d7a83e68739a77fe7b30c87a"
checksum = "d53da17d37dba964b9b3ecb5c5a1f193a2762c700e6829201e645b9381c99dc7"
dependencies = [
"atty",
"bitflags",
@@ -237,9 +237,9 @@ dependencies = [
[[package]]
name = "clap_derive"
version = "3.2.4"
version = "3.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "026baf08b89ffbd332836002ec9378ef0e69648cbfadd68af7cd398ca5bf98f7"
checksum = "c11d40217d16aee8508cc8e5fde8b4ff24639758608e5374e731b53f85749fb9"
dependencies = [
"heck",
"proc-macro-error",
@@ -295,9 +295,9 @@ dependencies = [
[[package]]
name = "crossbeam-channel"
version = "0.5.4"
version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5aaa7bd5fb665c6864b5f963dd9097905c54125909c7aa94c9e18507cdbe6c53"
checksum = "4c02a4d71819009c192cf4872265391563fd6a84c81ff2c0f2a7026ca4c1d85c"
dependencies = [
"cfg-if",
"crossbeam-utils",
@@ -316,26 +316,26 @@ dependencies = [
[[package]]
name = "crossbeam-epoch"
version = "0.9.8"
version = "0.9.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1145cf131a2c6ba0615079ab6a638f7e1973ac9c2634fcbeaaad6114246efe8c"
checksum = "07db9d94cbd326813772c968ccd25999e5f8ae22f4f8d1b11effa37ef6ce281d"
dependencies = [
"autocfg",
"cfg-if",
"crossbeam-utils",
"lazy_static",
"memoffset",
"once_cell",
"scopeguard",
]
[[package]]
name = "crossbeam-utils"
version = "0.8.8"
version = "0.8.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0bf124c720b7686e3c2663cf54062ab0f68a88af2fb6a030e87e30bf721fcb38"
checksum = "8ff1f980957787286a554052d03c7aee98d99cc32e09f6d45f0a814133c87978"
dependencies = [
"cfg-if",
"lazy_static",
"once_cell",
]
[[package]]
@@ -643,9 +643,9 @@ dependencies = [
[[package]]
name = "git2"
version = "0.13.25"
version = "0.14.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f29229cc1b24c0e6062f6e742aa3e256492a5323365e5ed3413599f8a5eff7d6"
checksum = "d0155506aab710a86160ddb504a480d2964d7ab5b9e62419be69e0032bc5931c"
dependencies = [
"bitflags",
"libc",
@@ -662,12 +662,6 @@ version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574"
[[package]]
name = "hashbrown"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e"
[[package]]
name = "hashbrown"
version = "0.12.1"
@@ -679,19 +673,19 @@ dependencies = [
[[package]]
name = "hayabusa"
version = "1.4.0"
version = "1.4.0-dev"
dependencies = [
"base64",
"bytesize",
"chrono",
"clap 3.2.4",
"clap 3.2.5",
"crossbeam-utils",
"csv",
"downcast-rs",
"evtx",
"flate2",
"git2",
"hashbrown 0.12.1",
"hashbrown",
"hex",
"hhmmss",
"hyper",
@@ -825,12 +819,12 @@ dependencies = [
[[package]]
name = "indexmap"
version = "1.8.2"
version = "1.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6012d540c5baa3589337a98ce73408de9b5a25ec9fc2c6fd6be8f0d39e0ca5a"
checksum = "6c6392766afd7964e2531940894cffe4bd8d7d17dbc3c1c4857040fd4b33bdb3"
dependencies = [
"autocfg",
"hashbrown 0.11.2",
"hashbrown",
]
[[package]]
@@ -920,7 +914,7 @@ dependencies = [
"anyhow",
"atty",
"chrono",
"clap 3.2.4",
"clap 3.2.5",
"file-chunker",
"indicatif",
"memmap2",
@@ -946,9 +940,9 @@ checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"
[[package]]
name = "libgit2-sys"
version = "0.12.26+1.3.0"
version = "0.13.4+1.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19e1c899248e606fbfe68dcb31d8b0176ebab833b103824af31bddf4b7457494"
checksum = "d0fa6563431ede25f5cc7f6d803c6afbc1c5d3ad3d4925d12c882bf2b526f5d1"
dependencies = [
"cc",
"libc",
@@ -1320,9 +1314,9 @@ dependencies = [
[[package]]
name = "quote"
version = "1.0.18"
version = "1.0.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1feb54ed693b93a84e14094943b84b7c4eae204c512b7ccb95ab0c66d278ad1"
checksum = "f53dc8cf16a769a6f677e09e7ff2cd4be1ea0f48754aac39520536962011de0d"
dependencies = [
"proc-macro2",
]
@@ -1670,9 +1664,9 @@ checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
[[package]]
name = "syn"
version = "1.0.96"
version = "1.0.98"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0748dd251e24453cb8717f0354206b91557e4ec8703673a4b30208f2abaf1ebf"
checksum = "c50aef8a904de4c23c788f104b7dddc7d6f79c647c7c8ce4cc8f73eb0ca773dd"
dependencies = [
"proc-macro2",
"quote",
@@ -1855,9 +1849,9 @@ dependencies = [
[[package]]
name = "tower-service"
version = "0.3.1"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6"
checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
[[package]]
name = "tracing"

34
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "hayabusa"
version = "1.4.0"
version = "1.4.0-dev"
authors = ["Yamato Security @SecurityYamato"]
edition = "2021"
@@ -9,38 +9,38 @@ edition = "2021"
[dependencies]
clap = { version = "3.*", features = ["derive", "cargo"]}
evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git" , rev = "158d496" , features = ["fast-alloc"]}
quick-xml = {version = "0.23.0", features = ["serialize"] }
serde = { version = "1.0.*", features = ["derive"] }
quick-xml = {version = "0.*", features = ["serialize"] }
serde = { version = "1.*", features = ["derive"] }
serde_json = { version = "1.0"}
serde_derive = "1.0.*"
serde_derive = "1.*"
regex = "1.5.*"
csv = "1.1.*"
base64 = "*"
flate2 = "1.0.*"
lazy_static = "1.4.0"
chrono = "0.4.19"
flate2 = "1.*"
lazy_static = "1.4.*"
chrono = "0.4.*"
yaml-rust = "0.4.*"
linked-hash-map = "0.5.*"
tokio = { version = "1", features = ["full"] }
num_cpus = "1.13.*"
downcast-rs = "1.2.0"
num_cpus = "1.*"
downcast-rs = "1.*"
hhmmss = "*"
pbr = "*"
hashbrown = "0.12.*"
hex = "0.4.*"
git2 = "0.13"
git2 = "0.*"
termcolor = "*"
prettytable-rs = "0.8"
prettytable-rs = "0.*"
krapslog = "*"
terminal_size = "*"
bytesize = "1.1"
hyper = "0.14.19"
lock_api = "0.4.7"
crossbeam-utils = "0.8.8"
bytesize = "1.*"
hyper = "0.14.*"
lock_api = "0.4.*"
crossbeam-utils = "0.8.*"
[target.'cfg(windows)'.dependencies]
is_elevated = "0.1.2"
static_vcruntime = "2.0"
is_elevated = "0.1.*"
static_vcruntime = "2.*"
[target.'cfg(unix)'.dependencies] #Mac and Linux
openssl = { version = "*", features = ["vendored"] } #vendored is needed to compile statically.

69
README-Japanese.md
View File

@@ -165,6 +165,7 @@ CSVのタイムラインをElastic Stackにインポートする方法は[こち
* すべてのエンドポイントでの企業全体のスレットハンティング。
* MITRE ATT&CKのヒートマップ生成機能。
* [Sigma Correlations](https://github.com/SigmaHQ/sigma/wiki/Specification:-Sigma-Correlations)の対応。
# ダウンロード
@@ -321,45 +322,45 @@ macOSの環境設定から「セキュリティとプライバシー」を開き
## コマンドラインオプション
```bash
```
USAGE:
hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS]
OPTIONS:
--European-time ヨーロッパ形式で日付と時刻を出力する(例: 22-02-2022 22:00:00.123 +02:00)
--US-military-time 24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する。 (例: 02-22-2022 22:00:00.123 -06:00)
--US-time アメリカ形式で日付と時刻を出力する(例: 02-22-2022 10:00:00.123 PM -06:00)
--all-tags 出力したCSVファイルにルール内のタグ情報を全て出力する。
-c, --config <RULE_CONFIG_DIRECTORY> ルールフォルダのコンフィグディレクトリ (デフォルト: .\rules\config)
--contributors コントリビュータの一覧表示。
-d, --directory <DIRECTORY> .evtxファイルを持つディレクトリのパス。
-D, --enable-deprecated-rules Deprecatedルールを有効にする。
--end-timeline <END_TIMELINE> 解析対象とするイベントログの終了時刻。(例: "2022-02-22 23:59:59 +09:00")
--European-time ヨーロッパ形式で日付と時刻を出力する (例: 22-02-2022 22:00:00.123 +02:00)
--RFC-2822 RFC 2822形式で日付と時刻を出力する (例: Fri, 22 Feb 2022 22:00:00 -0600)
--RFC-3339 RFC 3339形式で日付と時刻を出力する (例: 2022-02-22 22:00:00.123456-06:00)
--US-military-time 24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する (例: 02-22-2022 22:00:00.123 -06:00)
--US-time アメリカ形式で日付と時刻を出力する (例: 02-22-2022 10:00:00.123 PM -06:00)
--all-tags 出力したCSVファイルにルール内のタグ情報を全て出力する
-c, --config <RULE_CONFIG_DIRECTORY> ルールフォルダのコンフィグディレクトリ (デフォルト: ./rules/config)
--contributors コントリビュータの一覧表示
-d, --directory <DIRECTORY> .evtxファイルを持つディレクトリのパス
-D, --enable-deprecated-rules Deprecatedルールを有効にする
--end-timeline <END_TIMELINE> 解析対象とするイベントログの終了時刻 (例: "2022-02-22 23:59:59 +09:00")
-f, --filepath <FILE_PATH> 1つの.evtxファイルに対して解析を行う
-F, --full-data 全てのフィールド情報を出力する
-h, --help ヘルプ情報を表示する
-l, --live-analysis ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する(Windowsのみ。管理者権限が必要。)
-L, --logon-summary 成功と失敗したログオン情報の要約を出力する
--level-tuning <LEVEL_TUNING_FILE> ルールlevelのチューニング(デフォルト: .\rules\config\level_tuning.txt)
-m, --min-level <LEVEL> 結果出力をするルールの最低レベル(デフォルト: informational)
-n, --enable-noisy-rules Noisyルールを有効にする
--no_color カラー出力を無効にする
-o, --output <CSV_TIMELINE> タイムラインをCSV形式で保存する(例: results.csv)
-p, --pivot-keywords-list ピボットキーワードの一覧作成
-q, --quiet Quietモード起動バナーを表示しない
-Q, --quiet-errors Quiet errorsモードエラーログを保存しない
-r, --rules <RULE_DIRECTORY/RULE_FILE> ルールファイルまたはルールファイルを持つディレクトリ(デフォルト: .\rules)
-R, --hide-record-id イベントレコードIDを表示しない
--rfc-2822 RFC 2822形式で日付と時刻を出力する。(例: Fri, 22 Feb 2022 22:00:00 -0600)
--rfc-3339 RFC 3339形式で日付と時刻を出力する。 (例: 2022-02-22 22:00:00.123456-06:00)
-s, --statistics イベントIDの統計情報を表示する。
--start-timeline <START_TIMELINE> 解析対象とするイベントログの開始時刻。(例: "2020-02-22 00:00:00 +09:00")
-t, --thread-number <NUMBER> スレッド数。(デフォルト: パフォーマンスに最適な数値)
-u, --update-rules rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する
-U, --UTC UTC形式で日付と時刻を出力する。(デフォルト: 現地時間)
-v, --verbose 詳細な情報を出力する
-V, --visualize-timeline イベント頻度タイムラインを出力する。
--version バージョン情報を表示する。
-F, --full-data 全てのフィールド情報を出力する
-h, --help ヘルプ情報を表示する
-l, --live-analysis ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する
-L, --logon-summary 成功と失敗したログオン情報の要約を出力する
--level-tuning <LEVEL_TUNING_FILE> ルールlevelのチューニング (デフォルト: ./rules/config/level_tuning.txt)
-m, --min-level <LEVEL> 結果出力をするルールの最低レベル (デフォルト: informational)
-n, --enable-noisy-rules Noisyルールを有効にする
--no_color カラー出力を無効にする
-o, --output <CSV_TIMELINE> タイムラインをCSV形式で保存する (例: results.csv)
-p, --pivot-keywords-list ピボットキーワードの一覧作成
-q, --quiet Quietモード: 起動バナーを表示しない
-Q, --quiet-errors Quiet errorsモード: エラーログを保存しない
-r, --rules <RULE_DIRECTORY/RULE_FILE> ルールファイルまたはルールファイルを持つディレクトリ (デフォルト: ./rules)
-R, --hide-record-id イベントレコードIDを表示しない
-s, --statistics イベントIDの統計情報を表示する
--start-timeline <START_TIMELINE> 解析対象とするイベントログの開始時刻 (例: "2020-02-22 00:00:00 +09:00")
-t, --thread-number <NUMBER> スレッド数 (デフォルト: パフォーマンスに最適な数値)
-u, --update-rules rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する
-U, --UTC UTC形式で日付と時刻を出力する (デフォルト: 現地時間)
-v, --verbose 詳細な情報を出力する
-V, --visualize-timeline イベント頻度タイムラインを出力する
--version バージョン情報を表示する
```
## 使用例

49
README.md
View File

@@ -160,6 +160,7 @@ You can learn how to import CSV files into Elastic Stack [here](doc/ElasticStack
* Enterprise-wide hunting on all endpoints.
* MITRE ATT&CK heatmap generation.
* Support for [Sigma Correlations](https://github.com/SigmaHQ/sigma/wiki/Specification:-Sigma-Correlations).
# Downloads
@@ -319,42 +320,42 @@ You should now be able to run hayabusa.
## Command Line Options
```bash
```
USAGE:
hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS]
OPTIONS:
--European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00)
--US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00)
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
--all-tags Output all tags when saving to a CSV file
-c, --config <RULE_CONFIG_DIRECTORY> Rule config folder. (Default: .\rules\config)
--contributors Prints the list of contributors
-c, --config <RULE_CONFIG_DIRECTORY> Specify custom rule config folder (default: ./rules/config)
--contributors Print the list of contributors
-d, --directory <DIRECTORY> Directory of multiple .evtx files
-D, --enable-deprecated-rules Enable rules marked as deprecated
--end-timeline <END_TIMELINE> End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00")
--end-timeline <END_TIMELINE> End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
-f, --filepath <FILE_PATH> File path to one .evtx file
-F, --full-data Print all field information
-h, --help Print help information
-l, --live-analysis Analyze the local C:\\Windows\\System32\\winevt\\Logs folder. (Windows Only. Administrator privileges required.)
-L, --logon-summary Successful and failed logons summary
--level-tuning <LEVEL_TUNING_FILE> Tune alert levels. (Default: .\rules\config\level_tuning.txt)
-m, --min-level <LEVEL> Minimum level for rules. (Default: informational)
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
-L, --logon-summary Print a summary of successful and failed logons
--level-tuning <LEVEL_TUNING_FILE> Tune alert levels (default: ./rules/config/level_tuning.txt)
-m, --min-level <LEVEL> Minimum level for rules (default: informational)
-n, --enable-noisy-rules Enable rules marked as noisy
--no_color Disable color output
-o, --output <CSV_TIMELINE> Save the timeline in CSV format. (Ex: results.csv)
--no-color Disable color output
-o, --output <CSV_TIMELINE> Save the timeline in CSV format (ex: results.csv)
-p, --pivot-keywords-list Create a list of pivot keywords
-q, --quiet Quiet mode. Do not display the launch banner
-Q, --quiet-errors Quiet errors mode. Do not save error logs
-r, --rules <RULE_DIRECTORY/RULE_FILE> Specify rule directory or file. (Default: .\rules)
-R, --hide-record-id Do not display EventRecordID numbers
--rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600)
--rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00)
-s, --statistics Prints statistics of event IDs
--start-timeline <START_TIMELINE> Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00")
-t, --thread-number <NUMBER> Thread number. (Default: Optimal number for performance.)
-q, --quiet Quiet mode: do not display the launch banner
-Q, --quiet-errors Quiet errors mode: do not save error logs
-r, --rules <RULE_DIRECTORY/RULE_FILE> Specify a rule directory or file (default: ./rules)
-R, --hide-record-ID Do not display EventRecordID numbers
-s, --statistics Print statistics of event IDs
--start-timeline <START_TIMELINE> Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")
-t, --thread-number <NUMBER> Thread number (default: optimal number for performance)
-u, --update-rules Update to the latest rules in the hayabusa-rules github repository
-U, --UTC Output time in UTC format. (Default: local time)
-U, --UTC Output time in UTC format (default: local time)
-v, --verbose Output verbose information
-V, --visualize-timeline Output event frequency timeline
--version Print version information
@@ -632,7 +633,7 @@ Please check out the current rules to use as a template in creating new ones or
## Hayabusa v.s. Converted Sigma Rules
Sigma rules need to first be converted to hayabusa rule format explained [here](https://github.com/Yamato-Security/hayabusa-rules/blob/main/tools/sigmac/README.md).
Most rules are compatible with the sigma format so you can use them just like sigma rules to convert to other SIEM formats.
Almost all hayabusa rules are compatible with the sigma format so you can use them just like sigma rules to convert to other SIEM formats.
Hayabusa rules are designed solely for Windows event log analysis and have the following benefits:
1. An extra `details` field to display additional information taken from only the useful fields in the log.

70
src/detections/configs.rs
View File

@@ -55,19 +55,19 @@ impl Default for ConfigReader<'_> {
term_width = 400
)]
pub struct Config {
/// Directory of multiple .evtx files.
/// Directory of multiple .evtx files
#[clap(short = 'd', long, value_name = "DIRECTORY")]
pub directory: Option<PathBuf>,
/// File path to one .evtx file.
/// File path to one .evtx file
#[clap(short = 'f', long, value_name = "FILE_PATH")]
pub filepath: Option<PathBuf>,
/// Print all field information.
/// Print all field information
#[clap(short = 'F', long = "full-data")]
pub full_data: bool,
/// Specify rule directory or file. (Default: .\rules)
/// Specify a rule directory or file (default: ./rules)
#[clap(
short = 'r',
long,
@@ -77,7 +77,7 @@ pub struct Config {
)]
pub rules: PathBuf,
/// Rule config folder. (Default: .\rules\config)
/// Specify custom rule config folder (default: ./rules/config)
#[clap(
short = 'c',
long,
@@ -87,39 +87,39 @@ pub struct Config {
)]
pub config: PathBuf,
/// Save the timeline in CSV format. (Ex: results.csv)
/// Save the timeline in CSV format (ex: results.csv)
#[clap(short = 'o', long, value_name = "CSV_TIMELINE")]
pub output: Option<PathBuf>,
/// Output all tags when saving to a CSV file.
/// Output all tags when saving to a CSV file
#[clap(long = "all-tags")]
pub all_tags: bool,
/// Do not display EventRecordID numbers.
/// Do not display EventRecordID numbers
#[clap(short = 'R', long = "hide-record-id")]
pub hide_record_id: bool,
/// Output verbose information.
/// Output verbose information
#[clap(short = 'v', long)]
pub verbose: bool,
/// Output event frequency timeline.
/// Output event frequency timeline
#[clap(short = 'V', long = "visualize-timeline")]
pub visualize_timeline: bool,
/// Enable rules marked as deprecated.
/// Enable rules marked as deprecated
#[clap(short = 'D', long = "enable-deprecated-rules")]
pub enable_deprecated_rules: bool,
/// Enable rules marked as noisy.
/// Enable rules marked as noisy
#[clap(short = 'n', long = "enable-noisy-rules")]
pub enable_noisy_rules: bool,
/// Update to the latest rules in the hayabusa-rules github repository.
/// Update to the latest rules in the hayabusa-rules github repository
#[clap(short = 'u', long = "update-rules")]
pub update_rules: bool,
/// Minimum level for rules. (Default: informational)
/// Minimum level for rules (default: informational)
#[clap(
short = 'm',
long = "min-level",
@@ -129,59 +129,59 @@ pub struct Config {
)]
pub min_level: String,
/// Analyze the local C:\\Windows\\System32\\winevt\\Logs folder. (Windows Only. Administrator privileges required.)
/// Analyze the local C:\Windows\System32\winevt\Logs folder
#[clap(short = 'l', long = "live-analysis")]
pub live_analysis: bool,
/// Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00")
/// Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")
#[clap(long = "start-timeline", value_name = "START_TIMELINE")]
pub start_timeline: Option<String>,
/// End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00")
/// End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
#[clap(long = "end-timeline", value_name = "END_TIMELINE")]
pub end_timeline: Option<String>,
/// Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600)
#[clap(long = "rfc-2822")]
/// Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
#[clap(long = "RFC-2822")]
pub rfc_2822: bool,
/// Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00)
#[clap(long = "rfc-3339")]
/// Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
#[clap(long = "RFC-3339")]
pub rfc_3339: bool,
/// Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00)
/// Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
#[clap(long = "US-time")]
pub us_time: bool,
/// Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00)
/// Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
#[clap(long = "US-military-time")]
pub us_military_time: bool,
/// Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00)
/// Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
#[clap(long = "European-time")]
pub european_time: bool,
/// Output time in UTC format. (Default: local time)
/// Output time in UTC format (default: local time)
#[clap(short = 'U', long = "UTC")]
pub utc: bool,
/// Disable color output.
#[clap(long = "no_color")]
/// Disable color output
#[clap(long = "no-color")]
pub no_color: bool,
/// Thread number. (Default: Optimal number for performance.)
/// Thread number (default: optimal number for performance)
#[clap(short, long = "thread-number", value_name = "NUMBER")]
pub thread_number: Option<usize>,
/// Prints statistics of event IDs.
/// Print statistics of event IDs
#[clap(short, long)]
pub statistics: bool,
/// Successful and failed logons summary.
/// Print a summary of successful and failed logons
#[clap(short = 'L', long = "logon-summary")]
pub logon_summary: bool,
/// Tune alert levels. (Default: .\rules\config\level_tuning.txt)
/// Tune alert levels (default: ./rules/config/level_tuning.txt)
#[clap(
long = "level-tuning",
default_value = "./rules/config/level_tuning.txt",
@@ -190,19 +190,19 @@ pub struct Config {
)]
pub level_tuning: PathBuf,
/// Quiet mode. Do not display the launch banner.
/// Quiet mode: do not display the launch banner
#[clap(short, long)]
pub quiet: bool,
/// Quiet errors mode. Do not save error logs.
/// Quiet errors mode: do not save error logs
#[clap(short = 'Q', long = "quiet-errors")]
pub quiet_errors: bool,
/// Create a list of pivot keywords.
/// Create a list of pivot keywords
#[clap(short = 'p', long = "pivot-keywords-list")]
pub pivot_keywords_list: bool,
/// Prints the list of contributors.
/// Print the list of contributors
#[clap(long)]
pub contributors: bool,
}