From 47c0eee38ca4bc414fccc76525cbc6cfe4489787 Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Sun, 19 Jun 2022 10:08:59 +0900 Subject: [PATCH] updated cargo, readme, usage --- Cargo.lock | 68 +++++++++++++++++-------------------- Cargo.toml | 34 +++++++++---------- README-Japanese.md | 69 +++++++++++++++++++------------------- README.md | 49 +++++++++++++-------------- src/detections/configs.rs | 70 +++++++++++++++++++-------------------- 5 files changed, 143 insertions(+), 147 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e307c6f4..f9856a8b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -39,9 +39,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.57" +version = "1.0.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08f9b8508dccb7687a1d6c4ce66b2b0ecef467c94667de27d8d7fe1f8d2a9cdc" +checksum = "bb07d2053ccdbe10e2af2995a2f116c1330396493dc1269f6a91d0ae82e19704" [[package]] name = "arrayref" @@ -220,9 +220,9 @@ dependencies = [ [[package]] name = "clap" -version = "3.2.4" +version = "3.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d20de3739b4fb45a17837824f40aa1769cc7655d7a83e68739a77fe7b30c87a" +checksum = "d53da17d37dba964b9b3ecb5c5a1f193a2762c700e6829201e645b9381c99dc7" dependencies = [ "atty", "bitflags", @@ -237,9 +237,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "3.2.4" +version = "3.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "026baf08b89ffbd332836002ec9378ef0e69648cbfadd68af7cd398ca5bf98f7" +checksum = "c11d40217d16aee8508cc8e5fde8b4ff24639758608e5374e731b53f85749fb9" dependencies = [ "heck", "proc-macro-error", 
@@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "crossbeam-channel" -version = "0.5.4" +version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5aaa7bd5fb665c6864b5f963dd9097905c54125909c7aa94c9e18507cdbe6c53" +checksum = "4c02a4d71819009c192cf4872265391563fd6a84c81ff2c0f2a7026ca4c1d85c" dependencies = [ "cfg-if", "crossbeam-utils", @@ -316,26 +316,26 @@ dependencies = [ [[package]] name = "crossbeam-epoch" -version = "0.9.8" +version = "0.9.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1145cf131a2c6ba0615079ab6a638f7e1973ac9c2634fcbeaaad6114246efe8c" +checksum = "07db9d94cbd326813772c968ccd25999e5f8ae22f4f8d1b11effa37ef6ce281d" dependencies = [ "autocfg", "cfg-if", "crossbeam-utils", - "lazy_static", "memoffset", + "once_cell", "scopeguard", ] [[package]] name = "crossbeam-utils" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0bf124c720b7686e3c2663cf54062ab0f68a88af2fb6a030e87e30bf721fcb38" +checksum = "8ff1f980957787286a554052d03c7aee98d99cc32e09f6d45f0a814133c87978" dependencies = [ "cfg-if", - "lazy_static", + "once_cell", ] [[package]] @@ -643,9 +643,9 @@ dependencies = [ [[package]] name = "git2" -version = "0.13.25" +version = "0.14.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f29229cc1b24c0e6062f6e742aa3e256492a5323365e5ed3413599f8a5eff7d6" +checksum = "d0155506aab710a86160ddb504a480d2964d7ab5b9e62419be69e0032bc5931c" dependencies = [ "bitflags", "libc", 
@@ -662,12 +662,6 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" -[[package]] -name = "hashbrown" -version = "0.11.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab5ef0d4909ef3724cc8cce6ccc8572c5c817592e9285f5464f8e86f8bd3726e" - [[package]] name = "hashbrown" version = "0.12.1" @@ -679,19 +673,19 @@ dependencies = [ [[package]] name = "hayabusa" -version = "1.4.0" +version = "1.4.0-dev" dependencies = [ "base64", "bytesize", "chrono", - "clap 3.2.4", + "clap 3.2.5", "crossbeam-utils", "csv", "downcast-rs", "evtx", "flate2", "git2", - "hashbrown 0.12.1", + "hashbrown", "hex", "hhmmss", "hyper", @@ -825,12 +819,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "1.8.2" +version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6012d540c5baa3589337a98ce73408de9b5a25ec9fc2c6fd6be8f0d39e0ca5a" +checksum = "6c6392766afd7964e2531940894cffe4bd8d7d17dbc3c1c4857040fd4b33bdb3" dependencies = [ "autocfg", - "hashbrown 0.11.2", + "hashbrown", ] [[package]] @@ -920,7 +914,7 @@ dependencies = [ "anyhow", "atty", "chrono", - "clap 3.2.4", + "clap 3.2.5", "file-chunker", "indicatif", "memmap2", @@ -946,9 +940,9 @@ checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836" [[package]] name = "libgit2-sys" -version = "0.12.26+1.3.0" +version = "0.13.4+1.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "19e1c899248e606fbfe68dcb31d8b0176ebab833b103824af31bddf4b7457494" +checksum = "d0fa6563431ede25f5cc7f6d803c6afbc1c5d3ad3d4925d12c882bf2b526f5d1" dependencies = [ "cc", "libc", 
@@ -1320,9 +1314,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.18" +version = "1.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1feb54ed693b93a84e14094943b84b7c4eae204c512b7ccb95ab0c66d278ad1" +checksum = "f53dc8cf16a769a6f677e09e7ff2cd4be1ea0f48754aac39520536962011de0d" dependencies = [ "proc-macro2", ] @@ -1670,9 +1664,9 @@ checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" [[package]] name = "syn" -version = "1.0.96" +version = "1.0.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0748dd251e24453cb8717f0354206b91557e4ec8703673a4b30208f2abaf1ebf" +checksum = "c50aef8a904de4c23c788f104b7dddc7d6f79c647c7c8ce4cc8f73eb0ca773dd" dependencies = [ "proc-macro2", "quote", @@ -1855,9 +1849,9 @@ dependencies = [ [[package]] name = "tower-service" -version = "0.3.1" +version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6" +checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" [[package]] name = "tracing" diff --git a/Cargo.toml b/Cargo.toml index fdb4dcd4..a99e1da3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hayabusa" -version = "1.4.0" +version = "1.4.0-dev" authors = ["Yamato Security @SecurityYamato"] edition = "2021" 
@@ -9,38 +9,38 @@ edition = "2021" [dependencies] clap = { version = "3.*", features = ["derive", "cargo"]} evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git" , rev = "158d496" , features = ["fast-alloc"]} -quick-xml = {version = "0.23.0", features = ["serialize"] } -serde = { version = "1.0.*", features = ["derive"] } +quick-xml = {version = "0.*", features = ["serialize"] } +serde = { version = "1.*", features = ["derive"] } serde_json = { version = "1.0"} -serde_derive = "1.0.*" +serde_derive = "1.*" regex = "1.5.*" csv = "1.1.*" base64 = "*" -flate2 = "1.0.*" -lazy_static = "1.4.0" -chrono = "0.4.19" +flate2 = "1.*" +lazy_static = "1.4.*" +chrono = "0.4.*" yaml-rust = "0.4.*" linked-hash-map = "0.5.*" tokio = { version = "1", features = ["full"] } -num_cpus = "1.13.*" -downcast-rs = "1.2.0" +num_cpus = "1.*" +downcast-rs = "1.*" hhmmss = "*" pbr = "*" hashbrown = "0.12.*" hex = "0.4.*" -git2 = "0.13" +git2 = "0.*" termcolor = "*" -prettytable-rs = "0.8" +prettytable-rs = "0.*" krapslog = "*" terminal_size = "*" -bytesize = "1.1" -hyper = "0.14.19" -lock_api = "0.4.7" -crossbeam-utils = "0.8.8" +bytesize = "1.*" +hyper = "0.14.*" +lock_api = "0.4.*" +crossbeam-utils = "0.8.*" [target.'cfg(windows)'.dependencies] -is_elevated = "0.1.2" -static_vcruntime = "2.0" +is_elevated = "0.1.*" +static_vcruntime = "2.*" [target.'cfg(unix)'.dependencies] #Mac and Linux openssl = { version = "*", features = ["vendored"] } #vendored is needed to compile statically. diff --git a/README-Japanese.md b/README-Japanese.md index 8216e6c8..a5c62b9e 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -165,6 +165,7 @@ CSVのタイムラインをElastic Stackにインポートする方法は[こち * すべてのエンドポイントでの企業全体のスレットハンティング。 * MITRE ATT&CKのヒートマップ生成機能。 +* [Sigma Correlations](https://github.com/SigmaHQ/sigma/wiki/Specification:-Sigma-Correlations)の対応。 # ダウンロード 
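Review bot: Widening 0.x dependencies to a bare `0.*` requirement (`quick-xml`, `git2`, `prettytable-rs`) makes every future 0.y release of those crates eligible, and for 0.x crates a minor bump is a semver-breaking change, so any build that does not use the committed Cargo.lock (a `cargo update`, or a build without `--locked`) can pull in API- and behaviour-changing versions that were never reviewed for this project. The lockfile hunks in this commit pin the current resolution (git2 0.14.4, quick-xml was 0.23.0 before this change), so keeping the minor in the requirement costs nothing: `quick-xml = {version = "0.23.*", features = ["serialize"] }`, `git2 = "0.14.*"`, `prettytable-rs = "0.8.*"`. The `hyper`, `lock_api` and `crossbeam-utils` lines already follow that minor-pinned pattern and are fine as written.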
@@ -321,45 +322,45 @@ macOSの環境設定から「セキュリティとプライバシー」を開き ## コマンドラインオプション -```bash +``` USAGE: hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS] OPTIONS: - --European-time ヨーロッパ形式で日付と時刻を出力する。 (例: 22-02-2022 22:00:00.123 +02:00) - --US-military-time 24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する。 (例: 02-22-2022 22:00:00.123 -06:00) - --US-time アメリカ形式で日付と時刻を出力する。 (例: 02-22-2022 10:00:00.123 PM -06:00) - --all-tags 出力したCSVファイルにルール内のタグ情報を全て出力する。 - -c, --config ルールフォルダのコンフィグディレクトリ (デフォルト: .\rules\config) - --contributors コントリビュータの一覧表示。 - -d, --directory .evtxファイルを持つディレクトリのパス。 - -D, --enable-deprecated-rules Deprecatedルールを有効にする。 - --end-timeline 解析対象とするイベントログの終了時刻。(例: "2022-02-22 23:59:59 +09:00") + --European-time ヨーロッパ形式で日付と時刻を出力する (例: 22-02-2022 22:00:00.123 +02:00) + --RFC-2822 RFC 2822形式で日付と時刻を出力する (例: Fri, 22 Feb 2022 22:00:00 -0600) + --RFC-3339 RFC 3339形式で日付と時刻を出力する (例: 2022-02-22 22:00:00.123456-06:00) + --US-military-time 24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する (例: 02-22-2022 22:00:00.123 -06:00) + --US-time アメリカ形式で日付と時刻を出力する (例: 02-22-2022 10:00:00.123 PM -06:00) + --all-tags 出力したCSVファイルにルール内のタグ情報を全て出力する + -c, --config ルールフォルダのコンフィグディレクトリ (デフォルト: ./rules/config) + --contributors コントリビュータの一覧表示 + -d, --directory .evtxファイルを持つディレクトリのパス + -D, --enable-deprecated-rules Deprecatedルールを有効にする + --end-timeline 解析対象とするイベントログの終了時刻 (例: "2022-02-22 23:59:59 +09:00") -f, --filepath 1つの.evtxファイルに対して解析を行う - -F, --full-data 全てのフィールド情報を出力する。 - -h, --help ヘルプ情報を表示する。 - -l, --live-analysis ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する。(Windowsのみ。管理者権限が必要。) - -L, --logon-summary 成功と失敗したログオン情報の要約を出力する。 - --level-tuning ルールlevelのチューニング。 (デフォルト: .\rules\config\level_tuning.txt) - -m, --min-level 結果出力をするルールの最低レベル。(デフォルト: informational) - -n, --enable-noisy-rules Noisyルールを有効にする。 - --no_color カラー出力を無効にする。 - -o, --output タイムラインをCSV形式で保存する。(例: results.csv) - -p, --pivot-keywords-list ピボットキーワードの一覧作成。 - -q, --quiet Quietモード。起動バナーを表示しない。 - -Q, --quiet-errors Quiet errorsモード。エラーログを保存しない。 
- -r, --rules ルールファイルまたはルールファイルを持つディレクトリ。(デフォルト: .\rules) - -R, --hide-record-id イベントレコードIDを表示しない。 - --rfc-2822 RFC 2822形式で日付と時刻を出力する。(例: Fri, 22 Feb 2022 22:00:00 -0600) - --rfc-3339 RFC 3339形式で日付と時刻を出力する。 (例: 2022-02-22 22:00:00.123456-06:00) - -s, --statistics イベントIDの統計情報を表示する。 - --start-timeline 解析対象とするイベントログの開始時刻。(例: "2020-02-22 00:00:00 +09:00") - -t, --thread-number スレッド数。(デフォルト: パフォーマンスに最適な数値) - -u, --update-rules rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する。 - -U, --UTC UTC形式で日付と時刻を出力する。(デフォルト: 現地時間) - -v, --verbose 詳細な情報を出力する。 - -V, --visualize-timeline イベント頻度タイムラインを出力する。 - --version バージョン情報を表示する。 + -F, --full-data 全てのフィールド情報を出力する + -h, --help ヘルプ情報を表示する + -l, --live-analysis ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する + -L, --logon-summary 成功と失敗したログオン情報の要約を出力する + --level-tuning ルールlevelのチューニング (デフォルト: ./rules/config/level_tuning.txt) + -m, --min-level 結果出力をするルールの最低レベル (デフォルト: informational) + -n, --enable-noisy-rules Noisyルールを有効にする + --no_color カラー出力を無効にする + -o, --output タイムラインをCSV形式で保存する (例: results.csv) + -p, --pivot-keywords-list ピボットキーワードの一覧作成 + -q, --quiet Quietモード: 起動バナーを表示しない + -Q, --quiet-errors Quiet errorsモード: エラーログを保存しない + -r, --rules ルールファイルまたはルールファイルを持つディレクトリ (デフォルト: ./rules) + -R, --hide-record-id イベントレコードIDを表示しない + -s, --statistics イベントIDの統計情報を表示する + --start-timeline 解析対象とするイベントログの開始時刻 (例: "2020-02-22 00:00:00 +09:00") + -t, --thread-number スレッド数 (デフォルト: パフォーマンスに最適な数値) + -u, --update-rules rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する + -U, --UTC UTC形式で日付と時刻を出力する (デフォルト: 現地時間) + -v, --verbose 詳細な情報を出力する + -V, --visualize-timeline イベント頻度タイムラインを出力する + --version バージョン情報を表示する ``` ## 使用例 diff --git a/README.md b/README.md index 77cfc84b..8b637d4b 100644 --- a/README.md +++ b/README.md 
@@ -160,6 +160,7 @@ You can learn how to import CSV files into Elastic Stack [here](doc/ElasticStack * Enterprise-wide hunting on all endpoints. * MITRE ATT&CK heatmap generation. +* Support for [Sigma Correlations](https://github.com/SigmaHQ/sigma/wiki/Specification:-Sigma-Correlations). # Downloads 
@@ -319,42 +320,42 @@ You should now be able to run hayabusa. ## Command Line Options -```bash +``` USAGE: hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS] OPTIONS: - --European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00) - --US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00) - --US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00) + --European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00) + --RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600) + --RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00) + --US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00) + --US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00) --all-tags Output all tags when saving to a CSV file - -c, --config Rule config folder. (Default: .\rules\config) - --contributors Prints the list of contributors + -c, --config Specify custom rule config folder (default: ./rules/config) + --contributors Print the list of contributors -d, --directory Directory of multiple .evtx files -D, --enable-deprecated-rules Enable rules marked as deprecated - --end-timeline End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00") + --end-timeline End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00") -f, --filepath File path to one .evtx file -F, --full-data Print all field information -h, --help Print help information - -l, --live-analysis Analyze the local C:\\Windows\\System32\\winevt\\Logs folder. (Windows Only. Administrator privileges required.) - -L, --logon-summary Successful and failed logons summary - --level-tuning Tune alert levels. (Default: .\rules\config\level_tuning.txt) - -m, --min-level Minimum level for rules. 
(Default: informational) + -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder + -L, --logon-summary Print a summary of successful and failed logons + --level-tuning Tune alert levels (default: ./rules/config/level_tuning.txt) + -m, --min-level Minimum level for rules (default: informational) -n, --enable-noisy-rules Enable rules marked as noisy - --no_color Disable color output - -o, --output Save the timeline in CSV format. (Ex: results.csv) + --no-color Disable color output + -o, --output Save the timeline in CSV format (ex: results.csv) -p, --pivot-keywords-list Create a list of pivot keywords - -q, --quiet Quiet mode. Do not display the launch banner - -Q, --quiet-errors Quiet errors mode. Do not save error logs - -r, --rules Specify rule directory or file. (Default: .\rules) - -R, --hide-record-id Do not display EventRecordID numbers - --rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600) - --rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00) - -s, --statistics Prints statistics of event IDs - --start-timeline Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00") - -t, --thread-number Thread number. (Default: Optimal number for performance.) + -q, --quiet Quiet mode: do not display the launch banner + -Q, --quiet-errors Quiet errors mode: do not save error logs + -r, --rules Specify a rule directory or file (default: ./rules) + -R, --hide-record-ID Do not display EventRecordID numbers + -s, --statistics Print statistics of event IDs + --start-timeline Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00") + -t, --thread-number Thread number (default: optimal number for performance) -u, --update-rules Update to the latest rules in the hayabusa-rules github repository - -U, --UTC Output time in UTC format. 
(Default: local time) + -U, --UTC Output time in UTC format (default: local time) -v, --verbose Output verbose information -V, --visualize-timeline Output event frequency timeline --version Print version information @@ -632,7 +633,7 @@ Please check out the current rules to use as a template in creating new ones or ## Hayabusa v.s. Converted Sigma Rules Sigma rules need to first be converted to hayabusa rule format explained [here](https://github.com/Yamato-Security/hayabusa-rules/blob/main/tools/sigmac/README.md). -Most rules are compatible with the sigma format so you can use them just like sigma rules to convert to other SIEM formats. +Almost all hayabusa rules are compatible with the sigma format so you can use them just like sigma rules to convert to other SIEM formats. Hayabusa rules are designed solely for Windows event log analysis and have the following benefits: 1. An extra `details` field to display additional information taken from only the useful fields in the log. diff --git a/src/detections/configs.rs b/src/detections/configs.rs index b3120ed9..3da13610 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -55,19 +55,19 @@ impl Default for ConfigReader<'_> { term_width = 400 )] pub struct Config { - /// Directory of multiple .evtx files. + /// Directory of multiple .evtx files #[clap(short = 'd', long, value_name = "DIRECTORY")] pub directory: Option, - /// File path to one .evtx file. + /// File path to one .evtx file #[clap(short = 'f', long, value_name = "FILE_PATH")] pub filepath: Option, - /// Print all field information. + /// Print all field information #[clap(short = 'F', long = "full-data")] pub full_data: bool, - /// Specify rule directory or file. (Default: .\rules) + /// Specify a rule directory or file (default: ./rules) #[clap( short = 'r', long, 
@@ -77,7 +77,7 @@ pub struct Config { )] pub rules: PathBuf, - /// Rule config folder. (Default: .\rules\config) + /// Specify custom rule config folder (default: ./rules/config) #[clap( short = 'c', long, @@ -87,39 +87,39 @@ pub struct Config { )] pub config: PathBuf, - /// Save the timeline in CSV format. (Ex: results.csv) + /// Save the timeline in CSV format (ex: results.csv) #[clap(short = 'o', long, value_name = "CSV_TIMELINE")] pub output: Option, - /// Output all tags when saving to a CSV file. + /// Output all tags when saving to a CSV file #[clap(long = "all-tags")] pub all_tags: bool, - /// Do not display EventRecordID numbers. + /// Do not display EventRecordID numbers #[clap(short = 'R', long = "hide-record-id")] pub hide_record_id: bool, - /// Output verbose information. + /// Output verbose information #[clap(short = 'v', long)] pub verbose: bool, - /// Output event frequency timeline. + /// Output event frequency timeline #[clap(short = 'V', long = "visualize-timeline")] pub visualize_timeline: bool, - /// Enable rules marked as deprecated. + /// Enable rules marked as deprecated #[clap(short = 'D', long = "enable-deprecated-rules")] pub enable_deprecated_rules: bool, - /// Enable rules marked as noisy. + /// Enable rules marked as noisy #[clap(short = 'n', long = "enable-noisy-rules")] pub enable_noisy_rules: bool, - /// Update to the latest rules in the hayabusa-rules github repository. + /// Update to the latest rules in the hayabusa-rules github repository #[clap(short = 'u', long = "update-rules")] pub update_rules: bool, - /// Minimum level for rules. (Default: informational) + /// Minimum level for rules (default: informational) #[clap( short = 'm', long = "min-level", 
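Review bot: The `hide_record_id` field keeps `#[clap(short = 'R', long = "hide-record-id")]` unchanged in this hunk, but the README.md hunk in this same commit now documents the option as `-R, --hide-record-ID`; clap long names are matched case-sensitively, so a user copying the README spelling gets an unknown-argument error. Either the README line should read `-R, --hide-record-id`, or, if the capitalised form is intended, the attribute should become `#[clap(short = 'R', long = "hide-record-ID", alias = "hide-record-id")]` so the existing spelling keeps working. The README-Japanese.md hunk uses the lower-case form, which matches the code. The Config struct starts before this hunk.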
@@ -129,59 +129,59 @@ pub struct Config { )] pub min_level: String, - /// Analyze the local C:\\Windows\\System32\\winevt\\Logs folder. (Windows Only. Administrator privileges required.) + /// Analyze the local C:\Windows\System32\winevt\Logs folder #[clap(short = 'l', long = "live-analysis")] pub live_analysis: bool, - /// Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00") + /// Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00") #[clap(long = "start-timeline", value_name = "START_TIMELINE")] pub start_timeline: Option, - /// End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00") + /// End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00") #[clap(long = "end-timeline", value_name = "END_TIMELINE")] pub end_timeline: Option, - /// Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600) - #[clap(long = "rfc-2822")] + /// Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600) + #[clap(long = "RFC-2822")] pub rfc_2822: bool, - /// Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00) - #[clap(long = "rfc-3339")] + /// Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00) + #[clap(long = "RFC-3339")] pub rfc_3339: bool, - /// Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00) + /// Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00) #[clap(long = "US-time")] pub us_time: bool, - /// Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00) + /// Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00) #[clap(long = "US-military-time")] pub us_military_time: bool, - /// Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00) + /// Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00) #[clap(long = "European-time")] pub european_time: bool, - /// Output time in UTC format. 
(Default: local time) + /// Output time in UTC format (default: local time) #[clap(short = 'U', long = "UTC")] pub utc: bool, - /// Disable color output. - #[clap(long = "no_color")] + /// Disable color output + #[clap(long = "no-color")] pub no_color: bool, - /// Thread number. (Default: Optimal number for performance.) + /// Thread number (default: optimal number for performance) #[clap(short, long = "thread-number", value_name = "NUMBER")] pub thread_number: Option, - /// Prints statistics of event IDs. + /// Print statistics of event IDs #[clap(short, long)] pub statistics: bool, - /// Successful and failed logons summary. + /// Print a summary of successful and failed logons #[clap(short = 'L', long = "logon-summary")] pub logon_summary: bool, - /// Tune alert levels. (Default: .\rules\config\level_tuning.txt) + /// Tune alert levels (default: ./rules/config/level_tuning.txt) #[clap( long = "level-tuning", default_value = "./rules/config/level_tuning.txt", @@ -190,19 +190,19 @@ pub struct Config { )] pub level_tuning: PathBuf, - /// Quiet mode. Do not display the launch banner. + /// Quiet mode: do not display the launch banner #[clap(short, long)] pub quiet: bool, - /// Quiet errors mode. Do not save error logs. + /// Quiet errors mode: do not save error logs #[clap(short = 'Q', long = "quiet-errors")] pub quiet_errors: bool, - /// Create a list of pivot keywords. + /// Create a list of pivot keywords #[clap(short = 'p', long = "pivot-keywords-list")] pub pivot_keywords_list: bool, - /// Prints the list of contributors. + /// Print the list of contributors #[clap(long)] pub contributors: bool, }
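Review bot: The long-flag renames in this hunk (`rfc-2822` to `RFC-2822`, `rfc-3339` to `RFC-3339`, `no_color` to `no-color`) reject any existing script or scheduled job that still passes the old spelling, since clap treats the old names as unknown options; keeping the old names as aliases, e.g. `#[clap(long = "RFC-2822", alias = "rfc-2822")]` and likewise for the other two, preserves compatibility at no cost. The README-Japanese.md hunk in this same commit still documents `--no_color`, so it is now out of step with the code. The `live_analysis` doc comment also drops the statement that this mode is Windows-only and needs administrator privileges; Cargo.toml on this page still pulls `is_elevated` under `cfg(windows)`, so that requirement appears to still hold and belongs in the help text, e.g. `/// Analyze the local C:\Windows\System32\winevt\Logs folder (Windows only, administrator privileges required)`. The Config struct starts before this hunk.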