Add: default output when no details are defined #606

2022-06-29 20:36:44 +09:00
parent c5feae8bb1
commit 742465164a
1 changed files with 5 additions and 4 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -243,10 +243,11 @@ impl Detection {
        .unwrap_or_default();
        let eid = get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"])
            .unwrap_or_else(|| "-".to_owned());
-        let default_output = DEFAULT_DETAILS
-            .get(&format!("{}_{}", provider, &eid))
-            .unwrap_or(&"-".to_string())
-            .to_string();
+        let default_output =  match DEFAULT_DETAILS
+            .get(&format!("{}_{}", provider, &eid)) {
+                Some(str) => str.to_owned(),
+                None => recinfo.as_ref().unwrap_or(&"-".to_string()).to_string(),
+        };
        let detect_info = DetectInfo {
            filepath: record_info.evtx_filepath.to_string(),
            rulepath: rule.rulepath.to_string(),