From 3e1c4a2942bb114b396fdd65f5eb5f3afa3afa96 Mon Sep 17 00:00:00 2001
From: ichiichi11
Date: Thu, 25 Feb 2021 23:04:12 +0900
Subject: [PATCH 1/4] fix issue#57
---
 src/detections/detection.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index d67eb96c..7cf59828 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -5,7 +5,7 @@ use crate::detections::rule;
 use crate::detections::rule::RuleNode;
 use crate::yaml::ParseYaml;
 use evtx::err;
-use evtx::{EvtxParser, SerializedEvtxRecord};
+use evtx::{EvtxParser, SerializedEvtxRecord, ParserSettings};
 use serde_json::{Error, Value};
 use std::path::PathBuf;
@@ -66,6 +66,9 @@ impl Detection {
 }
 })
 .map(|mut cur| {
+ let mut parse_config = ParserSettings::default();
+ parse_config = parse_config.separate_json_attributes(true);
+ cur = cur.with_configuration(parse_config);
 let ret: Vec>> = cur.records_json().collect();
 return ret;
From af2331e6ad0678840bc0f35d6cd492a6c9f1fb0d Mon Sep 17 00:00:00 2001
From: ichiichi11
Date: Thu, 25 Feb 2021 23:23:43 +0900
Subject: [PATCH 2/4] format
---
 src/detections/detection.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 7cf59828..8976bfe5 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -5,7 +5,7 @@ use crate::detections::rule;
 use crate::detections::rule::RuleNode;
 use crate::yaml::ParseYaml;
 use evtx::err;
-use evtx::{EvtxParser, SerializedEvtxRecord, ParserSettings};
+use evtx::{EvtxParser, ParserSettings, SerializedEvtxRecord};
 use serde_json::{Error, Value};
 use std::path::PathBuf;
From 185acd83cd9f9d220c5f392bb85c2bcf5fa920e0 Mon Sep 17 00:00:00 2001
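Review bot: `separate_json_attributes(true)` on the added `parse_config` line changes the JSON shape of every record the parser emits — each `#attributes` map becomes a sibling `<Name>_attributes` key — yet nothing in the hunk documents that, and any rule or field lookup outside this closure that still addresses `TimeCreated.#attributes` (or `EventData` attributes) would stop matching silently, which for a detection tool means lost alerts rather than an error. I would add a comment above the `ParserSettings` line: `// separate_json_attributes(true): XML attributes land under "<Name>_attributes" instead of a nested "#attributes" map; get_event_time() and any rule field paths must use that shape.` The three added lines can also be one builder expression, `cur = cur.with_configuration(ParserSettings::default().separate_json_attributes(true));`, which drops the `mut` rebinding. The closure and the enclosing function both start and end outside the hunk, so how the returned `Vec` is consumed was not reviewed.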
From: ichiichi11
Date: Fri, 26 Feb 2021 20:37:24 +0900
Subject: [PATCH 3/4] =?UTF-8?q?issue57=E3=81=AB=E4=BC=B4=E3=81=86=E3=83=87?= =?UTF-8?q?=E3=82=B0=E3=83=AC=E3=81=AE=E4=BF=AE=E6=AD=A3=E3=80=82=E6=A4=9C?= =?UTF-8?q?=E7=9F=A5=E3=81=97=E3=81=9F=E3=83=AD=E3=82=B0=E3=81=AE=E6=99=82?= =?UTF-8?q?=E9=96=93=E3=81=8C=E5=8F=96=E5=BE=97=E3=81=A7=E3=81=8D=E3=81=AA?= =?UTF-8?q?=E3=81=8F=E3=81=AA=E3=81=A3=E3=81=9F=E5=95=8F=E9=A1=8C=E3=81=AE?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/detections/print.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 5bfc235d..211b039a 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -120,8 +120,7 @@ impl Message {
 }
 fn get_event_time(event_record: &Value) -> Option> {
- let system_time =
- &event_record["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"];
+ let system_time = &event_record["Event"]["System"]["TimeCreated_attributes"]["SystemTime"];
 let system_time_str = system_time.as_str().unwrap_or("");
 if system_time_str.is_empty() {
 return Option::None;
From 4f42e21529956843bed24dace3976422d485862b Mon Sep 17 00:00:00 2001
From: ichiichi11
Date: Fri, 26 Feb 2021 20:44:55 +0900
Subject: [PATCH 4/4] =?UTF-8?q?testcase=20=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/afterfact.rs | 6 ++----
 src/detections/print.rs | 18 ++++++------------
 2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index ddfd183a..51c49bb3 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -85,10 +85,8 @@ fn test_emit_csv() {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "1996-02-27T01:05:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "1996-02-27T01:05:01Z"
 }
 }
 }
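Review bot: The new lookup on the `+ let system_time` line hard-wires the `TimeCreated_attributes` shape that only exists when the parser is built with `separate_json_attributes(true)`; a record still in the nested `TimeCreated.#attributes` form now falls through `unwrap_or("")` into the `is_empty()` branch and the event is reported with no timestamp, with nothing logged to say why. Since the timestamp is what an analyst uses to place a detection on a timeline, I would accept both shapes before giving up and state the dependency on the parser setting in a comment, as below. `get_event_time` continues past the end of the hunk, so the remainder of the parsing path was not reviewed.
```rust
    let system = &event_record["Event"]["System"];
    // Prefer the flattened form the parser emits with separate_json_attributes(true);
    // fall back to the nested "#attributes" form so a record from a differently
    // configured parser still carries a timestamp instead of silently losing it.
    let system_time = match &system["TimeCreated_attributes"]["SystemTime"] {
        Value::Null => &system["TimeCreated"]["#attributes"]["SystemTime"],
        found => found,
    };
    // … unchanged: as_str()/is_empty() check and the parse that follows …
```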
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 211b039a..0f570e30 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -156,10 +156,8 @@ mod tests {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "1996-02-27T01:05:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "1996-02-27T01:05:01Z"
 }
 }
 }
@@ -179,10 +177,8 @@ mod tests {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "1996-02-27T01:05:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "1996-02-27T01:05:01Z"
 }
 }
 }
@@ -202,10 +198,8 @@ mod tests {
 "CommandLine": "hoge"
 },
 "System": {
- "TimeCreated": {
- "#attributes":{
- "SystemTime": "2000-01-21T09:06:01Z"
- }
+ "TimeCreated_attributes": {
+ "SystemTime": "2000-01-21T09:06:01Z"
 }
 }
 }
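Review bot: All three rewritten fixtures carry a well-formed `TimeCreated_attributes.SystemTime`, so the path `get_event_time` takes on an event without it (the `Option::None` return) is not pinned by anything in these hunks; unless such a case exists outside them, one fixture with `"System": {}` — or with the legacy nested `TimeCreated.#attributes` shape — would catch a silent regression of the timestamp lookup. The test function names and assertions lie outside the hunks, so I cannot tell which fixture feeds which assertion. The `mod tests` block continues beyond the last hunk.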