Merge pull request #59 from YamatoSecurity/feature/issue#57
Feature/issue#57
@@ -85,10 +85,8 @@ fn test_emit_csv() {
|
|||||||
"CommandLine": "hoge"
|
"CommandLine": "hoge"
|
||||||
},
|
},
|
||||||
"System": {
|
"System": {
|
||||||
"TimeCreated": {
|
"TimeCreated_attributes": {
|
||||||
"#attributes":{
|
"SystemTime": "1996-02-27T01:05:01Z"
|
||||||
"SystemTime": "1996-02-27T01:05:01Z"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,7 +5,7 @@ use crate::detections::rule;
|
|||||||
use crate::detections::rule::RuleNode;
|
use crate::detections::rule::RuleNode;
|
||||||
use crate::yaml::ParseYaml;
|
use crate::yaml::ParseYaml;
|
||||||
use evtx::err;
|
use evtx::err;
|
||||||
use evtx::{EvtxParser, SerializedEvtxRecord};
|
use evtx::{EvtxParser, ParserSettings, SerializedEvtxRecord};
|
||||||
use serde_json::{Error, Value};
|
use serde_json::{Error, Value};
|
||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
|
|
||||||
@@ -66,6 +66,9 @@ impl Detection {
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
.map(|mut cur| {
|
.map(|mut cur| {
|
||||||
|
let mut parse_config = ParserSettings::default();
|
||||||
|
parse_config = parse_config.separate_json_attributes(true);
|
||||||
|
cur = cur.with_configuration(parse_config);
|
||||||
let ret: Vec<err::Result<SerializedEvtxRecord<String>>> =
|
let ret: Vec<err::Result<SerializedEvtxRecord<String>>> =
|
||||||
cur.records_json().collect();
|
cur.records_json().collect();
|
||||||
return ret;
|
return ret;
|
||||||
|
|||||||
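Review bot: The parser settings in the new lines are built through a needless mutable rebinding — `let mut parse_config = ParserSettings::default(); parse_config = parse_config.separate_json_attributes(true);` — where the builder form `let parse_config = ParserSettings::default().separate_json_attributes(true);` reads as the API intends and `cur = cur.with_configuration(parse_config);` can stay as is. More importantly, `separate_json_attributes(true)` changes the JSON key layout that every downstream field lookup depends on (attributes move into `<element>_attributes` keys instead of `#attributes`), and nothing in the hunk records that coupling; a comment such as `// separate_json_attributes(true): XML attributes land under "<elem>_attributes" keys — the key paths used by Message/rule matching assume this layout` would keep it visible to whoever next touches the settings. The settings are also rebuilt inside the per-parser closure for every file, which is harmless but could be hoisted. The enclosing function starts and ends outside the hunk.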
@@ -120,8 +120,7 @@ impl Message {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn get_event_time(event_record: &Value) -> Option<DateTime<Utc>> {
|
fn get_event_time(event_record: &Value) -> Option<DateTime<Utc>> {
|
||||||
let system_time =
|
let system_time = &event_record["Event"]["System"]["TimeCreated_attributes"]["SystemTime"];
|
||||||
&event_record["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"];
|
|
||||||
let system_time_str = system_time.as_str().unwrap_or("");
|
let system_time_str = system_time.as_str().unwrap_or("");
|
||||||
if system_time_str.is_empty() {
|
if system_time_str.is_empty() {
|
||||||
return Option::None;
|
return Option::None;
|
||||||
@@ -157,10 +156,8 @@ mod tests {
|
|||||||
"CommandLine": "hoge"
|
"CommandLine": "hoge"
|
||||||
},
|
},
|
||||||
"System": {
|
"System": {
|
||||||
"TimeCreated": {
|
"TimeCreated_attributes": {
|
||||||
"#attributes":{
|
"SystemTime": "1996-02-27T01:05:01Z"
|
||||||
"SystemTime": "1996-02-27T01:05:01Z"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -180,10 +177,8 @@ mod tests {
|
|||||||
"CommandLine": "hoge"
|
"CommandLine": "hoge"
|
||||||
},
|
},
|
||||||
"System": {
|
"System": {
|
||||||
"TimeCreated": {
|
"TimeCreated_attributes": {
|
||||||
"#attributes":{
|
"SystemTime": "1996-02-27T01:05:01Z"
|
||||||
"SystemTime": "1996-02-27T01:05:01Z"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -203,10 +198,8 @@ mod tests {
|
|||||||
"CommandLine": "hoge"
|
"CommandLine": "hoge"
|
||||||
},
|
},
|
||||||
"System": {
|
"System": {
|
||||||
"TimeCreated": {
|
"TimeCreated_attributes": {
|
||||||
"#attributes":{
|
"SystemTime": "2000-01-21T09:06:01Z"
|
||||||
"SystemTime": "2000-01-21T09:06:01Z"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||