diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 9a3417d2..c6d8682e 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -6,7 +6,7 @@ use crate::detections::print::AlertMessage;
 use crate::detections::print::DetectInfo;
 use crate::detections::print::ERROR_LOG_STACK;
 use crate::detections::print::MESSAGES;
-use crate::detections::print::{CH_CONFIG, IS_HIDE_RECORD_ID, TAGS_CONFIG};
+use crate::detections::print::{CH_CONFIG, IS_HIDE_RECORD_ID, TAGS_CONFIG, DEFAULT_DETAILS};
 use crate::detections::print::{
 LOGONSUMMARY_FLAG, PIVOT_KEYWORD_LIST_FLAG, QUIET_ERRORS_FLAG, STATISTICS_FLAG,
 };
@@ -236,6 +236,8 @@ impl Detection {
 };
 let ch_str = &get_serde_number_to_string(&record_info.record["Event"]["System"]["Channel"])
 .unwrap_or_default();
+ let eid = get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]).unwrap_or_else(|| "-".to_owned());
+ let default_output = DEFAULT_DETAILS.get(&format!("{}_{}",ch_str, &eid)).unwrap_or(&"-".to_string()).to_string();
 let detect_info = DetectInfo {
 filepath: record_info.evtx_filepath.to_string(),
 rulepath: rule.rulepath.to_string(),
@@ -243,8 +245,7 @@ impl Detection {
 computername: record_info.record["Event"]["System"]["Computer"]
 .to_string()
 .replace('\"', ""),
- eventid: get_serde_number_to_string(&record_info.record["Event"]["System"]["EventID"]) .unwrap_or_else(|| "-".to_owned()),
+ eventid: eid,
 channel: CH_CONFIG.get(ch_str).unwrap_or(ch_str).to_string(),
 alert: rule.yaml["title"].as_str().unwrap_or("").to_string(),
 detail: String::default(),
@@ -254,7 +255,7 @@ impl Detection {
 };
 MESSAGES.lock().unwrap().insert(
 &record_info.record,
- rule.yaml["details"].as_str().unwrap_or("").to_string(),
+ rule.yaml["details"].as_str().unwrap_or(&default_output).to_string(),
 detect_info,
 );
 }
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 4733b3c9..9bd9c221 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
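Review bot: `default_output` on the second added line of the `@@ -236` hunk is computed for every record — a `format!`, a map lookup, a `"-".to_string()` allocated even when the lookup succeeds, and a trailing `.to_string()` — although it is only consumed when `rule.yaml["details"]` is absent (the `unwrap_or(&default_output)` in the `@@ -254` hunk). Keep it as a borrow so the fallback stays cheap: `let default_output = DEFAULT_DETAILS.get(&format!("{}_{}", ch_str, eid)).map_or("-", String::as_str);` with `.unwrap_or(default_output)` at the later hunk; this should type-check because the map is a static, though I have not compiled it. Separately, the key is built here from the record's `Channel`, while `get_default_details` in print.rs names its first CSV column `provider`; if `default_details.txt` lists provider names rather than channel names the lookup never matches and every rule without `details` silently falls back to "-", so one side should be renamed or the expected column documented. The enclosing method of `impl Detection` starts before and ends after these hunks.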
@@ -65,6 +65,7 @@ lazy_static! {
 pub static ref PIVOT_KEYWORD_LIST_FLAG: bool = configs::CONFIG.read().unwrap().args.pivot_keywords_list;
 pub static ref IS_HIDE_RECORD_ID: bool = configs::CONFIG.read().unwrap().args.hide_record_id;
+ pub static ref DEFAULT_DETAILS: HashMap = Message::get_default_details();
 }
 impl Default for Message {
@@ -224,6 +225,42 @@ impl Message {
 pub fn clear(&mut self) {
 self.map.clear();
 }
+
+ /// detailsのdefault値をファイルから読み取る関数
+ pub fn get_default_details() -> HashMap {
+ let read_result = utils::read_csv(&format!("{}/default_details.txt", configs::CONFIG.read().unwrap().args.config.as_path().display()));
+ match read_result {
+ Err(_e) => {
+ AlertMessage::alert(&_e).ok();
+ HashMap::new()
+ },
+ Ok(lines) => {
+ let mut ret:HashMap = HashMap::new();
+ lines.into_iter().try_for_each(|line| -> Result<(), String> {
+ let provider = match line.get(0) {
+ Some(_provider) => _provider.trim(),
+ _ => return Result::Err("Failed to read provider in default_details.txt.".to_string())
+ };
+ let eid = match line.get(1) {
+ Some(eid_str) => {
+ match eid_str.trim().parse::() {
+ Ok(_eid) => _eid,
+ _ => return Result::Err("Parse Error EventID in default_details.txt.".to_string())
+ }
+ },
+ _ => return Result::Err("Failed to read EventID in default_details.txt.".to_string())
+ };
+ let details = match line.get(2) {
+ Some(detail) => detail.trim(),
+ _ => return Result::Err("Failed to read details in default_details.txt.".to_string())
+ };
+ ret.insert(format!("{}_{}", provider, eid), details.to_string());
+ Ok(())
+ }).ok();
+ ret
+ }
+ }
+ }
 }
 impl AlertMessage {
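Review bot: The `.ok()` on `}).ok();` discards the `Result` of `try_for_each`, so the first malformed row in `default_details.txt` (a short row or a non-numeric EventID) stops the loop, every row after it is silently dropped, and the three error strings the closure builds are never shown. Report it the way the `Err(_e)` arm above already does, e.g. replace `}).ok();` with `}).unwrap_or_else(|e| { AlertMessage::alert(&e).ok(); });` — assuming `AlertMessage::alert` accepts the `String` the closure returns, as its use on `_e` suggests — or, if a partially valid file should still load, iterate with a plain `for` loop, alert on the bad row and `continue`. Since these entries presumably become the `details` text for every rule that omits `details`, a silently truncated table changes alert output with no warning, which is worth surfacing. Smaller points: `_e`, `_provider` and `_eid` are underscore-prefixed but used (drop the prefix), `line.get(0)` is `line.first()`, and `Result::Err(..)` is just `Err(..)`.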