From 9ee89e20d51ed813aed81f8018760bbc5f58084f Mon Sep 17 00:00:00 2001
From: garigariganzy
Date: Thu, 23 Jun 2022 01:20:18 +0900
Subject: [PATCH] WIP:statistics add channel #463

---
 rules | 2 +-
 src/timeline/statistics.rs | 25 ++++++++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/rules b/rules
index 4d5b76a3..8c14d12b 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 4d5b76a37db4b2f225968c71fdce196564857cb7
+Subproject commit 8c14d12be3f2d08721eee6db7238058fdaca3ce6
diff --git a/src/timeline/statistics.rs b/src/timeline/statistics.rs
index 3ae81b9a..d487a0a4 100644
--- a/src/timeline/statistics.rs
+++ b/src/timeline/statistics.rs
@@ -2,6 +2,18 @@ use crate::detections::print::{LOGONSUMMARY_FLAG, STATISTICS_FLAG};
 use crate::detections::{detection::EvtxRecordInfo, utils};
 use hashbrown::HashMap;
 
+#[derive(Debug)]
+pub struct LogEventInfo {
+ pub channel: String,
+ pub eventid: String,
+}
+
+impl LogEventInfo {
+ pub fn new(channel: String, eventid: String) -> LogEventInfo {
+ LogEventInfo { channel, eventid }
+ }
+}
+
 #[derive(Debug)]
 pub struct EventStatistics {
 pub total: usize,
@@ -92,13 +104,20 @@ impl EventStatistics {
 fn stats_eventid(&mut self, records: &[EvtxRecordInfo]) {
 // let mut evtstat_map = HashMap::new();
 for record in records.iter() {
+ let channel = utils::get_event_value("Channel", &record.record);
 let evtid = utils::get_event_value("EventID", &record.record);
+ if channel.is_none() {
+ continue;
+ }
 if evtid.is_none() {
 continue;
 }
-
- let idnum = evtid.unwrap();
- let count: &mut usize = self.stats_list.entry(idnum.to_string()).or_insert(0);
+ let ch = channel.unwrap().to_string();
+ let id = evtid.unwrap().to_string();
+ let chandid = ch + "," + &id;
+ //let logdata = LogEventInfo::new(ch , id);
+ //println!("{:?},{:?}", logdata.channel, logdata.eventid);
+ let count: &mut usize = self.stats_list.entry(chandid).or_insert(0);
 *count += 1;
 }
 // return evtstat_map;
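Review bot: `LogEventInfo` and its `new` constructor are added here but the only references to them in this patch are the commented-out lines in `stats_eventid`, so the hunk introduces dead code that rustc will flag with a `dead_code` warning and whose intent a reader has to guess. If the plan is to key `stats_list` on it instead of a `"channel,eventid"` string, derive what a map key needs — `#[derive(Debug, Clone, PartialEq, Eq, Hash)]` — and give the struct a one-line doc such as `/// Channel and EventID of one evtx record, used as the per-event statistics key.`; otherwise drop it until it is actually used. `new(channel: String, eventid: String)` is acceptable for owned storage, though `impl Into<String>` parameters would let callers pass `&str` without an explicit `to_string()`.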
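Review bot: The new key `ch + "," + &id` is a stringly-typed composite: a Channel value containing a comma — it is read from the record by `get_event_value`, so the log producer controls it — collides with a different channel/ID pair, and any consumer that later splits `stats_list` keys on "," (the printing side is outside this hunk) inherits the ambiguity. Since the commit already defines `LogEventInfo`, keying the map on that struct with `Hash`/`Eq` derived, or on `(String, String)`, avoids the round-trip through a string, at the cost of changing the `stats_list` type declared outside this hunk. The two `is_none()`/`continue` guards followed by `unwrap()` can collapse into one pattern: `let (ch, id) = match (channel, evtid) { (Some(c), Some(i)) => (c.to_string(), i.to_string()), _ => continue };`. The commented-out `LogEventInfo::new` and `println!` debug lines should be removed before this leaves WIP. `stats_eventid`'s body ends outside the hunk.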