display EventRecordID (#549)

* added -R --display-record-id #548

* fixed test data #548

* cargo fmt

* added describe of -R --display-record-id option to README #548

* updated changelog #548

* readme update

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

src/detections/configs.rs

@@ -77,6 +77,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
     -C --config=[RULECONFIGDIRECTORY] 'Rule config folder. (Default: ./rules/config)'
     -o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)'
     --all-tags 'Output all tags when saving to a CSV file.'
+    -R --display-record-id 'Display EventRecordID.'
     -v --verbose 'Output verbose information.'
     -D --enable-deprecated-rules 'Enable rules marked as deprecated.'
     -n --enable-noisy-rules 'Enable rules marked as noisy.'

src/detections/detection.rs

@@ -9,7 +9,7 @@ use crate::detections::print::MESSAGES;
 use crate::detections::print::PIVOT_KEYWORD_LIST_FLAG;
 use crate::detections::print::QUIET_ERRORS_FLAG;
 use crate::detections::print::STATISTICS_FLAG;
-use crate::detections::print::{CH_CONFIG, TAGS_CONFIG};
+use crate::detections::print::{CH_CONFIG, IS_DISPLAY_RECORD_ID, TAGS_CONFIG};
 use crate::detections::rule;
 use crate::detections::rule::AggResult;
 use crate::detections::rule::RuleNode;
@@ -231,6 +231,14 @@ impl Detection {
             .record_information
             .as_ref()
             .map(|recinfo| recinfo.to_string());
+        let rec_id = if *IS_DISPLAY_RECORD_ID {
+            Some(
+                get_serde_number_to_string(&record_info.record["Event"]["System"]["EventRecordID"])
+                    .unwrap_or_default(),
+            )
+        } else {
+            None
+        };
         let detect_info = DetectInfo {
             filepath: record_info.evtx_filepath.to_string(),
             rulepath: rule.rulepath.to_string(),
@@ -251,6 +259,7 @@ impl Detection {
             detail: String::default(),
             tag_info: tag_info.join(" | "),
             record_information: recinfo,
+            record_id: rec_id,
         };
         MESSAGES.lock().unwrap().insert(
             &record_info.record,
@@ -274,6 +283,11 @@ impl Detection {
         } else {
             Option::None
         };
+        let rec_id = if *IS_DISPLAY_RECORD_ID {
+            Some(String::default())
+        } else {
+            None
+        };
         let detect_info = DetectInfo {
             filepath: "-".to_owned(),
             rulepath: rule.rulepath.to_owned(),
@@ -285,6 +299,7 @@ impl Detection {
             detail: output,
             record_information: rec_info,
             tag_info: tag_info.join(" : "),
+            record_id: rec_id,
         };
 
         MESSAGES

src/detections/print.rs

@@ -33,6 +33,7 @@ pub struct DetectInfo {
     pub detail: String,
     pub tag_info: String,
     pub record_information: Option<String>,
+    pub record_id: Option<String>,
 }
 
 pub struct AlertMessage {}
@@ -75,6 +76,11 @@ lazy_static! {
         .unwrap()
         .args
         .is_present("pivot-keywords-list");
+    pub static ref IS_DISPLAY_RECORD_ID: bool = configs::CONFIG
+        .read()
+        .unwrap()
+        .args
+        .is_present("display-record-id");
 }
 
 impl Default for Message {
@@ -309,6 +315,7 @@ mod tests {
                 detail: String::default(),
                 tag_info: "txxx.001".to_string(),
                 record_information: Option::Some("record_information1".to_string()),
+                record_id: Option::Some("11111".to_string()),
             },
         );
 
@@ -341,6 +348,7 @@ mod tests {
                 detail: String::default(),
                 tag_info: "txxx.002".to_string(),
                 record_information: Option::Some("record_information2".to_string()),
+                record_id: Option::Some("22222".to_string()),
             },
         );
 
@@ -373,6 +381,7 @@ mod tests {
                 detail: String::default(),
                 tag_info: "txxx.003".to_string(),
                 record_information: Option::Some("record_information3".to_string()),
+                record_id: Option::Some("33333".to_string()),
             },
         );
 
@@ -400,12 +409,13 @@ mod tests {
                 detail: String::default(),
                 tag_info: "txxx.004".to_string(),
                 record_information: Option::Some("record_information4".to_string()),
+                record_id: Option::None,
             },
         );
 
         let display = format!("{}", format_args!("{:?}", message));
         println!("display::::{}", display);
-        let expect = "Message { map: {1970-01-01T00:00:00Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule4\", level: \"medium\", computername: \"testcomputer4\", eventid: \"4\", channel: \"\", alert: \"test4\", detail: \"CommandLine4: hoge\", tag_info: \"txxx.004\", record_information: Some(\"record_information4\") }], 1996-02-27T01:05:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule\", level: \"high\", computername: \"testcomputer1\", eventid: \"1\", channel: \"\", alert: \"test1\", detail: \"CommandLine1: hoge\", tag_info: \"txxx.001\", record_information: Some(\"record_information1\") }, DetectInfo { filepath: \"a\", rulepath: \"test_rule2\", level: \"high\", computername: \"testcomputer2\", eventid: \"2\", channel: \"\", alert: \"test2\", detail: \"CommandLine2: hoge\", tag_info: \"txxx.002\", record_information: Some(\"record_information2\") }], 2000-01-21T09:06:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule3\", level: \"high\", computername: \"testcomputer3\", eventid: \"3\", channel: \"\", alert: \"test3\", detail: \"CommandLine3: hoge\", tag_info: \"txxx.003\", record_information: Some(\"record_information3\") }]} }";
+        let expect = "Message { map: {1970-01-01T00:00:00Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule4\", level: \"medium\", computername: \"testcomputer4\", eventid: \"4\", channel: \"\", alert: \"test4\", detail: \"CommandLine4: hoge\", tag_info: \"txxx.004\", record_information: Some(\"record_information4\"), record_id: None }], 1996-02-27T01:05:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule\", level: \"high\", computername: \"testcomputer1\", eventid: \"1\", channel: \"\", alert: \"test1\", detail: \"CommandLine1: hoge\", tag_info: \"txxx.001\", record_information: Some(\"record_information1\"), record_id: Some(\"11111\") }, DetectInfo { filepath: \"a\", rulepath: \"test_rule2\", level: \"high\", computername: \"testcomputer2\", eventid: \"2\", channel: \"\", alert: \"test2\", detail: \"CommandLine2: hoge\", tag_info: \"txxx.002\", record_information: Some(\"record_information2\"), record_id: Some(\"22222\") }], 2000-01-21T09:06:01Z: [DetectInfo { filepath: \"a\", rulepath: \"test_rule3\", level: \"high\", computername: \"testcomputer3\", eventid: \"3\", channel: \"\", alert: \"test3\", detail: \"CommandLine3: hoge\", tag_info: \"txxx.003\", record_information: Some(\"record_information3\"), record_id: Some(\"33333\") }]} }";
         assert_eq!(display, expect);
     }