display EventRecordID (#549)

* added -R --display-record-id #548 * fixed test data #548 * cargo fmt * added describe of -R --display-record-id option to README #548 * updated changelog #548 * readme update Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
2022-05-27 22:19:40 +09:00
parent 69c41c4859
commit a17d0d4e37
8 changed files with 57 additions and 7 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -9,7 +9,7 @@ use crate::detections::print::MESSAGES;
 use crate::detections::print::PIVOT_KEYWORD_LIST_FLAG;
 use crate::detections::print::QUIET_ERRORS_FLAG;
 use crate::detections::print::STATISTICS_FLAG;
-use crate::detections::print::{CH_CONFIG, TAGS_CONFIG};
+use crate::detections::print::{CH_CONFIG, IS_DISPLAY_RECORD_ID, TAGS_CONFIG};
 use crate::detections::rule;
 use crate::detections::rule::AggResult;
 use crate::detections::rule::RuleNode;
@@ -231,6 +231,14 @@ impl Detection {
            .record_information
            .as_ref()
            .map(|recinfo| recinfo.to_string());
+        let rec_id = if *IS_DISPLAY_RECORD_ID {
+            Some(
+                get_serde_number_to_string(&record_info.record["Event"]["System"]["EventRecordID"])
+                    .unwrap_or_default(),
+            )
+        } else {
+            None
+        };
        let detect_info = DetectInfo {
            filepath: record_info.evtx_filepath.to_string(),
            rulepath: rule.rulepath.to_string(),
@@ -251,6 +259,7 @@ impl Detection {
            detail: String::default(),
            tag_info: tag_info.join(" | "),
            record_information: recinfo,
+            record_id: rec_id,
        };
        MESSAGES.lock().unwrap().insert(
            &record_info.record,
@@ -274,6 +283,11 @@ impl Detection {
        } else {
            Option::None
        };
+        let rec_id = if *IS_DISPLAY_RECORD_ID {
+            Some(String::default())
+        } else {
+            None
+        };
        let detect_info = DetectInfo {
            filepath: "-".to_owned(),
            rulepath: rule.rulepath.to_owned(),
@@ -285,6 +299,7 @@ impl Detection {
            detail: output,
            record_information: rec_info,
            tag_info: tag_info.join(" : "),
+            record_id: rec_id,
        };

        MESSAGES