From c36e4e8e6f9db67a80c5033bc3e173491ade29bb Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sun, 31 Jul 2022 13:30:56 +0900
Subject: [PATCH] fixed rulepath and evtxpath to adjust #625 change #165

---
 README.md | 2 +-
 config/profiles.yaml | 4 ++--
 src/detections/detection.rs | 31 +++++++++++++++++++++++++++----
 test_files/config/profiles.yaml | 4 ++--
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index cf0179ef..6d3e2d7a 100644
--- a/README.md
+++ b/README.md
@@ -508,7 +508,7 @@ When hayabusa output is being displayed to the screen (the default), it can disp
 * `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the fields in event logs. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). If the `details` field is not specified (i.e. sigma rules), default `details` messages to extract fields defined in `./rules/config/default_details.txt` will be outputted. You can add more default `details` messages by adding the `Provider Name`, `EventID` and `details` message you want to output in `default_details.txt`. When no `details` field is defined in a rule nor in `default_details.txt`, all fields will be outputted to the `details` column.
 * `MitreAttack`: MITRE ATT&CK tactics.
 * `RuleFile`: The filename of the detection rule that generated the alert or event.
-* `EvtxFile`: The path to the evtx file that caused the alert or event.
+* `EvtxFile`: The evtx filename that caused the alert or event.
 * `RecordInformation`: All field information.
 
 ## Output customize by profile
diff --git a/config/profiles.yaml b/config/profiles.yaml
index 3a5103d0..78348ee2 100644
--- a/config/profiles.yaml
+++ b/config/profiles.yaml
@@ -28,8 +28,8 @@ verbose-1:
 RecordID: "%RecordID%"
 RuleTitle: "%RuleTitle%"
 Details: "%Details%"
- RulePath: "%RulePath%"
- FilePath: "%FilePath%"
+ RuleFile: "%RuleFile%"
+ EvtxFile: "%EvtxFile%"
 
 verbose-2:
 Timestamp: "%Timestamp%"
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index c8505e2e..67beeb5e 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -299,11 +299,26 @@ impl Detection {
 );
 }
 "%RuleFile%" => {
- profile_converter.insert(format!("%{}%", k), (&rule.rulepath).to_owned());
+ profile_converter.insert(
+ format!("%{}%", k),
+ Path::new(&rule.rulepath)
+ .file_name()
+ .unwrap_or_default()
+ .to_str()
+ .unwrap_or_default()
+ .to_string(),
+ );
 }
 "%EvtxFile%" => {
- profile_converter
- .insert(format!("%{}%", k), record_info.evtx_filepath.to_string());
+ profile_converter.insert(
+ format!("%{}%", k),
+ Path::new(&record_info.evtx_filepath)
+ .file_name()
+ .unwrap_or_default()
+ .to_str()
+ .unwrap_or_default()
+ .to_string(),
+ );
 }
 _ => {}
 }
@@ -388,7 +403,15 @@ impl Detection {
 profile_converter.insert(format!("%{}%", k), "-".to_owned());
 }
 "%RuleFile%" => {
- profile_converter.insert(format!("%{}%", k), (&rule.rulepath).to_owned());
+ profile_converter.insert(
+ format!("%{}%", k),
+ Path::new(&rule.rulepath)
+ .file_name()
+ .unwrap_or_default()
+ .to_str()
+ .unwrap_or_default()
+ .to_string(),
+ );
 }
 "%EvtxFile%" => {
 profile_converter.insert(format!("%{}%", k), "-".to_owned());
diff --git a/test_files/config/profiles.yaml b/test_files/config/profiles.yaml
index 3a5103d0..78348ee2 100644
--- a/test_files/config/profiles.yaml
+++ b/test_files/config/profiles.yaml
@@ -28,8 +28,8 @@ verbose-1:
 RecordID: "%RecordID%"
 RuleTitle: "%RuleTitle%"
 Details: "%Details%"
- RulePath: "%RulePath%"
- FilePath: "%FilePath%"
+ RuleFile: "%RuleFile%"
+ EvtxFile: "%EvtxFile%"
 
 verbose-2:
 Timestamp: "%Timestamp%"
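Review bot: The seven-line `Path::new(..).file_name().unwrap_or_default().to_str().unwrap_or_default().to_string()` chain is pasted three times (both arms of the `@@ -299,11 +299,26 @@` hunk and the `%RuleFile%` arm of the `@@ -388,7 +403,15 @@` hunk), and `.to_str().unwrap_or_default()` turns a non-UTF-8 file name into an empty string, so the `RuleFile`/`EvtxFile` columns that tie an alert back to its source rule and log would silently go blank for such paths. A small helper using `to_string_lossy()` keeps the basename readable in that case and gives the three call sites one place to maintain; `file_name()` returning `None` (a path ending in `..`) still yields an empty string, which the helper's doc comment should state. The call sites then shrink to `profile_converter.insert(format!("%{}%", k), file_name_of(&rule.rulepath));` and the same with `file_name_of(&record_info.evtx_filepath)`. The enclosing function and `match` start and end outside the hunk, so the helper would go beside the `impl Detection` block where `Path` is already in scope.
```rust
/// Final path component of `path` as an owned String, for the
/// `RuleFile`/`EvtxFile` profile columns. Non-UTF-8 names are rendered
/// lossily rather than dropped; a path with no final component (e.g. one
/// ending in `..`) yields an empty string.
fn file_name_of(path: impl AsRef<Path>) -> String {
    path.as_ref()
        .file_name()
        .map(|name| name.to_string_lossy().into_owned())
        .unwrap_or_default()
}

// … unchanged: earlier match arms …
"%RuleFile%" => {
    profile_converter.insert(format!("%{}%", k), file_name_of(&rule.rulepath));
}
"%EvtxFile%" => {
    profile_converter.insert(
        format!("%{}%", k),
        file_name_of(&record_info.evtx_filepath),
    );
}
// … unchanged: `_ => {}` arm …
```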