CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixed rulepath and evtxpath to adjust #625 change #165

Browse Source
This commit is contained in:
DastInDark
2022-07-31 13:30:56 +09:00
parent 3a8b58d048
commit c36e4e8e6f
4 changed files with 32 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -508,7 +508,7 @@ When hayabusa output is being displayed to the screen (the default), it can disp
* `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the fields in event logs. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). If the `details` field is not specified (i.e. sigma rules), default `details` messages to extract fields defined in `./rules/config/default_details.txt` will be outputted. You can add more default `details` messages by adding the `Provider Name`, `EventID` and `details` message you want to output in `default_details.txt`. When no `details` field is defined in a rule nor in `default_details.txt`, all fields will be outputted to the `details` column. * `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the fields in event logs. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). If the `details` field is not specified (i.e. sigma rules), default `details` messages to extract fields defined in `./rules/config/default_details.txt` will be outputted. You can add more default `details` messages by adding the `Provider Name`, `EventID` and `details` message you want to output in `default_details.txt`. When no `details` field is defined in a rule nor in `default_details.txt`, all fields will be outputted to the `details` column.
* `MitreAttack`: MITRE ATT&CK tactics. * `MitreAttack`: MITRE ATT&CK tactics.
* `RuleFile`: The filename of the detection rule that generated the alert or event. * `RuleFile`: The filename of the detection rule that generated the alert or event.
* `EvtxFile`: The path to the evtx file that caused the alert or event. * `EvtxFile`: The evtx filename that caused the alert or event.
* `RecordInformation`: All field information. * `RecordInformation`: All field information.
## Output customize by profile ## Output customize by profile

4
config/profiles.yaml
View File

@@ -28,8 +28,8 @@ verbose-1:
RecordID: "%RecordID%" RecordID: "%RecordID%"
RuleTitle: "%RuleTitle%" RuleTitle: "%RuleTitle%"
Details: "%Details%" Details: "%Details%"
RulePath: "%RulePath%" RuleFile: "%RuleFile%"
FilePath: "%FilePath%" EvtxFile: "%EvtxFile%"
verbose-2: verbose-2:
Timestamp: "%Timestamp%" Timestamp: "%Timestamp%"

31
src/detections/detection.rs
View File

@@ -299,11 +299,26 @@ impl Detection {
); );
} }
"%RuleFile%" => { "%RuleFile%" => {
profile_converter.insert(format!("%{}%", k), (&rule.rulepath).to_owned()); profile_converter.insert(
format!("%{}%", k),
Path::new(&rule.rulepath)
.file_name()
.unwrap_or_default()
.to_str()
.unwrap_or_default()
.to_string(),
);
} }
"%EvtxFile%" => { "%EvtxFile%" => {
profile_converter profile_converter.insert(
.insert(format!("%{}%", k), record_info.evtx_filepath.to_string()); format!("%{}%", k),
Path::new(&record_info.evtx_filepath)
.file_name()
.unwrap_or_default()
.to_str()
.unwrap_or_default()
.to_string(),
);
} }
_ => {} _ => {}
} }
@@ -388,7 +403,15 @@ impl Detection {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert(format!("%{}%", k), "-".to_owned());
} }
"%RuleFile%" => { "%RuleFile%" => {
profile_converter.insert(format!("%{}%", k), (&rule.rulepath).to_owned()); profile_converter.insert(
format!("%{}%", k),
Path::new(&rule.rulepath)
.file_name()
.unwrap_or_default()
.to_str()
.unwrap_or_default()
.to_string(),
);
} }
"%EvtxFile%" => { "%EvtxFile%" => {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert(format!("%{}%", k), "-".to_owned());

4
test_files/config/profiles.yaml
View File

@@ -28,8 +28,8 @@ verbose-1:
RecordID: "%RecordID%" RecordID: "%RecordID%"
RuleTitle: "%RuleTitle%" RuleTitle: "%RuleTitle%"
Details: "%Details%" Details: "%Details%"
RulePath: "%RulePath%" RuleFile: "%RuleFile%"
FilePath: "%FilePath%" EvtxFile: "%EvtxFile%"
verbose-2: verbose-2:
Timestamp: "%Timestamp%" Timestamp: "%Timestamp%"