From cdfdd62a5c167ca98f53933f4dc77e49d386db62 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Wed, 28 Sep 2022 22:48:52 +0900
Subject: [PATCH] Unified output one table with -s and -d option #707

- 1. [x] Unified output one table with -s and -d option
- 2. [] add channel column to table output
- 3. [] Remove First Timestamp and Last Timestamp with -d option
- 4. [] Output csv with -o and -s option
- 5. [x] Separete two column Count and Percent
- 6. [x] change table format output crate from prettytable-rs to comfy_table.
---
 src/main.rs | 20 ++++++++++++--------
 src/timeline/metrics.rs | 2 +-
 src/timeline/timelines.rs | 2 +-
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index b08f2659..c50d3fa9 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -656,15 +656,22 @@ impl App {
         self.rule_keys = self.get_all_keys(&rule_files);
         let mut detection = detection::Detection::new(rule_files);
         let mut total_records: usize = 0;
+        let mut tl = Timeline::new();
         for evtx_file in evtx_files {
             if configs::CONFIG.read().unwrap().args.verbose {
                 println!("Checking target evtx FilePath: {:?}", &evtx_file);
             }
             let cnt_tmp: usize;
-            (detection, cnt_tmp) = self.analysis_file(evtx_file, detection, time_filter);
+            (detection, cnt_tmp, tl) = self.analysis_file(evtx_file, detection, time_filter, tl.clone());
             total_records += cnt_tmp;
             pb.inc();
         }
+        if *METRICS_FLAG {
+            tl.tm_stats_dsp_msg();
+        }
+        if *LOGONSUMMARY_FLAG {
+            tl.tm_logon_stats_dsp_msg();
+        }
         if configs::CONFIG.read().unwrap().args.output.is_some() {
             println!();
             println!();
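Review bot: The `tl.clone()` in the `analysis_file` call is unnecessary: the callee takes `Timeline` by value and hands it back in the return tuple, and the destructuring assignment re-binds `tl` exactly as it already re-binds `detection`, so `(detection, cnt_tmp, tl) = self.analysis_file(evtx_file, detection, time_filter, tl);` moves the value in and out with no copy and also brings the line back under rustfmt's width. Dropping the clone makes the `Clone` derives added to `EventMetrics` (metrics.rs) and `Timeline` (timelines.rs) unneeded and removes a per-file deep copy of the accumulated metrics, which appear to hold a `HashMap` given the import visible in metrics.rs. Separately, `EventMetrics` carries a single `pub filepath: String` while the timeline is now accumulated across every entry of `evtx_files`, so after the loop that field can presumably describe only one file; check how `tm_stats_dsp_msg` and `tm_logon_stats_dsp_msg` use it. The new `if *METRICS_FLAG` / `if *LOGONSUMMARY_FLAG` guards assume those statics are already imported in main.rs, since this patch adds no `use` for them, and metrics.rs imports the same flags, so the display functions may already gate on them internally. The enclosing method starts and ends outside the hunk.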
@@ -683,15 +690,15 @@ impl App {
         evtx_filepath: PathBuf,
         mut detection: detection::Detection,
         time_filter: &TargetEventTime,
-    ) -> (detection::Detection, usize) {
+        mut tl: Timeline
+    ) -> (detection::Detection, usize, Timeline) {
         let path = evtx_filepath.display();
         let parser = self.evtx_to_jsons(evtx_filepath.clone());
         let mut record_cnt = 0;
         if parser.is_none() {
-            return (detection, record_cnt);
+            return (detection, record_cnt, tl);
         }
-        let mut tl = Timeline::new();
         let mut parser = parser.unwrap();
         let mut records = parser.records_json_value();
@@ -760,10 +767,7 @@ impl App {
             }
         }
 
-        tl.tm_stats_dsp_msg();
-        tl.tm_logon_stats_dsp_msg();
-
-        (detection, record_cnt)
+        (detection, record_cnt, tl)
     }
 
     async fn create_rec_infos(
diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs
index 065e7802..fe756572 100644
--- a/src/timeline/metrics.rs
+++ b/src/timeline/metrics.rs
@@ -2,7 +2,7 @@ use crate::detections::message::{LOGONSUMMARY_FLAG, METRICS_FLAG};
 use crate::detections::{detection::EvtxRecordInfo, utils};
 use hashbrown::HashMap;
 
-#[derive(Debug)]
+#[derive(Debug, Clone)]
 pub struct EventMetrics {
     pub total: usize,
     pub filepath: String,
diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs
index 7a67b00b..fd27612b 100644
--- a/src/timeline/timelines.rs
+++ b/src/timeline/timelines.rs
@@ -7,7 +7,7 @@ use comfy_table::presets::UTF8_FULL;
 use super::metrics::EventMetrics;
 use hashbrown::HashMap;
 
-#[derive(Debug)]
+#[derive(Debug, Clone)]
 pub struct Timeline {
     pub stats: EventMetrics,
 }
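Review bot: The new parameter `mut tl: Timeline` is missing the trailing comma the other parameters carry and that rustfmt will reintroduce: `mut tl: Timeline,`. Passing the timeline in by value and returning it in the tuple — here and in the `@@ -760` hunk below, which only threads it back out — is more plumbing than borrowing it: `tl: &mut Timeline` would keep the previous `(detection::Detection, usize)` return shape, leave the early `return (detection, record_cnt);` untouched, and remove any reason to clone at the call site. `analysis_file` begins above this hunk and its body, including whatever mutates `tl` between the two hunks, is not visible here.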