diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 5c7e8fcc..9dd8b065 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -276,12 +276,12 @@ impl Detection {
 profile_converter.insert("%EventID%".to_string(), eid.to_owned());
 }
 "%MitreAttack%" => {
- profile_converter.insert("%MitreAttack%".to_string(), tag_info.join(" | "));
+ profile_converter.insert("%MitreAttack%".to_string(), tag_info.join(" : "));
 }
 "%RecordID%" => {
 profile_converter.insert(
 "%RecordID%".to_string(),
- rec_id.as_ref().unwrap_or(&"-".to_string()).to_owned(),
+ rec_id.as_ref().unwrap_or(&"".to_string()).to_owned(),
 );
 }
 "%RuleTitle%" => {
@@ -387,10 +387,10 @@ impl Detection {
 profile_converter.insert("%EventID%".to_string(), "-".to_owned());
 }
 "%MitreAttack%" => {
- profile_converter.insert("%MitreAttack%".to_owned(), tag_info.join(" | "));
+ profile_converter.insert("%MitreAttack%".to_owned(), tag_info.join(" : "));
 }
 "%RecordID%" => {
- profile_converter.insert("%RecordID%".to_string(), "-".to_owned());
+ profile_converter.insert("%RecordID%".to_string(), "".to_owned());
 }
 "%RuleTitle%" => {
 profile_converter.insert(
diff --git a/src/detections/message.rs b/src/detections/message.rs
index 1aef2ce7..fd2cfb8b 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -164,7 +164,7 @@ pub fn insert(
 let mut tmp_converted_info: LinkedHashMap = LinkedHashMap::new();
 for (k, v) in &detect_info.ext_field {
 let converted_reserve_info = convert_profile_reserved_info(v, profile_converter);
- if v == "%RecordInformation%" {
+ if v.contains("%RecordInformation%") || v.contains("%Details%") {
 tmp_converted_info.insert(k.to_owned(), converted_reserve_info);
 } else {
 tmp_converted_info.insert(
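Review bot: The new `%RecordID%` fallback in the first hunk (and again in the second hunk at line 387) is now the empty string, while the `%EventID%` fallback visible in the second hunk still emits `"-"`, so one output row can carry two different "value missing" markers; anything consuming the profile output (CSV, JSON, a SIEM field mapping) now has to treat both `""` and `"-"` as absent, and a blank `RecordID` is indistinguishable from a record whose id was genuinely empty. If the empty fallback is intended, the same choice should be applied to `%EventID%` in the same commit, or the intent recorded in a comment such as `// empty rather than "-": RecordID is absent for non-evtx sources and must not look like a value`. Separately, `rec_id.as_ref().unwrap_or(&"".to_string()).to_owned()` builds a temporary `String` on every call even when `rec_id` is `Some`; assuming `rec_id` is an `Option<String>`, `rec_id.as_deref().unwrap_or("").to_owned()` avoids the allocation and reads more directly. The enclosing match arms belong to a function whose start and end lie outside these hunks.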
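Review bot: The new condition `v.contains("%RecordInformation%") || v.contains("%Details%")` in `insert` widens the old exact-match test to a substring test and adds a second placeholder, but nothing in the code says why these two placeholders are handled differently from every other value in `ext_field`; the `else` branch that gives them that different treatment lies outside the hunk, so a reader of this loop cannot tell what property the two share. A short comment above the `if`, e.g. `// %RecordInformation% and %Details% may appear inside a longer template and are stored in their converted form as-is; all other fields go through the else branch`, with the second half adjusted to whatever the else branch actually does, would make the special case maintainable. If more placeholders are expected to join this list, naming them once, `const PASS_THROUGH: [&str; 2] = ["%RecordInformation%", "%Details%"];` and testing `PASS_THROUGH.iter().any(|p| v.contains(p))`, keeps the loop body from growing another `||` per placeholder. `insert` starts before and continues after this hunk.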