logon summary (#523)

* logon summary #110

* logon summary #110

* english update

* add sort #110

* add sort #110

* Formatting the output string

* Fixed the check process.

* added document #110

* Fixed login failure eventID.

* Fixed clipy err

* prevent rule load output with logon-summary option #110

* fixed bug of  level-tuning execute when option is -s or -L only #110

Co-authored-by: garigariganzy <tosada31@hotmail.co.jp>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

src/detections/configs.rs

@@ -90,6 +90,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
     -U --utc 'Output time in UTC format. (Default: local time)'
     -t --thread-number=[NUMBER] 'Thread number. (Default: Optimal number for performance.)'
     -s --statistics 'Prints statistics of event IDs.'
+    -L --logon-summary 'User logon and failed logon summary'
     -q --quiet 'Quiet mode. Do not display the launch banner.'
     -Q --quiet-errors 'Quiet errors mode. Do not save error logs.'
     -p --pivot-keywords-list 'Create a list of pivot keywords.'

src/detections/detection.rs

@@ -121,11 +121,18 @@ impl Detection {
             .map(|rule_file_tuple| rule::create_rule(rule_file_tuple.0, rule_file_tuple.1))
             .filter_map(return_if_success)
             .collect();
-        Detection::print_rule_load_info(
-            &rulefile_loader.rulecounter,
-            &parseerror_count,
-            &rulefile_loader.ignorerule_count,
-        );
+        if !configs::CONFIG
+            .read()
+            .unwrap()
+            .args
+            .is_present("logon-summary")
+        {
+            Detection::print_rule_load_info(
+                &rulefile_loader.rulecounter,
+                &parseerror_count,
+                &rulefile_loader.ignorerule_count,
+            );
+        }
         ret
     }
 

src/detections/print.rs

@@ -55,6 +55,11 @@ lazy_static! {
         .unwrap()
         .args
         .is_present("statistics");
+    pub static ref LOGONSUMMARY_FLAG: bool = configs::CONFIG
+        .read()
+        .unwrap()
+        .args
+        .is_present("logon-summary");
     pub static ref TAGS_CONFIG: HashMap<String, String> =
         Message::create_output_filter_config("config/output_tag.txt");
     pub static ref CH_CONFIG: HashMap<String, String> =