From f2445ae09327e80826b428a7658345ec939c3f28 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Thu, 23 Dec 2021 08:59:41 +0900
Subject: [PATCH] changed output field to details field in yaml data oftest case
---
 src/detections/rule/condition_parser.rs | 82 ++++++++++++-------------
 src/detections/rule/count.rs | 18 +++---
 src/detections/rule/matchers.rs | 60 +++++++++---------
 src/detections/rule/mod.rs | 26 ++++----
 src/detections/rule/selectionnodes.rs | 10 +--
 5 files changed, 98 insertions(+), 98 deletions(-)
diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs
index 984a9fca..d6f02e03 100644
--- a/src/detections/rule/condition_parser.rs
+++ b/src/detections/rule/condition_parser.rs
@@ -556,7 +556,7 @@ mod tests {
 Channel: 'System'
 EventID: 7040
 param1: 'Windows Event Log'
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let record_json_str = r#"
@@ -600,7 +600,7 @@ mod tests {
 Channel: 'System'
 EventID: 7041
 param1: 'Windows Event Log'
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let record_json_str = r#"
@@ -646,7 +646,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 and selection2 and selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -666,7 +666,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 and selection2 and selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -686,7 +686,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 and selection2 and selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -706,7 +706,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection1 and selection2 and selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -726,7 +726,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection1 and selection2 and selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -746,7 +746,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection1 and selection2 and selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -765,7 +765,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -784,7 +784,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -803,7 +803,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -822,7 +822,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -841,7 +841,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -860,7 +860,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -879,7 +879,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -898,7 +898,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection1 or selection2 or selection3
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -913,7 +913,7 @@ mod tests {
 selection1:
 Channel: 'Systemn'
 condition: not selection1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -928,7 +928,7 @@ mod tests {
 selection1:
 Channel: 'System'
 condition: not selection1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -947,7 +947,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection2 and (selection2 or selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -966,7 +966,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection2 and (selection2 and selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -985,7 +985,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection2 and (((selection2 or selection3)))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1004,7 +1004,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: selection2 and ((((selection2 and selection3))))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1023,7 +1023,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: (selection2 and selection1) and not ((selection2 and selection3))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1042,7 +1042,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: (selection2 and selection1) and not (not(selection2 and selection3))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1061,7 +1061,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: (selection2 and selection1) and (selection2 or selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1080,7 +1080,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Logn'
 condition: (selection2 and selection1) and (selection2 and selection3)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1101,7 +1101,7 @@ mod tests {
 selection4:
 param2: 'auto start'
 condition: (selection1 and (selection2 and ( selection3 and selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1122,7 +1122,7 @@ mod tests {
 selection4:
 param2: 'auto start'
 condition: (selection1 and (selection2 and ( selection3 and selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1143,7 +1143,7 @@ mod tests {
 selection4:
 param2: 'auto start'
 condition: (selection1 and (selection2 and ( selection3 or selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1164,7 +1164,7 @@ mod tests {
 selection4:
 param2: 'auto startn'
 condition: (selection1 and (selection2 and ( selection3 or selection4 )))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1181,7 +1181,7 @@ mod tests {
 EventID: 7041
 selection2:
 param1: 'Windows Event Log'
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
@@ -1207,7 +1207,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection-1 and selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
@@ -1230,7 +1230,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 and ((selection2)
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
@@ -1253,7 +1253,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 and (selection2))
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
@@ -1276,7 +1276,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 and )selection2(
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
@@ -1299,7 +1299,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(rule_str,vec!["A condition parse error has occured. Unknown error. Maybe it is because there are multiple names of selection nodes.".to_string()]);
@@ -1317,7 +1317,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: and selection1 or selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
@@ -1341,7 +1341,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 or selection2 or
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
@@ -1365,7 +1365,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 or or selection2
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(rule_str,vec!["A condition parse error has occured. The use of a logical operator(and, or) was wrong.".to_string()]);
@@ -1383,7 +1383,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 or ( not )
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
@@ -1404,7 +1404,7 @@ mod tests {
 selection2:
 param1: 'Windows Event Log'
 condition: selection1 or ( not not )
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 check_rule_parse_error(
diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs
index a2226c37..3956acc6 100644
--- a/src/detections/rule/count.rs
+++ b/src/detections/rule/count.rs
@@ -590,7 +590,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 and selection2 and selection3 | count() >= 1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut expected_count = HashMap::new();
 expected_count.insert("_".to_owned(), 2);
@@ -642,7 +642,7 @@ mod tests {
 param1: 'Windows Event Log'
 condition: selection1 and selection2 and selection3 | count() >= 1
 timeframe: 15m
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut expected_count = HashMap::new();
 expected_count.insert("_".to_owned(), 2);
@@ -682,7 +682,7 @@ mod tests {
 selection3:
 param1: 'Windows Event Log'
 condition: selection1 and selection2 and selection3 | count(Channel) >= 1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut expected_count = HashMap::new();
 expected_count.insert("_".to_owned(), 1);
@@ -729,7 +729,7 @@ mod tests {
 selection1:
 param1: 'Windows Event Log'
 condition: selection1 | count(EventID) by Channel >= 1
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut expected_count = HashMap::new();
@@ -787,7 +787,7 @@ mod tests {
 Channel: 'System'
 condition: selection1 | count(EventID) by param1 >= 1
 timeframe: 1h
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut expected_count = HashMap::new();
 expected_count.insert("Windows Event Log".to_owned(), 1);
@@ -840,7 +840,7 @@ mod tests {
 Channel: 'System'
 condition: selection1 | count(EventID) >= 2
 timeframe: 1h
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
 let test = rule_yaml.next().unwrap();
@@ -897,7 +897,7 @@ mod tests {
 param1: 'Windows Event Log'
 condition: selection1 | count(EventID) by Channel >= 2
 timeframe: 30m
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let mut expected_count = HashMap::new();
@@ -947,7 +947,7 @@ mod tests {
 param1: 'Windows Event Log'
 condition: selection1 | count(EventID) by Channel >= 1
 timeframe: 1h
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0);
@@ -1584,7 +1584,7 @@ mod tests {
 param1: 'Windows Event Log'
 condition: selection1 | ${COUNT}
 timeframe: ${TIME_FRAME}
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 return template
 .replace("${COUNT}", count)
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index aacf3672..ba4801cf 100644
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -509,7 +509,7 @@ mod tests {
 falsepositives:
 - unknown
 level: medium
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 creation_date: 2020/11/8
 updated_date: 2020/11/8
 "#;
@@ -692,7 +692,7 @@ mod tests {
 detection:
 selection:
 EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -723,7 +723,7 @@ mod tests {
 detection:
 selection:
 EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -753,7 +753,7 @@ mod tests {
 detection:
 selection:
 EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -784,7 +784,7 @@ mod tests {
 detection:
 selection:
 Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -815,7 +815,7 @@ mod tests {
 detection:
 selection:
 Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -845,7 +845,7 @@ mod tests {
 detection:
 selection:
 Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -875,7 +875,7 @@ mod tests {
 detection:
 selection:
 Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -906,7 +906,7 @@ mod tests {
 selection:
 Channel:
 min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -937,7 +937,7 @@ mod tests {
 selection:
 Channel:
 min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -968,7 +968,7 @@ mod tests {
 selection:
 Channel:
 min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -999,7 +999,7 @@ mod tests {
 selection:
 Channel:
 min_length: 10
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1030,7 +1030,7 @@ mod tests {
 selection:
 Channel:
 min_length: 11
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1060,7 +1060,7 @@ mod tests {
 detection:
 selection:
 Channel|re: ^Program$
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1093,7 +1093,7 @@ mod tests {
 EventID: 4103
 Channel:
 - allowlist: ./config/regex/allowlist_legitimate_services.txt
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 // JSONで値としてダブルクオートを使う場合、\でエスケープが必要なのに注意
@@ -1127,7 +1127,7 @@ mod tests {
 EventID: 4103
 Channel:
 - allowlist: ./config/regex/allowlist_legitimate_services.txt
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 // JSONで値としてダブルクオートを使う場合、\でエスケープが必要なのに注意
@@ -1161,7 +1161,7 @@ mod tests {
 EventID: 4103
 Channel:
 - allowlist: ./config/regex/allowlist_legitimate_services.txt
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1193,7 +1193,7 @@ mod tests {
 Channel: Security
 EventID: 4732
 TargetUserName|startswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#;
 let record_json_str = r#"
@@ -1235,7 +1235,7 @@ mod tests {
 Channel: Security
 EventID: 4732
 TargetUserName|startswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#;
 let record_json_str = r#"
@@ -1277,7 +1277,7 @@ mod tests {
 Channel: Security
 EventID: 4732
 TargetUserName|endswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#;
 let record_json_str = r#"
@@ -1319,7 +1319,7 @@ mod tests {
 Channel: Security
 EventID: 4732
 TargetUserName|endswith: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#;
 let record_json_str = r#"
@@ -1361,7 +1361,7 @@ mod tests {
 Channel: Security
 EventID: 4732
 TargetUserName|contains: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#;
 let record_json_str = r#"
@@ -1403,7 +1403,7 @@ mod tests {
 Channel: Security
 EventID: 4732
 TargetUserName|contains: "Administrators"
- output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+ details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 "#;
 let record_json_str = r#"
@@ -1443,7 +1443,7 @@ mod tests {
 detection:
 selection:
 Channel: ホストアプリケーション
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1473,7 +1473,7 @@ mod tests {
 detection:
 selection:
 Channel: ホスとアプリケーション
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1503,7 +1503,7 @@ mod tests {
 detection:
 selection:
 Channel: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1591,7 +1591,7 @@ mod tests {
 detection:
 selection:
 - 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1621,7 +1621,7 @@ mod tests {
 detection:
 selection:
 - 4104
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1653,7 +1653,7 @@ mod tests {
 selection:
 Channel:
 value: Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -1685,7 +1685,7 @@ mod tests {
 selection:
 Channel:
 value: Securiteen
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs
index b4911d87..3c7b328b 100644
--- a/src/detections/rule/mod.rs
+++ b/src/detections/rule/mod.rs
@@ -356,7 +356,7 @@ mod tests {
 detection:
 selection:
 Event.System.Computer: DESKTOP-ICHIICHI
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -386,7 +386,7 @@ mod tests {
 detection:
 selection:
 Event.System.Computer: DESKTOP-ICHIICHIN
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -416,7 +416,7 @@ mod tests {
 detection:
 selection:
 Channel: NOTDETECT
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -471,7 +471,7 @@ mod tests {
 selection:
 EventID: 4797
 Event.System.Provider_attributes.Guid: 54849625-5478-4994-A5BA-3E3B0328C30D
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -530,7 +530,7 @@ mod tests {
 selection:
 EventID: 4797
 Event.System.Provider_attributes.Guid: 54849625-5478-4994-A5BA-3E3B0328C30DSS
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -610,7 +610,7 @@ mod tests {
 selection:
 Event.EventData.Workstation: 'TEST WorkStation'
 Event.EventData.TargetUserName: ichiichi11
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -654,7 +654,7 @@ mod tests {
 selection:
 EventID: 4103
 TargetUserName: ichiichi11
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -699,7 +699,7 @@ mod tests {
 selection:
 EventID: 4103
 TargetUserName: ichiichi12
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -746,7 +746,7 @@ mod tests {
 selection:
 EventID: 403
 EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -810,7 +810,7 @@ mod tests {
 selection:
 EventID: 403
 EventData: '[\s\S]*EngineVersion=3.0[\s\S]*'
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -876,7 +876,7 @@ mod tests {
 param2|startswith:
 - "disa"
 - "aut"
- output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+ details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
 "#;
 let record_json_str = r#"
@@ -918,7 +918,7 @@ mod tests {
 selection:
 Channel|failed: Security
 EventID: 0
- output: 'Rule parse test'
+ details: 'Rule parse test'
 "#;
 let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
 let mut rule_node = create_rule("testpath".to_string(), rule_yaml.next().unwrap());
@@ -938,7 +938,7 @@ mod tests {
 let rule_str = r#"
 enabled: true
 detection:
- output: 'Rule parse test'
+ details: 'Rule parse test'
 "#;
 let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
 let mut rule_node = create_rule("testpath".to_string(), rule_yaml.next().unwrap());
diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs
index 4d88bedd..18945dcc 100644
--- a/src/detections/rule/selectionnodes.rs
+++ b/src/detections/rule/selectionnodes.rs
@@ -418,7 +418,7 @@ mod tests {
 selection:
 Channel: Security
 EventID: 4103
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -451,7 +451,7 @@ mod tests {
 Channel: Security
 EventID: 4103
 Computer: DESKTOP-ICHIICHIN
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -483,7 +483,7 @@ mod tests {
 Channel:
 - PowerShell
 - Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -515,7 +515,7 @@ mod tests {
 Channel:
 - PowerShell
 - Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"
@@ -547,7 +547,7 @@ mod tests {
 Channel:
 - PowerShell
 - Security
- output: 'command=%CommandLine%'
+ details: 'command=%CommandLine%'
 "#;
 let record_json_str = r#"