added count by rule titles variable

2022-08-21 02:28:38 +09:00
parent e498007ea6
commit fd653f24fc
3 changed files with 22 additions and 0 deletions
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -184,12 +184,15 @@ fn emit_csv<W: std::io::Write>(
        HashMap::new();
    let mut detect_counts_by_computer_and_level: HashMap<String, HashMap<String, i128>> =
        HashMap::new();
+    let mut detect_counts_by_rule_and_level: HashMap<String, HashMap<String, i128>> =
+        HashMap::new();

    let levels = Vec::from(["crit", "high", "med ", "low ", "info", "undefined"]);
    // レベル別、日ごとの集計用変数の初期化
    for level_init in levels {
        detect_counts_by_date_and_level.insert(level_init.to_string(), HashMap::new());
        detect_counts_by_computer_and_level.insert(level_init.to_string(), HashMap::new());
+        detect_counts_by_rule_and_level.insert(level_init.to_string(), HashMap::new());
    }
    if displayflag {
        println!();
@@ -277,6 +280,20 @@ fn emit_csv<W: std::io::Write>(
                    .insert(detect_info.level.to_lowercase(), detect_counts_by_computer);
            }

+            let mut detect_counts_by_rules = detect_counts_by_rule_and_level
+                .get(&detect_info.level.to_lowercase())
+                .unwrap_or_else(|| {
+                    detect_counts_by_computer_and_level
+                        .get("undefined")
+                        .unwrap()
+                })
+                .clone();
+            *detect_counts_by_rules
+                .entry(Clone::clone(&detect_info.ruletitle))
+                .or_insert(0) += 1;
+            detect_counts_by_rule_and_level
+                .insert(detect_info.level.to_lowercase(), detect_counts_by_rules);
+
            total_detect_counts_by_level[level_suffix] += 1;
            detect_counts_by_date_and_level
                .insert(detect_info.level.to_lowercase(), detect_counts_by_date);
@@ -663,6 +680,7 @@ mod tests {
                output.to_string(),
                DetectInfo {
                    rulepath: test_rulepath.to_string(),
+                    ruletitle: test_title.to_string(),
                    level: test_level.to_string(),
                    computername: test_computername.to_string(),
                    eventid: test_eventid.to_string(),
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -362,6 +362,7 @@ impl Detection {

        let detect_info = DetectInfo {
            rulepath: (&rule.rulepath).to_owned(),
+            ruletitle: rule.yaml["title"].as_str().unwrap_or("-").to_string(),
            level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
            computername: record_info.record["Event"]["System"]["Computer"]
                .to_string()
@@ -492,6 +493,7 @@ impl Detection {

        let detect_info = DetectInfo {
            rulepath: (&rule.rulepath).to_owned(),
+            ruletitle: rule.yaml["title"].as_str().unwrap_or("-").to_string(),
            level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
            computername: "-".to_owned(),
            eventid: "-".to_owned(),
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -24,6 +24,7 @@ use termcolor::{BufferWriter, ColorChoice};
 #[derive(Debug, Clone)]
 pub struct DetectInfo {
    pub rulepath: String,
+    pub ruletitle: String,
    pub level: String,
    pub computername: String,
    pub eventid: String,
@@ -634,6 +635,7 @@ mod tests {
        for i in 1..2001 {
            let detect_info = DetectInfo {
                rulepath: "".to_string(),
+                ruletitle: "".to_string(),
                level: "".to_string(),
                computername: "".to_string(),
                eventid: i.to_string(),