37ebb046fa
* Feature/call error message struct#66 (#69) * change way to use write trait #66 * change call error message struct #66 * erase finished TODO #66 * erase comment in error message format test #66 * resolve conflict #66 * Feature/call error message struct#66 (#71) * change ERROR writeln struct #66 * under constructing * add statistics template * fix * add comment * add condition impl #93 * fix erased get_descendants and remove unnecessaly struct #93 * erased finished TODO comment * erased finished TODO comment * Revert "fix erased get_descendants and remove unnecessaly struct #93" This reverts commit82e905e045. Revert "add condition impl #93" This reverts commit19ecc87377. * add doc comment to rule function * fix and add test doc commet * add doc to AggregaationParseInfo * add struct count in aggregation condition. #93 * add evaluate aggregation condition func provisional architecture. #93 * add countup function #93 * fix key to count hashmap #93 * add judge aggregation condition function #93 * fix error #93 * fix test #93 * share compile error ver * fix detection.rs compile error * fix timeframe parse * add countup process in select * fix select argument * add test countup * add test count judge #93 * add SIGMA windows count field and by keyword #93 * fix reference record in countup/judgecount #93 * add timedata in countup schema #93 * Refact: split code for matcher from rule.rs * Reafact: combine multiple declared functions * Refact: split code for SelectionNode from rule.rs * Refact: mv test code for SelectionNode from rule.rs * Refact: mv condition's code from rule.rs * add count to detection #93 * fix compile error * fix source to test ng. #93 * erase unused variable #93 * fix count architecture #93 * fix comment and compile error * erase dust (response to review) * erase dust (response to review) * reduce calling Rulenode function (response to review) * add aggregation output func * erase dust(response to review) and add agg condition String func * change error output * reduce call RuleNode function(response to review) * To reduce call RuleNode function * fix test name * fix coflicted resolve miss * add code comment in timeframe count. * add sort record timedata in timeframe(response to review) * fix unnecesasry result in ArgResult * add no field and by value count test * create count test no field and by with timeframe * erase duplicated timeframe data in RuleNode * fix test error no field and no by count with timeframe * fix test name * add test case of exist field and by count. * fix by count test and add test count othervalue in timeframe * add test * fix judge_timeframe logic when indexout * fix test name and add count test field and by with timeframe * adjust #120 * move associated count function from rulenode * fix error when resolve conflict * adjust T1197_bitsjob_started * fix no output bug if exist output * add alias to adapt SIGMA Rules #124 * add rule to bitsjob #130 * decilde sha1 is excepted #124 * prepare merge main Co-authored-by: HajimeTakai <takai.wa.hajime@gmail.com> Co-authored-by: itiB <is0312vx@ed.ritsumei.ac.jp>
173 lines
7.1 KiB
Plaintext
173 lines
7.1 KiB
Plaintext
alias,event_key
|
|
EventID,Event.System.EventID
|
|
Channel,Event.System.Channel
|
|
CommandLine,Event.EventData.CommandLine
|
|
ParentProcessName,Event.EventData.ParentProcessName
|
|
Signed,Event.EventData.Signed
|
|
ProcessName,Event.EventData.ProcessName
|
|
AccessMask,Event.EventData.AccessMask
|
|
TargetUserName,Event.EventData.TargetUserName
|
|
param1,Event.EventData.param1
|
|
param2,Event.EventData.param2
|
|
ServiceName,Event.EventData.ServiceName
|
|
ImagePath,Event.EventData.ImagePath
|
|
ContextInfo,Event.EventData.ContextInfo
|
|
Path,Event.EventData.Path
|
|
ScriptBlockText,Event.EventData.ScriptBlockText
|
|
MemberName,Event.EventData.MemberName
|
|
MemberSid,Event.EventData.MemberSid
|
|
TargetSid,Event.EventData.TargetSid
|
|
LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName
|
|
LogFileClearedSubjectUserName,Event.UserData.SubjectUserName
|
|
SubjectUserName,Event.EventData.SubjectUserName
|
|
SubjectUserSid,Event.EventData.SubjectUserSid
|
|
DomainName,Event.EventData.SubjectDomainName
|
|
TicketEncryptionType,Event.EventData.TicketEncryptionType
|
|
PreAuthType,Event.EventData.PreAuthType
|
|
TaskName,Event.EventData.TaskName
|
|
WorkStationName,Event.EventData.WorkStationName
|
|
Workstation,Event.EventData.WorkStation
|
|
UserName,Event.EventData.UserName
|
|
ServiceFileName,Event.EventData.ServiceFileName
|
|
ComputerName,Event.System.Computer
|
|
Account_Name,Event.EventData.Account_Name
|
|
Source_Network_Address,Event.EventData.Source_Network_Address
|
|
Caller_Process_Name,Event.EventData.Caller_Process_Name
|
|
Computer,Event.System.Computer
|
|
Client_Address,Event.EventData.Client_Address
|
|
Logon_Account,Event.EventData.Logon_Account
|
|
Source_WorkStation,Event.EventData.Source_WorkStation
|
|
SourceAddress,Event.EventData.SourceAddress
|
|
SubjectLogonId,Event.EventData.SubjectLogonId
|
|
Image,Event.EventData.Image
|
|
ParentImage,Event.EventData.ParentImage
|
|
MachineName,Event.EventData.MachineName
|
|
QueryName,Event.EventData.QueryName
|
|
Accesses,Event.EventData.Accesses
|
|
AccessList,Event.EventData.AccessList
|
|
AccessMask,Event.EventData.AccessMask
|
|
AccountName,Event.EventData.AccountName
|
|
AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
|
|
AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
|
|
AttributeValue,Event.EventData.AttributeValue
|
|
AuditPolicyChanges,Event.EventData.AuditPolicyChanges
|
|
AuditSourceName,Event.EventData.AuditSourceName
|
|
AuthenticationPackageName,Event.EventData.AuthenticationPackageName
|
|
AuthenticationPackageName,Event.EventData.AuthenticationPackageName
|
|
CallingProcessName,Event.EventData.CallingProcessName
|
|
CallTrace,Event.EventData.CallTrace
|
|
CommandLine,Event.EventData.CommandLine
|
|
Company,Event.EventData.Company
|
|
ContextInfo,Event.EventData.ContextInfo
|
|
CurrentDirectory,Event.EventData.CurrentDirectory
|
|
Description,Event.EventData.Description
|
|
Destination,Event.EventData.Destination
|
|
DestinationAddress,Event.EventData.DestinationAddress
|
|
DestinationHostname,Event.EventData.DestinationHostname
|
|
DestinationIp,Event.EventData.DestinationIp
|
|
DestinationIsIpv6,Event.EventData.DestinationIsIpv6
|
|
DestinationPort,Event.EventData.DestinationPort
|
|
DestPort,Event.EventData.DestPort
|
|
Details,Event.EventData.Details
|
|
DetectionSource,Event.EventData.DetectionSource
|
|
Device,Event.EventData.Device
|
|
DeviceClassName,Event.EventData.DeviceClassName
|
|
DeviceDescription,Event.EventData.DeviceDescription
|
|
DeviceName,Event.EventData.DeviceName
|
|
EngineVersion,Event.EventData.EngineVersion
|
|
EventID,Event.System.EventID
|
|
EventType,Event.EventData.EventType
|
|
FailureCode,Event.EventData.FailureCode
|
|
FileVersion,Event.EventData.FileVersion
|
|
GrantedAccess,Event.EventData.GrantedAccess
|
|
GroupName,Event.EventData.GroupName
|
|
GroupSid,Event.EventData.GroupSid
|
|
Hashes,Event.EventData.Hashes
|
|
HiveName,Event.EventData.HiveName
|
|
HostApplication,Event.EventData.HostApplication
|
|
HostName,Event.EventData.HostName
|
|
HostVersion,Event.EventData.HostVersion
|
|
Image,Event.EventData.Image
|
|
ImageLoaded,Event.EventData.ImageLoaded
|
|
ImagePath,Event.EventData.ImagePath
|
|
Imphash,Event.EventData.Hashes
|
|
Initiated,Event.EventData.Initiated
|
|
IntegrityLevel,Event.EventData.IntegrityLevel
|
|
IpAddress,Event.EventData.IpAddress
|
|
KeyLength,Event.EventData.KeyLength
|
|
Keywords,Event.System.Keywords
|
|
keywords,Event.System.Keywords
|
|
LayerRTID,Event.EventData.LayerRTID
|
|
LDAPDisplayName,Event.EventData.LDAPDisplayName
|
|
Level,Event.System.Level
|
|
LogonId,Event.EventData.LogonId
|
|
LogonProcessName,Event.EventData.LogonProcessName
|
|
LogonType,Event.EventData.LogonType
|
|
Message,Event.EventData
|
|
NewName,Event.EventData.NewName
|
|
NewValue,Event.EventData.NewValue
|
|
ObjectClass,Event.EventData.ObjectClass
|
|
ObjectName,Event.EventData.ObjectName
|
|
ObjectServer,Event.EventData.ObjectServer
|
|
ObjectType,Event.EventData.ObjectType
|
|
ObjectValueName,Event.EventData.ObjectValueName
|
|
Origin,Event.EventData.Origin
|
|
OriginalFilename,Event.EventData.OriginalFileName
|
|
OriginalFileName,Event.EventData.OriginalFileName
|
|
ParentCommandLine,Event.EventData.ParentCommandLine
|
|
ParentImage,Event.EventData.ParentImage
|
|
ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
|
|
ParentUser,Event.EventData.ParentUser
|
|
PasswordLastSet,Event.EventData.PasswordLastSet
|
|
Path,Event.EventData.Path
|
|
Payload,Event.EventData.Payload
|
|
PipeName,Event.EventData.PipeName
|
|
PrivilegeList,Event.EventData.PrivilegeList
|
|
ProcessCommandLine,Event.EventData.ProcessCommandLine
|
|
ProcessName,Event.EventData.ProcessName
|
|
Product,Event.EventData.Product
|
|
Properties,Event.EventData.Properties
|
|
QNAME,Event.EventData.QNAME
|
|
QueryName,Event.EventData.QueryName
|
|
QueryResults,Event.EventData.QueryResults
|
|
QueryStatus,Event.EventData.QueryStatus
|
|
RelativeTargetName,Event.EventData.RelativeTargetName
|
|
SAMAccountName,Event.EventData.SamAccountName
|
|
ScriptBlockText,Event.EventData.ScriptBlockText
|
|
service,Event.EventData.Service
|
|
Service,Event.EventData.Service
|
|
ServiceFileName,Event.EventData.ServiceFileName
|
|
ServiceName,Event.EventData.ServiceName
|
|
ServicePrincipalNames,Event.EventData.ServicePrincipalNames
|
|
ShareName,Event.EventData.ShareName
|
|
SidHistory,Event.EventData.SidHistory
|
|
Signature,Event.EventData.Signature
|
|
Signed,Event.EventData.Signed
|
|
Source,Event.System.Provider_Name
|
|
SourceAddress,Event.EventData.SourceAddress
|
|
SourceImage,Event.EventData.SourceImage
|
|
SourceNetworkAddress,Event.EventData.SourceNetworkAddress
|
|
SourcePort,Event.EventData.SourcePort
|
|
StartFunction,Event.EventData.StartFunction
|
|
StartModule,Event.EventData.StartModule
|
|
Status,Event.EventData.Status
|
|
SubjectDomainName,Event.EventData.SubjectDomainName
|
|
SubjectLogonId,Event.EventData.SubjectLogonId
|
|
SubjectUserName,Event.EventData.SubjectUserName
|
|
SubjectUserSid,Event.EventData.SubjectUserSid
|
|
TargetFilename,Event.EventData.TargetFilename
|
|
TargetImage,Event.EventData.TargetImage
|
|
TargetLogonId,Event.EventData.TargetLogonId
|
|
TargetName,Event.EventData.TargetServerName
|
|
TargetObject,Event.EventData.TargetObject
|
|
TargetProcessAddress,Event.EventData.TargetProcessAddress
|
|
TargetUserName,Event.EventData.TargetUserName
|
|
TaskName,Event.EventData.TaskName
|
|
TicketEncryptionType,Event.EventData.TicketEncryptionType
|
|
TicketOptions,Event.EventData.TicketOptions
|
|
User,Event.EventData.User
|
|
Workstation,Event.EventData.Workstation
|
|
WorkstationName,Event.EventData.WorkstationName
|
|
JobTitle,Event.EventData.name
|
|
Url,Event.EventData.url
|