replaced %RecordInformation% to %AllFieldInfo% #750

src/afterfact.rs

@@ -1027,7 +1027,7 @@ fn output_json_str(
         if vec_data.is_empty() {
             let tmp_val: Vec<&str> = v.split(": ").collect();
             let output_val =
-                _convert_valid_json_str(&tmp_val, output_value_fmt.contains("%RecordInformation%"));
+                _convert_valid_json_str(&tmp_val, output_value_fmt.contains("%AllFieldInfo%"));
             target.push(_create_json_output_format(
                 k,
                 &output_val,
@@ -1337,7 +1337,7 @@ mod tests {
                 ("%MitreAttack%".to_owned(), test_attack.to_string()),
                 ("%RecordID%".to_owned(), test_record_id.to_string()),
                 ("%RuleTitle%".to_owned(), test_title.to_owned()),
-                ("%RecordInformation%".to_owned(), test_recinfo.to_owned()),
+                ("%AllFieldInfo%".to_owned(), test_recinfo.to_owned()),
                 ("%RuleFile%".to_owned(), test_rulepath.to_string()),
                 ("%EvtxFile%".to_owned(), test_filepath.to_string()),
                 ("%Tags%".to_owned(), test_attack.to_string()),

src/detections/detection.rs

@@ -229,7 +229,7 @@ impl Detection {
             Some(str) => str.to_owned(),
             None => recinfo.as_ref().unwrap_or(&"-".to_string()).to_string(),
         };
-        let opt_record_info = if LOAEDED_PROFILE_ALIAS.contains("%RecordInformation%") {
+        let opt_record_info = if LOAEDED_PROFILE_ALIAS.contains("%AllFieldInfo%") {
             recinfo
         } else {
             None
@@ -286,9 +286,9 @@ impl Detection {
                             rule.yaml["title"].as_str().unwrap_or("").to_string(),
                         );
                     }
-                    "%RecordInformation%" => {
+                    "%AllFieldInfo%" => {
                         profile_converter.insert(
-                            "%RecordInformation%".to_string(),
+                            "%AllFieldInfo%".to_string(),
                             opt_record_info
                                 .as_ref()
                                 .unwrap_or(&"-".to_string())
@@ -419,7 +419,7 @@ impl Detection {
     fn insert_agg_message(rule: &RuleNode, agg_result: AggResult) {
         let tag_info: &Vec<String> = &Detection::get_tag_info(rule);
         let output = Detection::create_count_output(rule, &agg_result);
-        let rec_info = if LOAEDED_PROFILE_ALIAS.contains("%RecordInformation%") {
+        let rec_info = if LOAEDED_PROFILE_ALIAS.contains("%AllFieldInfo%") {
             Option::Some(String::default())
         } else {
             Option::None
@@ -462,8 +462,8 @@ impl Detection {
                             rule.yaml["title"].as_str().unwrap_or("").to_string(),
                         );
                     }
-                    "%RecordInformation%" => {
-                        profile_converter.insert("%RecordInformation%".to_string(), "-".to_owned());
+                    "%AllFieldInfo%" => {
+                        profile_converter.insert("%AllFieldInfo%".to_string(), "-".to_owned());
                     }
                     "%RuleFile%" => {
                         profile_converter.insert(

src/detections/message.rs

@@ -147,7 +147,7 @@ pub fn insert(
     let mut tmp_converted_info: LinkedHashMap<String, String> = LinkedHashMap::new();
     for (k, v) in &detect_info.ext_field {
         let converted_reserve_info = convert_profile_reserved_info(v, profile_converter);
-        if v.contains("%RecordInformation%") || v.contains("%Details%") {
+        if v.contains("%AllFieldInfo%") || v.contains("%Details%") {
             tmp_converted_info.insert(k.to_owned(), converted_reserve_info);
         } else {
             tmp_converted_info.insert(

src/options/profile.rs

@@ -45,7 +45,7 @@ lazy_static! {
         "%EventID%",
         "%RecordID%",
         "%RuleTitle%",
-        "%RecordInformation%",
+        "%AllFieldInfo%",
         "%RuleFile%",
         "%EvtxFile%",
         "%MitreTactics%",
@@ -283,7 +283,7 @@ mod tests {
         expect.insert("Details".to_owned(), "%Details%".to_owned());
         expect.insert(
             "RecordInformation".to_owned(),
-            "%RecordInformation%".to_owned(),
+            "%AllFieldInfo%".to_owned(),
         );
         expect.insert("RuleFile".to_owned(), "%RuleFile%".to_owned());
         expect.insert("EvtxFile".to_owned(), "%EvtxFile%".to_owned());
@@ -358,7 +358,7 @@ mod tests {
          ],
          vec!["standard", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%"],
          vec!["verbose-1", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%, %RuleFile%, %EvtxFile%"],
-         vec!["verbose-2", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%, %RecordInformation%"],
+         vec!["verbose-2", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%, %AllFieldInfo%"],
          ];
         assert_eq!(expect, get_profile_list("test_files/config/profiles.yaml"));
     }

test_files/config/default_profile.yaml

@@ -7,7 +7,7 @@ MitreAttack: "%MitreAttack%"
 RecordID: "%RecordID%"
 RuleTitle: "%RuleTitle%"
 Details: "%Details%"
-RecordInformation: "%RecordInformation%"
+RecordInformation: "%AllFieldInfo%"
 RuleFile: "%RuleFile%"
 EvtxFile: "%EvtxFile%"
 Tags: "%MitreAttack%"

test_files/config/profiles.yaml

@@ -41,4 +41,4 @@ verbose-2:
     RecordID: "%RecordID%"
     RuleTitle: "%RuleTitle%"
     Details: "%Details%"
-    AllFieldInfo: "%RecordInformation%"
+    AllFieldInfo: "%AllFieldInfo%"