From d468739c4b4d0f32cf79096619e531365526bb04 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 22 Oct 2022 13:09:19 +0900
Subject: [PATCH] replaced %RecordInformation% to %AllFieldInfo% #750

---
 src/afterfact.rs | 4 ++--
 src/detections/detection.rs | 12 ++++++------
 src/detections/message.rs | 2 +-
 src/options/profile.rs | 6 +++---
 test_files/config/default_profile.yaml | 2 +-
 test_files/config/profiles.yaml | 2 +-
 6 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/afterfact.rs b/src/afterfact.rs
index 750ab228e..f1538023e 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -1027,7 +1027,7 @@ fn output_json_str(
 if vec_data.is_empty() {
 let tmp_val: Vec<&str> = v.split(": ").collect();
 let output_val =
- _convert_valid_json_str(&tmp_val, output_value_fmt.contains("%RecordInformation%"));
+ _convert_valid_json_str(&tmp_val, output_value_fmt.contains("%AllFieldInfo%"));
 target.push(_create_json_output_format(
 k,
 &output_val,
@@ -1337,7 +1337,7 @@ mod tests {
 ("%MitreAttack%".to_owned(), test_attack.to_string()),
 ("%RecordID%".to_owned(), test_record_id.to_string()),
 ("%RuleTitle%".to_owned(), test_title.to_owned()),
- ("%RecordInformation%".to_owned(), test_recinfo.to_owned()),
+ ("%AllFieldInfo%".to_owned(), test_recinfo.to_owned()),
 ("%RuleFile%".to_owned(), test_rulepath.to_string()),
 ("%EvtxFile%".to_owned(), test_filepath.to_string()),
 ("%Tags%".to_owned(), test_attack.to_string()),
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 71d3efe93..50761c3d4 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -229,7 +229,7 @@ impl Detection {
 Some(str) => str.to_owned(),
 None => recinfo.as_ref().unwrap_or(&"-".to_string()).to_string(),
 };
- let opt_record_info = if LOAEDED_PROFILE_ALIAS.contains("%RecordInformation%") {
+ let opt_record_info = if LOAEDED_PROFILE_ALIAS.contains("%AllFieldInfo%") {
 recinfo
 } else {
 None
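Review bot: The new literal `"%AllFieldInfo%"` is typed out by hand in afterfact.rs (`output_json_str`), three times in detection.rs (the `LOAEDED_PROFILE_ALIAS.contains` checks and both `match` arms), in message.rs (`insert`) and in the profile.rs alias list, and this very commit shows the cost of that: a rename needs 14 edits in 6 files and a single missed site would silently break the substring matching. A shared `pub const ALL_FIELD_INFO_ALIAS: &str = "%AllFieldInfo%";` (proposed name) in profile.rs, referenced from every `contains(...)` and `match` arm, would make the next rename a one-line change and let the compiler catch stragglers. The same note applies to the detection.rs and message.rs hunks that follow. The enclosing functions (`output_json_str`, the `impl Detection` methods, `insert`) all start and end outside these hunks.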
@@ -286,9 +286,9 @@ impl Detection {
 rule.yaml["title"].as_str().unwrap_or("").to_string(),
 );
 }
- "%RecordInformation%" => {
+ "%AllFieldInfo%" => {
 profile_converter.insert(
- "%RecordInformation%".to_string(),
+ "%AllFieldInfo%".to_string(),
 opt_record_info
 .as_ref()
 .unwrap_or(&"-".to_string())
@@ -419,7 +419,7 @@ impl Detection {
 fn insert_agg_message(rule: &RuleNode, agg_result: AggResult) {
 let tag_info: &Vec = &Detection::get_tag_info(rule);
 let output = Detection::create_count_output(rule, &agg_result);
- let rec_info = if LOAEDED_PROFILE_ALIAS.contains("%RecordInformation%") {
+ let rec_info = if LOAEDED_PROFILE_ALIAS.contains("%AllFieldInfo%") {
 Option::Some(String::default())
 } else {
 Option::None
@@ -462,8 +462,8 @@ impl Detection {
 rule.yaml["title"].as_str().unwrap_or("").to_string(),
 );
 }
- "%RecordInformation%" => {
- profile_converter.insert("%RecordInformation%".to_string(), "-".to_owned());
+ "%AllFieldInfo%" => {
+ profile_converter.insert("%AllFieldInfo%".to_string(), "-".to_owned());
 }
 "%RuleFile%" => {
 profile_converter.insert(
diff --git a/src/detections/message.rs b/src/detections/message.rs
index d5e906030..28c0166b3 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -147,7 +147,7 @@ pub fn insert(
 let mut tmp_converted_info: LinkedHashMap = LinkedHashMap::new();
 for (k, v) in &detect_info.ext_field {
 let converted_reserve_info = convert_profile_reserved_info(v, profile_converter);
- if v.contains("%RecordInformation%") || v.contains("%Details%") {
+ if v.contains("%AllFieldInfo%") || v.contains("%Details%") {
 tmp_converted_info.insert(k.to_owned(), converted_reserve_info);
 } else {
 tmp_converted_info.insert(
diff --git a/src/options/profile.rs b/src/options/profile.rs
index b9904f9c8..ae65e1b14 100644
--- a/src/options/profile.rs
+++ b/src/options/profile.rs
@@ -45,7 +45,7 @@ lazy_static! {
 "%EventID%",
 "%RecordID%",
 "%RuleTitle%",
- "%RecordInformation%",
+ "%AllFieldInfo%",
 "%RuleFile%",
 "%EvtxFile%",
 "%MitreTactics%",
@@ -283,7 +283,7 @@ mod tests {
 expect.insert("Details".to_owned(), "%Details%".to_owned());
 expect.insert(
 "RecordInformation".to_owned(),
- "%RecordInformation%".to_owned(),
+ "%AllFieldInfo%".to_owned(),
 );
 expect.insert("RuleFile".to_owned(), "%RuleFile%".to_owned());
 expect.insert("EvtxFile".to_owned(), "%EvtxFile%".to_owned());
@@ -358,7 +358,7 @@ mod tests {
 ],
 vec!["standard", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%"],
 vec!["verbose-1", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%, %RuleFile%, %EvtxFile%"],
- vec!["verbose-2", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%, %RecordInformation%"],
+ vec!["verbose-2", "%Timestamp%, %Computer%, %Channel%, %EventID%, %Level%, %MitreAttack%, %RecordID%, %RuleTitle%, %Details%, %AllFieldInfo%"],
 ];
 assert_eq!(expect, get_profile_list("test_files/config/profiles.yaml"));
 }
diff --git a/test_files/config/default_profile.yaml b/test_files/config/default_profile.yaml
index a643554a8..8385adeb1 100644
--- a/test_files/config/default_profile.yaml
+++ b/test_files/config/default_profile.yaml
@@ -7,7 +7,7 @@ MitreAttack: "%MitreAttack%"
 RecordID: "%RecordID%"
 RuleTitle: "%RuleTitle%"
 Details: "%Details%"
-RecordInformation: "%RecordInformation%"
+RecordInformation: "%AllFieldInfo%"
 RuleFile: "%RuleFile%"
 EvtxFile: "%EvtxFile%"
 Tags: "%MitreAttack%"
diff --git a/test_files/config/profiles.yaml b/test_files/config/profiles.yaml
index 78348ee23..7ab667922 100644
--- a/test_files/config/profiles.yaml
+++ b/test_files/config/profiles.yaml
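Review bot: The `lazy_static!` alias list at `@@ -45` replaces `"%RecordInformation%"` outright instead of keeping it as a recognised (deprecated) synonym, so any user-supplied profile that still uses the old alias no longer matches this list or the `LOAEDED_PROFILE_ALIAS.contains(...)` checks in detection.rs. From the hunks alone it cannot be seen whether an unknown alias is rejected at profile-load time or just left unconverted in the output; if it is the latter, an analyst's "all field info" column would quietly turn into the raw placeholder string, which is worth either an explicit load-time error naming the unsupported alias or a temporary mapping of the old name onto the new one with a warning. Note also that `test_files/config/default_profile.yaml` keeps the column key `RecordInformation` while `test_files/config/profiles.yaml` uses `AllFieldInfo` for the same value; presumably intentional to cover both header spellings, but a short comment in the fixture would remove the doubt. The `lazy_static!` block and the test functions begin and end outside these hunks.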
@@ -41,4 +41,4 @@ verbose-2:
 RecordID: "%RecordID%"
 RuleTitle: "%RuleTitle%"
 Details: "%Details%"
- AllFieldInfo: "%RecordInformation%"
\ No newline at end of file
+ AllFieldInfo: "%AllFieldInfo%"
\ No newline at end of file