feat(detection/pivot): added include and exclude by computer name in …

…pivot-keywords-list #1117
Yamato-Security · Jul 7, 2023 · 0c3068b · 0c3068b
1 parent 4294159
commit 0c3068b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 5 deletions.
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
@@ -25,7 +25,7 @@ use crate::filter;
 use crate::options::htmlreport;
 use crate::options::pivot::insert_pivot_keyword;
 use crate::yaml::ParseYaml;
-use hashbrown::{HashMap, HashSet};
+use hashbrown::HashMap;
 use serde_json::Value;
 use std::fmt::Write;
 use std::path::Path;
@@ -217,7 +217,14 @@ impl Detection {
             }
 
             if stored_static.pivot_keyword_list_flag {
-                insert_pivot_keyword(&record_info.record, &stored_static.eventkey_alias);
+                insert_pivot_keyword(
+                    &record_info.record,
+                    &stored_static.eventkey_alias,
+                    (
+                        &stored_static.include_computer,
+                        &stored_static.exclude_computer,
+                    ),
+                );
                 continue;
             }
 

diff --git a/src/options/pivot.rs b/src/options/pivot.rs
@@ -1,3 +1,5 @@
+use compact_str::CompactString;
+use hashbrown::HashSet;
 use indexmap::{IndexMap, IndexSet};
 use lazy_static::lazy_static;
 use serde_json::Value;
@@ -6,7 +8,7 @@ use std::sync::RwLock;
 use termcolor::{BufferWriter, Color, ColorChoice};
 
 use crate::detections::utils::{
-    get_serde_number_to_string, get_writable_color, write_color_buffer,
+    get_serde_number_to_string, get_writable_color, write_color_buffer, is_filtered_by_computer_name, get_event_value,
 };
 
 use crate::detections::configs::{EventKeyAliasConfig, StoredStatic};
@@ -39,8 +41,11 @@ impl PivotKeyword {
 
 ///levelがlowより大きいレコードの場合、keywordがrecord内にみつかれば、
 ///それをPIVOT_KEYWORD.keywordsに入れる。
-pub fn insert_pivot_keyword(event_record: &Value, eventkey_alias: &EventKeyAliasConfig) {
-    //levelがlow以上なら続ける
+pub fn insert_pivot_keyword(
+    event_record: &Value,
+    eventkey_alias: &EventKeyAliasConfig,
+    (include_computer, exclude_computer): (&HashSet<CompactString>, &HashSet<CompactString>),
+) {
     let mut is_exist_event_key = false;
     let mut tmp_event_record: &Value = event_record;
     for s in ["Event", "System", "Level"] {
@@ -59,6 +64,13 @@ pub fn insert_pivot_keyword(event_record: &Value, eventkey_alias: &EventKeyAlias
                 return;
             }
         }
+        if is_filtered_by_computer_name(
+            get_event_value("Event.System.Computer", event_record, eventkey_alias),
+            (include_computer, exclude_computer),
+        ) {
+            // include_computerで指定されたものに合致しないまたはexclude_computerで指定されたものに合致した場合は、検知対象外とする
+            return;
+        }
     } else {
         return;
     }