diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index ca040e634..1f7fd19f8 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -16,6 +16,10 @@
 - `metrics`と`logon-summary`コマンドのレコード数の表示が`csv-timeline`のコマンドでのレコード数の表示と異なっている状態を修正した。 (#1105) (@hitenkoku)
+**その他:**
+
+- ルールのIDベースでユニークな検出数をカウントするように修正した。 (#1111) (@hitenkoku)
+
 ## 2.6.0 [2023/06/16] "Ajisai Release"
 **新機能:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f13f5746..c7b5e2463 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,10 @@
 - The total number of records being displayed in the `metrics` and `logon-summary` commands differed from the `csv-timeline` command. (#1105) (@hitenkoku)
+**Other:**
+
+- The total counts of unique detections are now based on rule ID instead of rule file paths. (#1111) (@hitenkoku)
+
 ## 2.6.0 [2023/06/16] "Ajisai Release"
 **New Features:**
diff --git a/src/afterfact.rs b/src/afterfact.rs
index eb3e19d80..11d0098a9 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -276,6 +276,7 @@ fn emit_csv(
 let mut total_detect_counts_by_level: Vec = vec![0; 6];
 let mut unique_detect_counts_by_level: Vec = vec![0; 6];
 let mut detected_rule_files: HashSet = HashSet::new();
+ let mut detected_rule_ids: HashSet = HashSet::new();
 let mut detected_computer_and_rule_names: HashSet = HashSet::new();
 let mut detect_counts_by_date_and_level: HashMap> = HashMap::new();
@@ -474,6 +475,9 @@ fn emit_csv(
 .entry(CompactString::from(author))
 .or_insert(0) += 1;
 }
+ }
+ if !detected_rule_ids.contains(&detect_info.ruleid) {
+ detected_rule_ids.insert(detect_info.ruleid.to_owned());
 unique_detect_counts_by_level[level_suffix] += 1;
 }
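Review bot: The new `if !detected_rule_ids.contains(&detect_info.ruleid) { detected_rule_ids.insert(...); ... }` in the `@@ -474` hunk is a contains-then-insert pair that hashes the key twice; `HashSet::insert` already reports whether the value was new, so `if detected_rule_ids.insert(detect_info.ruleid.to_owned()) { unique_detect_counts_by_level[level_suffix] += 1; }` does the same work in one lookup and matches the `entry` idiom used a few lines above. The count itself also deserves a caveat: this diff fills `ruleid` from `rule.yaml["id"]` with `unwrap_or("-")`, so every rule that has no `id` shares the single key `"-"` and, after the first such rule, no longer contributes to the unique counts, and two rule files that carry the same id are merged the same way. If that is intended, say so at the declaration of `detected_rule_ids`, e.g. `// Unique detections are keyed by rule id; rules without an id all map to "-" and are counted once.`; otherwise fall back to the rule path when the id is missing. The `emit_csv` body continues outside this hunk on both sides, so I cannot see whether `detected_rule_files` is still needed for anything other than the author counter.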
@@ -920,7 +924,7 @@ fn _print_unique_results(
 .ok();
 let mut total_detect_md = vec!["- Total detections:".to_string()];
- let mut unique_detect_md = vec!["- Unique detecions:".to_string()];
+ let mut unique_detect_md = vec!["- Unique detections:".to_string()];
 for (i, level_name) in level_abbr.iter().enumerate() {
 if "undefined" == level_name[0] {
@@ -1748,6 +1752,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -1920,6 +1925,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
@@ -1941,6 +1947,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername),
@@ -2044,6 +2051,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -2215,6 +2223,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
@@ -2236,6 +2245,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername),
@@ -2328,6 +2338,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -2500,6 +2511,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
@@ -2521,6 +2533,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername),
@@ -2758,6 +2771,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -2929,6 +2943,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
@@ -2990,6 +3005,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -3161,6 +3177,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index f74c737ea..fa84fe587 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -656,6 +656,7 @@ impl Detection {
 let detect_info = DetectInfo {
 rulepath: CompactString::from(&rule.rulepath),
+ ruleid: CompactString::from(rule.yaml["id"].as_str().unwrap_or("-")),
 ruletitle: CompactString::from(rule.yaml["title"].as_str().unwrap_or("-")),
 level: CompactString::from(
 LEVEL_ABBR_MAP
@@ -871,6 +872,7 @@ impl Detection {
 let str_level = level.as_str();
 let detect_info = DetectInfo {
 rulepath: CompactString::from(&rule.rulepath),
+ ruleid: CompactString::from(rule.yaml["id"].as_str().unwrap_or("-")),
 ruletitle: CompactString::from(rule.yaml["title"].as_str().unwrap_or("-")),
 level: CompactString::from(
 LEVEL_ABBR_MAP
diff --git a/src/detections/message.rs b/src/detections/message.rs
index cd16dc4a8..73488d59a 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -28,6 +28,7 @@ use super::configs::EventKeyAliasConfig;
 #[derive(Debug, Clone)]
 pub struct DetectInfo {
 pub rulepath: CompactString,
+ pub ruleid: CompactString,
 pub ruletitle: CompactString,
 pub level: CompactString,
 pub computername: CompactString,
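Review bot: In the detection.rs hunks, `rule.yaml["id"].as_str().unwrap_or("-")` turns a missing or non-string `id` into the literal `"-"`, the same placeholder already used for a missing `title`; since afterfact.rs in this same diff now de-duplicates unique detections on `ruleid`, all id-less rules share one key and only the first of them is ever counted as unique. Falling back to the rule path keeps each such rule distinct, e.g. `ruleid: CompactString::from(rule.yaml["id"].as_str().unwrap_or(rule.rulepath.as_str())),` (this assumes `rulepath` is a `String`, as `CompactString::from(&rule.rulepath)` on the previous line suggests). The identical expression is pasted into both `DetectInfo` literals (`@@ -656` and `@@ -871`); an accessor on the rule such as `fn id(&self) -> &str` would keep the lookup and its fallback in one place. Both `DetectInfo` literals start and end outside their hunks, so I only see the `rulepath`/`ruleid`/`ruletitle`/`level` fields here.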
@@ -749,6 +750,7 @@ mod tests {
 for i in 1..2001 {
 let detect_info = DetectInfo {
 rulepath: CompactString::default(),
+ ruleid: CompactString::default(),
 ruletitle: CompactString::default(),
 level: CompactString::default(),
 computername: CompactString::default(),