From 0aeeffb0e885fd1bce54be925563eb8d595956a8 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 1 Jul 2023 13:19:48 +0900
Subject: [PATCH 1/6] fix(afterfact/detection/message): replaced unique detections count by filename with ruleid #1111
---
 src/afterfact.rs | 4 ++++
 src/detections/detection.rs | 2 ++
 src/detections/message.rs | 1 +
 3 files changed, 7 insertions(+)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index eb3e19d80..5160d3139 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -276,6 +276,7 @@ fn emit_csv(
 let mut total_detect_counts_by_level: Vec = vec![0; 6];
 let mut unique_detect_counts_by_level: Vec = vec![0; 6];
 let mut detected_rule_files: HashSet = HashSet::new();
+ let mut detected_rule_ids: HashSet = HashSet::new();
 let mut detected_computer_and_rule_names: HashSet = HashSet::new();
 let mut detect_counts_by_date_and_level: HashMap> = HashMap::new();
@@ -474,6 +475,9 @@ fn emit_csv(
 .entry(CompactString::from(author))
 .or_insert(0) += 1;
 }
+ }
+ if !detected_rule_ids.contains(&detect_info.ruleid) {
+ detected_rule_ids.insert(detect_info.ruleid.to_owned());
 unique_detect_counts_by_level[level_suffix] += 1;
 }
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index f74c737ea..fa84fe587 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -656,6 +656,7 @@ impl Detection {
 let detect_info = DetectInfo {
 rulepath: CompactString::from(&rule.rulepath),
+ ruleid: CompactString::from(rule.yaml["id"].as_str().unwrap_or("-")),
 ruletitle: CompactString::from(rule.yaml["title"].as_str().unwrap_or("-")),
 level: CompactString::from(
 LEVEL_ABBR_MAP
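Review bot: The new `if !detected_rule_ids.contains(&detect_info.ruleid)` block undercounts unique detections whenever a rule has no `id`, because detection.rs fills `ruleid` with the placeholder `"-"` for such rules, so every id-less rule after the first is folded into a single entry of `unique_detect_counts_by_level`; rules that share an `id` (copied or forked rule files) collapse the same way, which the previous `rulepath` key did not. Falling back to the path when the id is the placeholder keeps the count meaningful, and `HashSet::insert` already returns whether the key was new, so the separate `contains` lookup can go: `let unique_key = if detect_info.ruleid.as_str() == "-" { &detect_info.rulepath } else { &detect_info.ruleid };` followed by `if detected_rule_ids.insert(unique_key.to_owned()) { unique_detect_counts_by_level[level_suffix] += 1; }`. The placeholder value is inferred only from the detection.rs hunks in this same patch, so confirm no other site constructs `DetectInfo` with a different fallback. emit_csv begins and ends outside the hunk.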
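Review bot: `CompactString::from(rule.yaml["id"].as_str().unwrap_or("-"))` is written out identically in both `DetectInfo` constructions of this file (here and in the @@ -871 hunk), and the `"-"` fallback is now load-bearing because afterfact.rs dedupes unique detections on this field; a small helper keeps both sites in step and gives the fallback a name, e.g. `fn rule_id_of(yaml: &Yaml) -> CompactString { CompactString::from(yaml["id"].as_str().unwrap_or("-")) }` used as `ruleid: rule_id_of(&rule.yaml),` at both sites (the concrete type of `rule.yaml` is not visible here; use whatever it is). A comment on the helper such as `// "-" means the rule declares no id; afterfact treats all such rules as one unique detection` would document the coupling. The enclosing method starts and ends outside the hunk.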
@@ -871,6 +872,7 @@ impl Detection {
 let str_level = level.as_str();
 let detect_info = DetectInfo {
 rulepath: CompactString::from(&rule.rulepath),
+ ruleid: CompactString::from(rule.yaml["id"].as_str().unwrap_or("-")),
 ruletitle: CompactString::from(rule.yaml["title"].as_str().unwrap_or("-")),
 level: CompactString::from(
 LEVEL_ABBR_MAP
diff --git a/src/detections/message.rs b/src/detections/message.rs
index cd16dc4a8..f8033ae39 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -28,6 +28,7 @@ use super::configs::EventKeyAliasConfig;
 #[derive(Debug, Clone)]
 pub struct DetectInfo {
 pub rulepath: CompactString,
+ pub ruleid: CompactString,
 pub ruletitle: CompactString,
 pub level: CompactString,
 pub computername: CompactString,
From e240672585bb307a290657fb56b5557b7fd6c282 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 1 Jul 2023 13:21:03 +0900
Subject: [PATCH 2/6] test: adjusted test by add field in DetectInfo #1111
---
 src/afterfact.rs | 13 +++++++++++++
 src/detections/message.rs | 1 +
 2 files changed, 14 insertions(+)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 5160d3139..787c189c5 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -1752,6 +1752,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -1924,6 +1925,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
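Review bot: The added `pub ruleid: CompactString` field carries no doc comment even though afterfact.rs now keys its unique-detection count on it, and nothing in the struct tells a reader that the value may be a placeholder rather than a real id; a one-line doc comment fixes that, e.g. `/// The rule's id value as read from its YAML, or "-" when the rule declares none (see the DetectInfo constructions in detection.rs).` Sibling fields such as `rulepath` and `ruletitle` are equally undocumented, so the same treatment could be extended to them in a follow-up. The struct's closing brace is outside the hunk.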
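Review bot: Every fixture in this patch gives both `DetectInfo` values the same `test_rule_id` and the same `test_rulepath`, so as far as these hunks show no test distinguishes the new id-based uniqueness from the old path-based one; a case with two detections that share `rulepath` but differ in `ruleid` (or the reverse), plus an assertion on the resulting unique count, would pin the behavior that #1111 changes. Assertions on unique counts may exist outside the hunk, in which case only the fixture variation is missing. The test function starts and ends outside the hunk.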
@@ -1945,6 +1947,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername),
@@ -2048,6 +2051,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -2219,6 +2223,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
@@ -2240,6 +2245,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername),
@@ -2332,6 +2338,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -2504,6 +2511,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
@@ -2525,6 +2533,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername),
@@ -2762,6 +2771,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -2933,6 +2943,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
@@ -2994,6 +3005,7 @@ mod tests {
 );
 let test_filepath: &str = "test.evtx";
 let test_rulepath: &str = "test-rule.yml";
+ let test_rule_id: &str = "00000000-0000-0000-0000-000000000000";
 let test_title = "test_title";
 let test_level = "high";
 let test_computername = "testcomputer";
@@ -3165,6 +3177,7 @@ mod tests {
 CompactString::new(output),
 DetectInfo {
 rulepath: CompactString::from(test_rulepath),
+ ruleid: test_rule_id.into(),
 ruletitle: CompactString::from(test_title),
 level: CompactString::from(test_level),
 computername: CompactString::from(test_computername2),
diff --git a/src/detections/message.rs b/src/detections/message.rs
index f8033ae39..73488d59a 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -750,6 +750,7 @@ mod tests {
 for i in 1..2001 {
 let detect_info = DetectInfo {
 rulepath: CompactString::default(),
+ ruleid: CompactString::default(),
 ruletitle: CompactString::default(),
 level: CompactString::default(),
 computername: CompactString::default(),
From 045ae5b4106313bc7663d3591320831d412b6f82 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 1 Jul 2023 13:26:11 +0900
Subject: [PATCH 3/6] docs(added #1111):
---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index ca040e634..664593aa2 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -15,6 +15,7 @@ **バグ修正:**
 - `metrics`と`logon-summary`コマンドのレコード数の表示が`csv-timeline`のコマンドでのレコード数の表示と異なっている状態を修正した。 (#1105) (@hitenkoku)
+- ルールのIDベースでユニークな検出数をカウントするように修正した。 (#1111) (@hitenkoku)
 ## 2.6.0 [2023/06/16] "Ajisai Release"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f13f5746..4a6f06644 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ **Bug Fixes:**
 - The total number of records being displayed in the `metrics` and `logon-summary` commands differed from the `csv-timeline` command. (#1105) (@hitenkoku)
+- Fixed to count the number of unique detections based on the ID of rules. (#1111) (@hitenkoku)
 ## 2.6.0 [2023/06/16] "Ajisai Release"
From 96cf586c1a9bd49083fbf87b76bffb51fcfb0691 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 1 Jul 2023 14:37:43 +0900
Subject: [PATCH 4/6] update changelog en
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a6f06644..affcc58b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,7 +15,7 @@ **Bug Fixes:**
 - The total number of records being displayed in the `metrics` and `logon-summary` commands differed from the `csv-timeline` command. (#1105) (@hitenkoku)
-- Fixed to count the number of unique detections based on the ID of rules. (#1111) (@hitenkoku)
+- The total counts of unique detections are now based on rule ID instead of rule file paths. (#1111) (@hitenkoku)
 ## 2.6.0 [2023/06/16] "Ajisai Release"
From c6e1e2339d4c088c523eaa604c697abe1e5d46f9 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 1 Jul 2023 16:02:43 +0900
Subject: [PATCH 5/6] fix detections typo
---
 src/afterfact.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 787c189c5..11d0098a9 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -924,7 +924,7 @@ fn _print_unique_results(
 .ok();
 let mut total_detect_md = vec!["- Total detections:".to_string()];
- let mut unique_detect_md = vec!["- Unique detecions:".to_string()];
+ let mut unique_detect_md = vec!["- Unique detections:".to_string()];
 for (i, level_name) in level_abbr.iter().enumerate() {
 if "undefined" == level_name[0] {
From 28345f8e56736f262c5ff69e4fc1ab8ee9b2f50b Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sun, 2 Jul 2023 05:35:15 +0900
Subject: [PATCH 6/6] update changelog
---
 CHANGELOG-Japanese.md | 3 +++
 CHANGELOG.md | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 664593aa2..1f7fd19f8 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -15,6 +15,9 @@ **バグ修正:**
 - `metrics`と`logon-summary`コマンドのレコード数の表示が`csv-timeline`のコマンドでのレコード数の表示と異なっている状態を修正した。 (#1105) (@hitenkoku)
+
+**その他:**
+
 - ルールのIDベースでユニークな検出数をカウントするように修正した。 (#1111) (@hitenkoku)
 ## 2.6.0 [2023/06/16] "Ajisai Release"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index affcc58b5..c7b5e2463 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,9 @@ **Bug Fixes:**
 - The total number of records being displayed in the `metrics` and `logon-summary` commands differed from the `csv-timeline` command. (#1105) (@hitenkoku)
+
+**Other:**
+
 - The total counts of unique detections are now based on rule ID instead of rule file paths. (#1111) (@hitenkoku)
 ## 2.6.0 [2023/06/16] "Ajisai Release"