feat: add support for Data[x] notation and Provider_name(filed mappin…

…g feature)
Yamato-Security · May 19, 2024 · ed6b7e7 · ed6b7e7
1 parent b8b0f86
commit ed6b7e7
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
@@ -716,8 +716,9 @@ impl Detection {
             FieldDataMapKey::default()
         } else {
             FieldDataMapKey {
-                channel: CompactString::from(ch_str.clone().to_lowercase()),
+                channel: CompactString::from(ch_str.to_lowercase()),
                 event_id: eid.clone(),
+                provider: CompactString::from(provider.to_lowercase()),
             }
         };
         let detect_info = DetectInfo {

diff --git a/src/detections/field_data_map.rs b/src/detections/field_data_map.rs
@@ -17,10 +17,11 @@ pub enum FieldDataConverter {
     ReplaceStr((AhoCorasick, Vec<String>)),
 }
 
-#[derive(Debug, Eq, Hash, PartialEq, Default, Clone)]
+#[derive(Debug, Default, Clone, PartialEq, Eq, Hash)]
 pub struct FieldDataMapKey {
     pub channel: CompactString,
     pub event_id: CompactString,
+    pub provider: CompactString,
 }
 
 impl FieldDataMapKey {
@@ -38,6 +39,12 @@ impl FieldDataMapKey {
                     .unwrap_or_default()
                     .to_string(),
             ),
+            provider: CompactString::from(
+                yaml_data["Provider_Name"]
+                    .as_str()
+                    .unwrap_or_default()
+                    .to_lowercase(),
+            ),
         }
     }
 }
@@ -189,6 +196,7 @@ mod tests {
         let key = FieldDataMapKey {
             channel: CompactString::from("Security".to_lowercase()),
             event_id: CompactString::from("4625".to_string()),
+            provider: CompactString::from(""),
         };
         map.insert(key.clone(), HashMap::new());
         let r = convert_field_data(&map, &key, "", "");

diff --git a/src/detections/message.rs b/src/detections/message.rs
@@ -314,6 +314,7 @@ pub fn parse_message(
                 .unwrap_or(tmp_event_record)
                 .get((suffix - 1) as usize)
                 .unwrap_or(tmp_event_record);
+            field = target_str;
         }
         let hash_value = get_serde_number_to_string(tmp_event_record, false);
         if hash_value.is_some() {