Merge pull request #1347 from Yamato-Security/1342-output-hyphen-when…

…-no-content output `-` when count rules's output has no content
Yamato-Security · May 18, 2024 · 69b7793 · 69b7793
2 parents 2845ad1 + c7c471c
commit 69b7793
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/src/afterfact.rs b/src/afterfact.rs
@@ -1231,7 +1231,11 @@ fn _get_serialized_disp_output(
                             output_str_char_pair.push(field_val_col_pair);
                         }
                     }
-                    output_str_char_pair
+                    if output_str_char_pair.is_empty() {
+                        vec![vec![(display_contents, None)]]
+                    } else {
+                        output_str_char_pair
+                    }
                 }
                 _ => {
                     vec![vec![(display_contents, None)]]

diff --git a/src/detections/detection.rs b/src/detections/detection.rs
@@ -806,7 +806,7 @@ impl Detection {
                     profile_converter.insert(key.as_str(), EventID("-".into()));
                 }
                 RecordID(_) => {
-                    profile_converter.insert(key.as_str(), RecordID("".into()));
+                    profile_converter.insert(key.as_str(), RecordID("-".into()));
                 }
                 RuleTitle(_) => {
                     profile_converter.insert(

diff --git a/src/detections/message.rs b/src/detections/message.rs
@@ -194,7 +194,7 @@ pub fn create_message(
                     if is_json_timeline {
                         record_details_info_map
                             .insert("#ExtraFieldInfo".into(), vec![CompactString::from("-")]);
-                        replaced_profiles.push((key.to_owned(), ExtraFieldInfo("".into())));
+                        replaced_profiles.push((key.to_owned(), ExtraFieldInfo("-".into())));
                     } else {
                         replaced_profiles.push((key.to_owned(), ExtraFieldInfo("-".into())));
                     }
@@ -230,7 +230,7 @@ pub fn create_message(
                     .collect();
                 if is_json_timeline {
                     record_details_info_map.insert("#ExtraFieldInfo".into(), extra_field_vec);
-                    replaced_profiles.push((key.to_owned(), ExtraFieldInfo("".into())));
+                    replaced_profiles.push((key.to_owned(), ExtraFieldInfo("-".into())));
                 } else if extra_field_vec.is_empty() {
                     replaced_profiles.push((key.to_owned(), ExtraFieldInfo("-".into())));
                 } else {