Add --disable-abbreviations option #1485

Closed
fukusuket opened this issue Nov 12, 2024 · 1 comment · Fixed by #1497

fukusuket (Collaborator) commented Nov 12, 2024

#1474 (comment)

  1. I would like to do channel and provider abbreviation by default but add a -a --disable-abbreviations Disable abbreviations option under General Options to preserve the names as-is. I'd like to add this option to eid-metrics and csv-timeline and json-timeline as well as sometimes it is necessary to look up the original Channel and Provider names. We could create a separate issue for this though.
@fukusuket fukusuket added the enhancement New feature or request label Nov 12, 2024
@fukusuket fukusuket added this to the 2.19.0 milestone Nov 12, 2024
@fukusuket fukusuket self-assigned this Nov 12, 2024
fukusuket (Collaborator, Author) commented Nov 15, 2024

memo

command

The following commands take effect when this option is set.

  • csv-timeline
  • json-timeline
  • search
  • eid-metrics
  • log-metrics

The following commands do not require this option.

  • computer-metrics
  • level-tuning
  • list-contributors
  • list-profiles
  • logon-summary
  • pivot-keywords-list
  • set-default-profile
  • update-rules
  • help

Among the commands that do not require this option, the following commands use the General Options.

  • computer-metrics
  • logon-summary
  • pivot-keywords-list

impl

  • https://github.com/Yamato-Security/hayabusa/blob/main/src/detections/configs.rs#L103
  • https://github.com/Yamato-Security/hayabusa/blob/main/src/detections/configs.rs#L106
```rust
// Channel abbreviation: exact lookup in ch_config keyed by the lower-cased channel name
// (falling back to the channel as-is), then the generic replacements in disp_abbr_generic.
fn replace_channel_abbr(stored_static: &StoredStatic, fmted_channel: &CompactString) -> String {
    stored_static.disp_abbr_generic.replace_all(
        stored_static
            .ch_config
            .get(&fmted_channel.to_ascii_lowercase())
            .unwrap_or(fmted_channel)
            .as_str(),
        &stored_static.disp_abbr_general_values,
    )
}

// Provider abbreviation: same shape, but the provider_abbr_config lookup is case-sensitive
// (no to_ascii_lowercase on the key).
fn replace_provider_abbr(stored_static: &StoredStatic, fmted_provider: &CompactString) -> String {
    stored_static.disp_abbr_generic.replace_all(
        stored_static
            .provider_abbr_config
            .get(fmted_provider)
            .unwrap_or(fmted_provider),
        &stored_static.disp_abbr_general_values,
    )
}
```

```rust
// Profile conversion: the same provider lookup inlined for the Provider profile field.
Provider(_) => {
    let provider_value = CompactString::from(
        record_info.record["Event"]["System"]["Provider_attributes"]["Name"]
            .to_string()
            .replace('\"', ""),
    );
    profile_converter.insert(
        key.as_str(),
        Provider(
            stored_static
                .disp_abbr_generic
                .replace_all(
                    stored_static
                        .provider_abbr_config
                        .get(&provider_value)
                        .unwrap_or(&provider_value),
                    &stored_static.disp_abbr_general_values,
                )
                .into(),
        ),
    );
}
```

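As an added illustration (not Hayabusa's own code), the two-stage abbreviation from the snippets above with a disable_abbreviations switch modelled on the proposed option: an exact table lookup first, then generic substring replacements, with the switch returning the original Channel and Provider names untouched so they can still be matched against other tooling. The AbbrConfig struct, the std-only substring replacement that stands in for disp_abbr_generic / disp_abbr_general_values, and every table entry are constructed assumptions, not the project's shipped configuration.

```rust
use std::collections::HashMap;

/// Constructed stand-in for the abbreviation state Hayabusa keeps in StoredStatic
/// (assumption: field names mirror the snippets in this issue, not the real struct).
pub struct AbbrConfig {
    /// Exact-match channel abbreviations, keyed by the lower-cased channel name.
    pub ch_config: HashMap<String, String>,
    /// Exact-match provider abbreviations, keyed by the provider name as-is (case-sensitive).
    pub provider_abbr_config: HashMap<String, String>,
    /// Generic substring replacements applied after the exact lookup; a std-only stand-in
    /// for disp_abbr_generic / disp_abbr_general_values.
    pub generic: Vec<(String, String)>,
    /// Mirrors the proposed --disable-abbreviations option.
    pub disable_abbreviations: bool,
}

impl AbbrConfig {
    /// Builds a config from constructed sample tables (assumption: not Hayabusa's config files).
    pub fn sample(disable_abbreviations: bool) -> Self {
        let mut ch_config = HashMap::new();
        ch_config.insert("security".to_string(), "Sec".to_string());
        ch_config.insert("microsoft-windows-sysmon/operational".to_string(), "Sysmon".to_string());
        let mut provider_abbr_config = HashMap::new();
        provider_abbr_config.insert("Microsoft-Windows-Sysmon".to_string(), "Sysmon".to_string());
        let generic = vec![
            ("Microsoft-Windows-".to_string(), "MS-Win-".to_string()),
            ("/Operational".to_string(), "/Op".to_string()),
        ];
        AbbrConfig { ch_config, provider_abbr_config, generic, disable_abbreviations }
    }

    /// Applies the generic replacements in order (the regex/Aho-Corasick step in the project).
    fn apply_generic(&self, s: &str) -> String {
        let mut out = s.to_string();
        for (from, to) in &self.generic {
            out = out.replace(from.as_str(), to.as_str());
        }
        out
    }

    /// Channel display name: with the option off, case-insensitive exact lookup then generic
    /// replacements; with the option on, the original channel name is returned unchanged.
    pub fn channel(&self, fmted_channel: &str) -> String {
        if self.disable_abbreviations {
            return fmted_channel.to_string();
        }
        let looked_up = self
            .ch_config
            .get(&fmted_channel.to_ascii_lowercase())
            .map(String::as_str)
            .unwrap_or(fmted_channel);
        self.apply_generic(looked_up)
    }

    /// Provider display name: same shape, but the exact lookup is case-sensitive, as in the
    /// snippet above (no to_ascii_lowercase on the provider key).
    pub fn provider(&self, fmted_provider: &str) -> String {
        if self.disable_abbreviations {
            return fmted_provider.to_string();
        }
        let looked_up = self
            .provider_abbr_config
            .get(fmted_provider)
            .map(String::as_str)
            .unwrap_or(fmted_provider);
        self.apply_generic(looked_up)
    }
}

fn main() {
    // Constructed sample record fields.
    let channel = "Microsoft-Windows-PowerShell/Operational";
    let provider = "Microsoft-Windows-Sysmon";
    for disabled in [false, true] {
        let cfg = AbbrConfig::sample(disabled);
        println!(
            "disable_abbreviations={disabled}: Channel={} Provider={}",
            cfg.channel(channel),
            cfg.provider(provider)
        );
    }
}
```

Note the asymmetry carried over from the snippets: the channel lookup lower-cases its key, the provider lookup does not, so a provider name that differs only in case misses the table and only the generic replacements apply. That is one more reason the as-is names matter when an abbreviated value has to be traced back to its source.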