rename timeline_offset to time_offset
YamatoSecurity committed Nov 12, 2024
1 parent 00b062b commit ce3e466
Showing 16 changed files with 91 additions and 91 deletions.
28 changes: 14 additions & 14 deletions src/afterfact.rs
Expand Up @@ -2322,7 +2322,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -2417,7 +2417,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -2670,7 +2670,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: Some("verbose-2".to_string()),
enable_deprecated_rules: false,
Expand Down Expand Up @@ -2775,7 +2775,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: Some("verbose-2".to_string()),
enable_deprecated_rules: false,
Expand Down Expand Up @@ -3012,7 +3012,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -3107,7 +3107,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -3355,7 +3355,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -3450,7 +3450,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -3771,7 +3771,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -3867,7 +3867,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -4132,7 +4132,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -4228,7 +4228,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -4418,7 +4418,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -4514,7 +4514,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
profile: None,
enable_deprecated_rules: false,
84 changes: 42 additions & 42 deletions src/detections/configs.rs
Expand Up @@ -133,7 +133,7 @@ pub struct StoredStatic {
pub field_data_map: Option<FieldDataMap>,
pub no_pwsh_field_extraction: bool,
pub enable_recover_records: bool,
pub timeline_offset: Option<String>,
pub time_offset: Option<String>,
pub is_low_memory: bool,
pub enable_all_rules: bool,
pub scan_all_evtx_files: bool,
Expand Down Expand Up @@ -597,17 +597,17 @@ impl StoredStatic {
Some(Action::LogMetrics(opt)) => opt.input_args.recover_records,
_ => false,
};
let timeline_offset = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt.output_options.input_args.timeline_offset.clone(),
let time_offset = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt.output_options.input_args.time_offset.clone(),
Some(Action::JsonTimeline(opt)) => {
opt.output_options.input_args.timeline_offset.clone()
opt.output_options.input_args.time_offset.clone()
}
Some(Action::EidMetrics(opt)) => opt.input_args.timeline_offset.clone(),
Some(Action::LogonSummary(opt)) => opt.input_args.timeline_offset.clone(),
Some(Action::PivotKeywordsList(opt)) => opt.input_args.timeline_offset.clone(),
Some(Action::Search(opt)) => opt.input_args.timeline_offset.clone(),
Some(Action::ComputerMetrics(opt)) => opt.input_args.timeline_offset.clone(),
Some(Action::LogMetrics(opt)) => opt.input_args.timeline_offset.clone(),
Some(Action::EidMetrics(opt)) => opt.input_args.time_offset.clone(),
Some(Action::LogonSummary(opt)) => opt.input_args.time_offset.clone(),
Some(Action::PivotKeywordsList(opt)) => opt.input_args.time_offset.clone(),
Some(Action::Search(opt)) => opt.input_args.time_offset.clone(),
Some(Action::ComputerMetrics(opt)) => opt.input_args.time_offset.clone(),
Some(Action::LogMetrics(opt)) => opt.input_args.time_offset.clone(),
_ => None,
};
let include_status: HashSet<CompactString> = match &input_config.as_ref().unwrap().action {
Expand Down Expand Up @@ -765,7 +765,7 @@ impl StoredStatic {
field_data_map,
no_pwsh_field_extraction: no_pwsh_field_extraction_flag,
enable_recover_records,
timeline_offset,
time_offset,
include_status,
is_low_memory,
enable_all_rules,
Expand Down Expand Up @@ -1644,8 +1644,8 @@ pub struct InputOption {
pub recover_records: bool,

/// Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
#[arg(help_heading = Some("Filtering"), long = "timeline-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]
pub timeline_offset: Option<String>,
#[arg(help_heading = Some("Filtering"), long = "time-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]
pub time_offset: Option<String>,
}

#[derive(Args, Clone, Debug)]
Expand Down Expand Up @@ -1890,9 +1890,9 @@ impl TargetEventTime {
}
};

let get_timeline_offset =
|timeline_offset: &Option<String>, parse_success_flag: &mut bool| {
if let Some(timeline_offline) = timeline_offset {
let get_time_offset =
|time_offset: &Option<String>, parse_success_flag: &mut bool| {
if let Some(timeline_offline) = time_offset {
let timekey = ['y', 'M', 'd', 'h', 'm', 's'];
let mut time_num = [0, 0, 0, 0, 0, 0];
for (idx, key) in timekey.iter().enumerate() {
Expand Down Expand Up @@ -1962,13 +1962,13 @@ impl TargetEventTime {
};

let mut parse_success_flag = true;
let timeline_offset =
get_timeline_offset(&stored_static.timeline_offset, &mut parse_success_flag);
let time_offset =
get_time_offset(&stored_static.time_offset, &mut parse_success_flag);
match &stored_static.config.action.as_ref().unwrap() {
Action::CsvTimeline(option) => {
let start_time = if timeline_offset.is_some() {
let start_time = if time_offset.is_some() {
get_time(
timeline_offset.as_ref(),
time_offset.as_ref(),
"Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
&mut parse_success_flag,
)
Expand All @@ -1987,9 +1987,9 @@ impl TargetEventTime {
Self::set(parse_success_flag, start_time, end_time)
}
Action::JsonTimeline(option) => {
let start_time = if timeline_offset.is_some() {
let start_time = if time_offset.is_some() {
get_time(
timeline_offset.as_ref(),
time_offset.as_ref(),
"Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
&mut parse_success_flag,
)
Expand All @@ -2008,9 +2008,9 @@ impl TargetEventTime {
Self::set(parse_success_flag, start_time, end_time)
}
Action::PivotKeywordsList(option) => {
let start_time = if timeline_offset.is_some() {
let start_time = if time_offset.is_some() {
get_time(
timeline_offset.as_ref(),
time_offset.as_ref(),
"Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
&mut parse_success_flag,
)
Expand All @@ -2029,9 +2029,9 @@ impl TargetEventTime {
Self::set(parse_success_flag, start_time, end_time)
}
Action::LogonSummary(option) => {
let start_time = if timeline_offset.is_some() {
let start_time = if time_offset.is_some() {
get_time(
timeline_offset.as_ref(),
time_offset.as_ref(),
"Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
&mut parse_success_flag,
)
Expand All @@ -2053,9 +2053,9 @@ impl TargetEventTime {
| Action::EidMetrics(_)
| Action::ComputerMetrics(_)
| Action::Search(_) => {
let start_time = if timeline_offset.is_some() {
let start_time = if time_offset.is_some() {
get_time(
timeline_offset.as_ref(),
time_offset.as_ref(),
"Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
&mut parse_success_flag,
)
Expand Down Expand Up @@ -2514,7 +2514,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
enable_deprecated_rules: false,
enable_noisy_rules: false,
Expand Down Expand Up @@ -2574,7 +2574,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: None,
time_offset: None,
},
enable_deprecated_rules: true,
enable_noisy_rules: true,
Expand Down Expand Up @@ -2843,7 +2843,7 @@ mod tests {
}

#[test]
fn test_timeline_offset_csv() {
fn test_time_offset_csv() {
let csv_timeline = StoredStatic::create_static_data(Some(Config {
action: Some(Action::CsvTimeline(CsvOutputOption {
output_options: OutputOption {
Expand All @@ -2852,7 +2852,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: Some("1d".to_string()),
time_offset: Some("1d".to_string()),
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -2923,7 +2923,7 @@ mod tests {
}

#[test]
fn test_timeline_offset_json() {
fn test_time_offset_json() {
let json_timeline = StoredStatic::create_static_data(Some(Config {
action: Some(Action::JsonTimeline(JSONOutputOption {
output_options: OutputOption {
Expand All @@ -2932,7 +2932,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: Some("1y".to_string()),
time_offset: Some("1y".to_string()),
},
profile: None,
enable_deprecated_rules: false,
Expand Down Expand Up @@ -3003,7 +3003,7 @@ mod tests {
}

#[test]
fn test_timeline_offset_search() {
fn test_time_offset_search() {
let json_timeline = StoredStatic::create_static_data(Some(Config {
action: Some(Action::Search(SearchOption {
output: None,
Expand All @@ -3017,7 +3017,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: Some("1h".to_string()),
time_offset: Some("1h".to_string()),
},
keywords: Some(vec!["mimikatz".to_string()]),
regex: None,
Expand Down Expand Up @@ -3052,7 +3052,7 @@ mod tests {
}

#[test]
fn test_timeline_offset_eid_metrics() {
fn test_time_offset_eid_metrics() {
let eid_metrics = StoredStatic::create_static_data(Some(Config {
action: Some(Action::EidMetrics(EidMetricsOption {
output: None,
Expand All @@ -3066,7 +3066,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: Some("1h1m".to_string()),
time_offset: Some("1h1m".to_string()),
},
clobber: true,
time_format_options: TimeFormatOptions {
Expand Down Expand Up @@ -3098,7 +3098,7 @@ mod tests {
}

#[test]
fn test_timeline_offset_logon_summary() {
fn test_time_offset_logon_summary() {
let logon_summary = StoredStatic::create_static_data(Some(Config {
action: Some(Action::LogonSummary(LogonSummaryOption {
output: None,
Expand All @@ -3112,7 +3112,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: Some("1y1d1h".to_string()),
time_offset: Some("1y1d1h".to_string()),
},
clobber: true,
time_format_options: TimeFormatOptions {
Expand Down Expand Up @@ -3150,7 +3150,7 @@ mod tests {
}

#[test]
fn test_timeline_offset_pivot() {
fn test_time_offset_pivot() {
let pivot_keywords_list = StoredStatic::create_static_data(Some(Config {
action: Some(Action::PivotKeywordsList(PivotKeywordOption {
output: None,
Expand All @@ -3164,7 +3164,7 @@ mod tests {
filepath: None,
live_analysis: false,
recover_records: false,
timeline_offset: Some("1y1M1s".to_string()),
time_offset: Some("1y1M1s".to_string()),
},
clobber: true,
detect_common_options: DetectCommonOption {
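Review bot: The `long = "time-offset"` change on the `#[arg]` line of `InputOption` drops the `--timeline-offset` spelling outright, so any existing automation or documentation that still passes the old flag will fail clap's argument parsing instead of degrading; if one release of compatibility is wanted, the old name can be kept as an alias, e.g. `#[arg(help_heading = Some("Filtering"), long = "time-offset", alias = "timeline-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]`. The rename also left the inner binding `timeline_offline` in the `get_time_offset` closure, which reads as a typo of the old name; `if let Some(time_offset_str) = time_offset {` would match the new vocabulary. The user-facing strings `"Invalid timeline offset. Please use one of the following formats: ..."` in `TargetEventTime` still say "timeline offset", which is acceptable prose but worth aligning with the new flag name so error output and `--help` agree. The `get_time_offset` closure body and the `TargetEventTime` impl continue outside the hunk.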

0 comments on commit ce3e466
