From ce3e466efa6d18328d4d2c9dd2e3c09667183f59 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 13 Nov 2024 07:51:56 +0900
Subject: [PATCH] rename timeline_offset to time_offset

---
 src/afterfact.rs | 28 ++++-----
 src/detections/configs.rs | 84 ++++++++++++-------
 src/detections/detection.rs | 10 +--
 src/detections/rule/condition_parser.rs | 2 +-
 src/detections/rule/count.rs | 2 +-
 src/detections/rule/matchers.rs | 2 +-
 src/detections/rule/mod.rs | 2 +-
 src/detections/rule/selectionnodes.rs | 2 +-
 src/detections/utils.rs | 2 +-
 src/main.rs | 22 +++----
 src/options/htmlreport.rs | 8 +--
 src/options/profile.rs | 6 +-
 src/timeline/computer_metrics.rs | 2 +-
 src/timeline/metrics.rs | 2 +-
 src/timeline/timelines.rs | 6 +-
 src/yaml.rs | 2 +-
 16 files changed, 91 insertions(+), 91 deletions(-)

diff --git a/src/afterfact.rs b/src/afterfact.rs
index 628a87f4f..3c74d183b 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -2322,7 +2322,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2417,7 +2417,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2670,7 +2670,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: Some("verbose-2".to_string()),
 enable_deprecated_rules: false,
@@ -2775,7 +2775,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: Some("verbose-2".to_string()),
 enable_deprecated_rules: false,
@@ -3012,7 +3012,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -3107,7 +3107,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -3355,7 +3355,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -3450,7 +3450,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -3771,7 +3771,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -3867,7 +3867,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -4132,7 +4132,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -4228,7 +4228,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -4418,7 +4418,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -4514,7 +4514,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 735e0a3e9..073ceb0a6 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -133,7 +133,7 @@ pub struct StoredStatic {
 pub field_data_map: Option,
 pub no_pwsh_field_extraction: bool,
 pub enable_recover_records: bool,
- pub timeline_offset: Option,
+ pub time_offset: Option,
 pub is_low_memory: bool,
 pub enable_all_rules: bool,
 pub scan_all_evtx_files: bool,
@@ -597,17 +597,17 @@ impl StoredStatic {
 Some(Action::LogMetrics(opt)) => opt.input_args.recover_records,
 _ => false,
 };
- let timeline_offset = match &input_config.as_ref().unwrap().action {
- Some(Action::CsvTimeline(opt)) => opt.output_options.input_args.timeline_offset.clone(),
+ let time_offset = match &input_config.as_ref().unwrap().action {
+ Some(Action::CsvTimeline(opt)) => opt.output_options.input_args.time_offset.clone(),
 Some(Action::JsonTimeline(opt)) => {
- opt.output_options.input_args.timeline_offset.clone()
+ opt.output_options.input_args.time_offset.clone()
 }
- Some(Action::EidMetrics(opt)) => opt.input_args.timeline_offset.clone(),
- Some(Action::LogonSummary(opt)) => opt.input_args.timeline_offset.clone(),
- Some(Action::PivotKeywordsList(opt)) => opt.input_args.timeline_offset.clone(),
- Some(Action::Search(opt)) => opt.input_args.timeline_offset.clone(),
- Some(Action::ComputerMetrics(opt)) => opt.input_args.timeline_offset.clone(),
- Some(Action::LogMetrics(opt)) => opt.input_args.timeline_offset.clone(),
+ Some(Action::EidMetrics(opt)) => opt.input_args.time_offset.clone(),
+ Some(Action::LogonSummary(opt)) => opt.input_args.time_offset.clone(),
+ Some(Action::PivotKeywordsList(opt)) => opt.input_args.time_offset.clone(),
+ Some(Action::Search(opt)) => opt.input_args.time_offset.clone(),
+ Some(Action::ComputerMetrics(opt)) => opt.input_args.time_offset.clone(),
+ Some(Action::LogMetrics(opt)) => opt.input_args.time_offset.clone(),
 _ => None,
 };
 let include_status: HashSet = match &input_config.as_ref().unwrap().action {
@@ -765,7 +765,7 @@ impl StoredStatic {
 field_data_map,
 no_pwsh_field_extraction: no_pwsh_field_extraction_flag,
 enable_recover_records,
- timeline_offset,
+ time_offset,
 include_status,
 is_low_memory,
 enable_all_rules,
@@ -1644,8 +1644,8 @@ pub struct InputOption {
 pub recover_records: bool,
 
 /// Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
- #[arg(help_heading = Some("Filtering"), long = "timeline-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]
- pub timeline_offset: Option,
+ #[arg(help_heading = Some("Filtering"), long = "time-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]
+ pub time_offset: Option,
 }
 
 #[derive(Args, Clone, Debug)]
@@ -1890,9 +1890,9 @@ impl TargetEventTime {
 }
 };
 
- let get_timeline_offset =
- |timeline_offset: &Option, parse_success_flag: &mut bool| {
- if let Some(timeline_offline) = timeline_offset {
+ let get_time_offset =
+ |time_offset: &Option, parse_success_flag: &mut bool| {
+ if let Some(timeline_offline) = time_offset {
 let timekey = ['y', 'M', 'd', 'h', 'm', 's'];
 let mut time_num = [0, 0, 0, 0, 0, 0];
 for (idx, key) in timekey.iter().enumerate() {
@@ -1962,13 +1962,13 @@ impl TargetEventTime {
 };
 
 let mut parse_success_flag = true;
- let timeline_offset =
- get_timeline_offset(&stored_static.timeline_offset, &mut parse_success_flag);
+ let time_offset =
+ get_time_offset(&stored_static.time_offset, &mut parse_success_flag);
 match &stored_static.config.action.as_ref().unwrap() {
 Action::CsvTimeline(option) => {
- let start_time = if timeline_offset.is_some() {
+ let start_time = if time_offset.is_some() {
 get_time(
- timeline_offset.as_ref(),
+ time_offset.as_ref(),
 "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
 &mut parse_success_flag,
 )
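Review bot: The `#[arg]` attribute on `time_offset` changes the long flag from `--timeline-offset` to `--time-offset` with no alias, so any scheduled or scripted run that still passes `--timeline-offset` now fails at argument parsing instead of applying the filter; for a detection tool that is a dropped run if the caller does not check the exit status. clap accepts a hidden alias on the same attribute, `#[arg(help_heading = Some("Filtering"), long = "time-offset", alias = "timeline-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]`, which keeps old invocations working while `--time-offset` becomes the documented name. If the old spelling is meant to disappear, a release-note entry is the minimum. The `InputOption` struct starts outside the hunk.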
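Review bot: The renamed closure in the `@@ -1890` hunk still binds the payload as `timeline_offline`, which looks like a pre-existing misspelling of "offset" that the rename carried over; since the commit touches exactly this line, `if let Some(offset) = time_offset {` would finish the rename and stop the name from reading as an on/offline flag. The closure body continues outside the hunk, so the remaining uses of `timeline_offline` there would need the same rename.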
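Review bot: The user-facing error text in the `@@ -1962` hunk still says `Invalid timeline offset` while the flag a user has to fix is now `--time-offset`; the same literal is repeated verbatim in the `@@ -1987`, `@@ -2008`, `@@ -2029` and `@@ -2053` hunks. Suggest `"Invalid time offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",` and hoisting the message into one `const` in the `impl` so the five copies cannot drift again. The enclosing `TargetEventTime` function starts and ends outside these hunks.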
@@ -1987,9 +1987,9 @@ impl TargetEventTime {
 Self::set(parse_success_flag, start_time, end_time)
 }
 Action::JsonTimeline(option) => {
- let start_time = if timeline_offset.is_some() {
+ let start_time = if time_offset.is_some() {
 get_time(
- timeline_offset.as_ref(),
+ time_offset.as_ref(),
 "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
 &mut parse_success_flag,
 )
@@ -2008,9 +2008,9 @@ impl TargetEventTime {
 Self::set(parse_success_flag, start_time, end_time)
 }
 Action::PivotKeywordsList(option) => {
- let start_time = if timeline_offset.is_some() {
+ let start_time = if time_offset.is_some() {
 get_time(
- timeline_offset.as_ref(),
+ time_offset.as_ref(),
 "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
 &mut parse_success_flag,
 )
@@ -2029,9 +2029,9 @@ impl TargetEventTime {
 Self::set(parse_success_flag, start_time, end_time)
 }
 Action::LogonSummary(option) => {
- let start_time = if timeline_offset.is_some() {
+ let start_time = if time_offset.is_some() {
 get_time(
- timeline_offset.as_ref(),
+ time_offset.as_ref(),
 "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
 &mut parse_success_flag,
 )
@@ -2053,9 +2053,9 @@ impl TargetEventTime {
 | Action::EidMetrics(_)
 | Action::ComputerMetrics(_)
 | Action::Search(_) => {
- let start_time = if timeline_offset.is_some() {
+ let start_time = if time_offset.is_some() {
 get_time(
- timeline_offset.as_ref(),
+ time_offset.as_ref(),
 "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m",
 &mut parse_success_flag,
 )
@@ -2514,7 +2514,7 @@ fn extract_output_options(config: &Config) -> Option {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 enable_deprecated_rules: false,
 enable_noisy_rules: false,
@@ -2574,7 +2574,7 @@ fn extract_output_options(config: &Config) -> Option {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 enable_deprecated_rules: true,
 enable_noisy_rules: true,
@@ -2843,7 +2843,7 @@ mod tests {
 }
 
 #[test]
- fn test_timeline_offset_csv() {
+ fn test_time_offset_csv() {
 let csv_timeline = StoredStatic::create_static_data(Some(Config {
 action: Some(Action::CsvTimeline(CsvOutputOption {
 output_options: OutputOption {
@@ -2852,7 +2852,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: Some("1d".to_string()),
+ time_offset: Some("1d".to_string()),
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2923,7 +2923,7 @@ mod tests {
 }
 
 #[test]
- fn test_timeline_offset_json() {
+ fn test_time_offset_json() {
 let json_timeline = StoredStatic::create_static_data(Some(Config {
 action: Some(Action::JsonTimeline(JSONOutputOption {
 output_options: OutputOption {
@@ -2932,7 +2932,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: Some("1y".to_string()),
+ time_offset: Some("1y".to_string()),
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -3003,7 +3003,7 @@ mod tests {
 }
 
 #[test]
- fn test_timeline_offset_search() {
+ fn test_time_offset_search() {
 let json_timeline = StoredStatic::create_static_data(Some(Config {
 action: Some(Action::Search(SearchOption {
 output: None,
@@ -3017,7 +3017,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: Some("1h".to_string()),
+ time_offset: Some("1h".to_string()),
 },
 keywords: Some(vec!["mimikatz".to_string()]),
 regex: None,
@@ -3052,7 +3052,7 @@ mod tests {
 }
 
 #[test]
- fn test_timeline_offset_eid_metrics() {
+ fn test_time_offset_eid_metrics() {
 let eid_metrics = StoredStatic::create_static_data(Some(Config {
 action: Some(Action::EidMetrics(EidMetricsOption {
 output: None,
@@ -3066,7 +3066,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: Some("1h1m".to_string()),
+ time_offset: Some("1h1m".to_string()),
 },
 clobber: true,
 time_format_options: TimeFormatOptions {
@@ -3098,7 +3098,7 @@ mod tests {
 }
 
 #[test]
- fn test_timeline_offset_logon_summary() {
+ fn test_time_offset_logon_summary() {
 let logon_summary = StoredStatic::create_static_data(Some(Config {
 action: Some(Action::LogonSummary(LogonSummaryOption {
 output: None,
@@ -3112,7 +3112,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: Some("1y1d1h".to_string()),
+ time_offset: Some("1y1d1h".to_string()),
 },
 clobber: true,
 time_format_options: TimeFormatOptions {
@@ -3150,7 +3150,7 @@ mod tests {
 }
 
 #[test]
- fn test_timeline_offset_pivot() {
+ fn test_time_offset_pivot() {
 let pivot_keywords_list = StoredStatic::create_static_data(Some(Config {
 action: Some(Action::PivotKeywordsList(PivotKeywordOption {
 output: None,
@@ -3164,7 +3164,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: Some("1y1M1s".to_string()),
+ time_offset: Some("1y1M1s".to_string()),
 },
 clobber: true,
 detect_common_options: DetectCommonOption {
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index f5a8935e5..74542cba9 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -1332,7 +1332,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -1591,7 +1591,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -1732,7 +1732,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -1868,7 +1868,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2020,7 +2020,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs
index af9a7a8ea..5226ef759 100644
--- a/src/detections/rule/condition_parser.rs
+++ b/src/detections/rule/condition_parser.rs
@@ -456,7 +456,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs
index 79877593a..05a452cde 100644
--- a/src/detections/rule/count.rs
+++ b/src/detections/rule/count.rs
@@ -587,7 +587,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index 0557be7c1..e4840cc1a 100644
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -1060,7 +1060,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs
index 601bcd994..4adebe603 100644
--- a/src/detections/rule/mod.rs
+++ b/src/detections/rule/mod.rs
@@ -430,7 +430,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs
index f964f5239..691b820d4 100644
--- a/src/detections/rule/selectionnodes.rs
+++ b/src/detections/rule/selectionnodes.rs
@@ -529,7 +529,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index 1878c9eb5..46eaa0626 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -1110,7 +1110,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: Some("super-verbose".to_string()),
 enable_deprecated_rules: false,
diff --git a/src/main.rs b/src/main.rs
index 0714425a0..0c18fda00 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -2446,7 +2446,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2622,7 +2622,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2712,7 +2712,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2801,7 +2801,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2891,7 +2891,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -2980,7 +2980,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
@@ -3037,7 +3037,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
@@ -3091,7 +3091,7 @@ mod tests {
 directory: None,
 filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()),
 live_analysis: false,
- timeline_offset: None,
+ time_offset: None,
 recover_records: false,
 },
 common_options: CommonOptions {
@@ -3150,7 +3150,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
@@ -3207,7 +3207,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
@@ -3250,7 +3250,7 @@ mod tests {
 filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
diff --git a/src/options/htmlreport.rs b/src/options/htmlreport.rs
index b1643f67e..43224fbc1 100644
--- a/src/options/htmlreport.rs
+++ b/src/options/htmlreport.rs
@@ -257,7 +257,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -329,7 +329,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -404,7 +404,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -476,7 +476,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
diff --git a/src/options/profile.rs b/src/options/profile.rs
index 5078619aa..925c28128 100644
--- a/src/options/profile.rs
+++ b/src/options/profile.rs
@@ -500,7 +500,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,
@@ -583,7 +583,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: Some("minimal".to_string()),
 enable_deprecated_rules: false,
@@ -696,7 +696,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: Some("not_exist".to_string()),
 enable_deprecated_rules: false,
diff --git a/src/timeline/computer_metrics.rs b/src/timeline/computer_metrics.rs
index 7d4154022..dbce9cdd0 100644
--- a/src/timeline/computer_metrics.rs
+++ b/src/timeline/computer_metrics.rs
@@ -135,7 +135,7 @@ mod tests {
 filepath: Some(Path::new("./dummy.evtx").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs
index 4f1a325c8..ab0d4b944 100644
--- a/src/timeline/metrics.rs
+++ b/src/timeline/metrics.rs
@@ -506,7 +506,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs
index 2dc6d7a49..cbe5858d2 100644
--- a/src/timeline/timelines.rs
+++ b/src/timeline/timelines.rs
@@ -690,7 +690,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
@@ -878,7 +878,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
@@ -971,7 +971,7 @@ mod tests {
 filepath: Some(Path::new("./dummy.evtx").to_path_buf()),
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 common_options: CommonOptions {
 no_color: false,
diff --git a/src/yaml.rs b/src/yaml.rs
index cb287feea..826dd2ca3 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -799,7 +799,7 @@ mod tests {
 filepath: None,
 live_analysis: false,
 recover_records: false,
- timeline_offset: None,
+ time_offset: None,
 },
 profile: None,
 enable_deprecated_rules: false,