Merge pull request #1547 from Yamato-Security/1544-add-channel-filter…

…-logon-summary feat: add channel filter to logon-summary
Yamato-Security · Jan 18, 2025 · 2c362b6 · 2c362b6
2 parents 93ca1f0 + e509f68
commit 2c362b6
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -5,6 +5,7 @@
 **改善:**
 
 - `search`コマンドに`--timeline-start/--timeline-end`オプションを追加した。 (#1543) (@fukuseket)
+- チャンネルフィルタリングで `logon-summary` コマンドの速度を大幅に改善した。 (#1544) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **Enhancements:**
 
 - Added `--timeline-start/--timeline-end` options to the `search` command. (#1543) (@fukuseket)
+- Significantly improved the speed of the `logon-summary` command with channel filtering. (#1544) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 

diff --git a/src/main.rs b/src/main.rs
@@ -72,6 +72,7 @@ use tokio::runtime::Runtime;
 use tokio::spawn;
 use tokio::task::JoinHandle;
 use ureq::get;
+use yaml_rust2::YamlLoader;
 
 #[derive(Embed)]
 #[folder = "art/"]
@@ -1819,6 +1820,26 @@ impl App {
             println!();
         }
 
+        if stored_static.logon_summary_flag && !stored_static.json_input_flag {
+            // Logon summary用のChannelフィルターを作成
+            let yaml_str = r#"
+            detection:
+                selection:
+                    Channel:
+                        - Security
+                        - Microsoft-Windows-TerminalServices-Gateway/Operational
+                        - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+            "#;
+            let yaml_data = YamlLoader::load_from_str(yaml_str);
+            let node = RuleNode::new(
+                "logon".to_string(),
+                yaml_data.ok().unwrap_or_default().first().unwrap().clone(),
+            );
+            let rule_files = vec![node];
+            let mut channel_filter = create_channel_filter(&evtx_files, &rule_files);
+            evtx_files.retain(|e| channel_filter.scanable_rule_exists(e));
+        }
+
         let template = if stored_static.common_options.no_color {
             "[{elapsed_precise}] {human_pos} / {human_len} {spinner} [{bar:40}] {percent}%\r\n\r\n{msg}".to_string()
         } else {