add LogThreat event message for misc log events

CHANGELOG.md

@@ -9,8 +9,9 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Added
 
-- Add new `WindowsThreat` event message for Windows Sysmon events.
+- Add new `WindowsThreat` event message for Windows sysmon events.
 - Add new `NetworkThreat` event message for network events.
+- Add new `LogThreat` event message for misc log events.
 - Added `ranked_outlier_stream` Graphql API to fetch `RankedOutlier` periodically.
   - Gets the id of the currently stored `Model`.
   - Generate a `RankedOutlier` iterator corresponding to the prefix of the

src/graphql/event.rs

@@ -6,6 +6,7 @@ mod group;
 mod http;
 mod kerberos;
 mod ldap;
+mod log;
 mod mqtt;
 mod network;
 mod nfs;
@@ -24,10 +25,10 @@ use self::{
     dns::DnsCovertChannel, ftp::BlockListFtp, ftp::FtpBruteForce, ftp::FtpPlainText,
     http::BlockListHttp, http::DomainGenerationAlgorithm, http::HttpThreat, http::NonBrowser,
     http::RepeatedHttpSessions, http::TorConnection, kerberos::BlockListKerberos,
-    ldap::BlockListLdap, ldap::LdapBruteForce, ldap::LdapPlainText, mqtt::BlockListMqtt,
-    network::NetworkThreat, nfs::BlockListNfs, ntlm::BlockListNtlm, rdp::BlockListRdp,
-    rdp::RdpBruteForce, smb::BlockListSmb, smtp::BlockListSmtp, ssh::BlockListSsh,
-    sysmon::WindowsThreat, tls::BlockListTls,
+    ldap::BlockListLdap, ldap::LdapBruteForce, ldap::LdapPlainText, log::LogThreat,
+    mqtt::BlockListMqtt, network::NetworkThreat, nfs::BlockListNfs, ntlm::BlockListNtlm,
+    rdp::BlockListRdp, rdp::RdpBruteForce, smb::BlockListSmb, smtp::BlockListSmtp,
+    ssh::BlockListSsh, sysmon::WindowsThreat, tls::BlockListTls,
 };
 use super::{
     customer::{Customer, HostNetworkGroupInput},
@@ -154,6 +155,7 @@ async fn fetch_events(
     let mut block_list_tls_time = start_time;
     let mut windows_threat_time = start_time;
     let mut network_threat_time = start_time;
+    let mut misc_log_threat_time = start_time;
 
     loop {
         itv.tick().await;
@@ -190,7 +192,8 @@ async fn fetch_events(
             .min(block_list_ssh_time)
             .min(block_list_tls_time)
             .min(windows_threat_time)
-            .min(network_threat_time);
+            .min(network_threat_time)
+            .min(misc_log_threat_time);
 
         // Fetch event iterator based on time
         let start = i128::from(start) << 64;
@@ -399,8 +402,12 @@ async fn fetch_events(
                         network_threat_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
                     }
                 }
-
-                EventKind::Log => continue,
+                EventKind::LogThreat => {
+                    if event_time >= network_threat_time {
+                        tx.unbounded_send(value.into())?;
+                        misc_log_threat_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
+                    }
+                }
             }
         }
     }
@@ -600,6 +607,7 @@ enum Event {
     WindowsThreat(WindowsThreat),
 
     NetworkThreat(NetworkThreat),
+    LogThreat(LogThreat),
 }
 
 impl From<database::Event> for Event {
@@ -645,6 +653,7 @@ impl From<database::Event> for Event {
             },
             database::Event::WindowsThreat(event) => Event::WindowsThreat(event.into()),
             database::Event::NetworkThreat(event) => Event::NetworkThreat(event.into()),
+            database::Event::LogThreat(event) => Event::LogThreat(event.into()),
         }
     }
 }

src/graphql/event/network.rs

@@ -12,7 +12,7 @@ pub(super) struct NetworkThreat {
 #[Object]
 impl NetworkThreat {
     async fn time(&self) -> DateTime<Utc> {
-        self.inner.timestamp
+        self.inner.time
     }
 
     async fn source(&self) -> &str {

src/graphql/semi_model.rs

@@ -117,6 +117,7 @@ struct SemiModel {
 }
 
 #[derive(SimpleObject, Serialize)]
+#[allow(clippy::module_name_repetitions)]
 pub struct SemiModelInfo {
     model_type: i32,
     model_name: String,