diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77bb4380..2251ed26 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,8 +9,9 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 ### Added
-- Add new `WindowsThreat` event message for Windows Sysmon events.
+- Add new `WindowsThreat` event message for Windows sysmon events.
 - Add new `NetworkThreat` event message for network events.
+- Add new `LogThreat` event message for misc log events.
 - Added `ranked_outlier_stream` Graphql API to fetch `RankedOutlier` periodically.
 - Gets the id of the currently stored `Model`.
 - Generate a `RankedOutlier` iterator corresponding to the prefix of the
diff --git a/src/graphql/event.rs b/src/graphql/event.rs
index 3bfaf417..0961b559 100644
--- a/src/graphql/event.rs
+++ b/src/graphql/event.rs
@@ -6,6 +6,7 @@ mod group;
 mod http;
 mod kerberos;
 mod ldap;
+mod log;
 mod mqtt;
 mod network;
 mod nfs;
@@ -24,10 +25,10 @@ use self::{
 dns::DnsCovertChannel, ftp::BlockListFtp, ftp::FtpBruteForce, ftp::FtpPlainText,
 http::BlockListHttp, http::DomainGenerationAlgorithm, http::HttpThreat, http::NonBrowser,
 http::RepeatedHttpSessions, http::TorConnection, kerberos::BlockListKerberos,
- ldap::BlockListLdap, ldap::LdapBruteForce, ldap::LdapPlainText, mqtt::BlockListMqtt,
- network::NetworkThreat, nfs::BlockListNfs, ntlm::BlockListNtlm, rdp::BlockListRdp,
- rdp::RdpBruteForce, smb::BlockListSmb, smtp::BlockListSmtp, ssh::BlockListSsh,
- sysmon::WindowsThreat, tls::BlockListTls,
+ ldap::BlockListLdap, ldap::LdapBruteForce, ldap::LdapPlainText, log::LogThreat,
+ mqtt::BlockListMqtt, network::NetworkThreat, nfs::BlockListNfs, ntlm::BlockListNtlm,
+ rdp::BlockListRdp, rdp::RdpBruteForce, smb::BlockListSmb, smtp::BlockListSmtp,
+ ssh::BlockListSsh, sysmon::WindowsThreat, tls::BlockListTls,
 };
 use super::{
 customer::{Customer, HostNetworkGroupInput},
@@ -154,6 +155,7 @@ async fn fetch_events(
 let mut block_list_tls_time = start_time;
 let mut windows_threat_time = start_time;
 let mut network_threat_time = start_time;
+ let mut misc_log_threat_time = start_time;
 loop {
 itv.tick().await;
@@ -190,7 +192,8 @@ async fn fetch_events(
 .min(block_list_ssh_time)
 .min(block_list_tls_time)
 .min(windows_threat_time)
- .min(network_threat_time);
+ .min(network_threat_time)
+ .min(misc_log_threat_time);
 // Fetch event iterator based on time
 let start = i128::from(start) << 64;
@@ -399,8 +402,12 @@ async fn fetch_events(
 network_threat_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
 }
 }
-
- EventKind::Log => continue,
+ EventKind::LogThreat => {
+ if event_time >= network_threat_time {
+ tx.unbounded_send(value.into())?;
+ misc_log_threat_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;
+ }
+ }
 }
 }
 }
@@ -600,6 +607,7 @@ enum Event {
 WindowsThreat(WindowsThreat),
 NetworkThreat(NetworkThreat),
+ LogThreat(LogThreat),
 }
 impl From for Event {
@@ -645,6 +653,7 @@ impl From for Event {
 },
 database::Event::WindowsThreat(event) => Event::WindowsThreat(event.into()),
 database::Event::NetworkThreat(event) => Event::NetworkThreat(event.into()),
+ database::Event::LogThreat(event) => Event::LogThreat(event.into()),
 }
 }
 }
diff --git a/src/graphql/event/network.rs b/src/graphql/event/network.rs
index b8e103f8..5ea05ac0 100644
--- a/src/graphql/event/network.rs
+++ b/src/graphql/event/network.rs
@@ -12,7 +12,7 @@ pub(super) struct NetworkThreat {
 #[Object]
 impl NetworkThreat {
 async fn time(&self) -> DateTime {
- self.inner.timestamp
+ self.inner.time
 }
 async fn source(&self) -> &str {
diff --git a/src/graphql/semi_model.rs b/src/graphql/semi_model.rs
index 0ef6dc18..942ad2c4 100644
--- a/src/graphql/semi_model.rs
+++ b/src/graphql/semi_model.rs
@@ -117,6 +117,7 @@ struct SemiModel {
 }
 #[derive(SimpleObject, Serialize)]
+#[allow(clippy::module_name_repetitions)]
 pub struct SemiModelInfo {
 model_type: i32,
 model_name: String,
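Review bot: The new `EventKind::LogThreat` arm in the `@@ -399,8 +402,12 @@` hunk compares `event_time` against `network_threat_time` but then advances `misc_log_threat_time`, so the cursor it writes is never the cursor it reads; whether a log event is forwarded on `tx` depends on the network-threat stream's position, and the newly introduced `misc_log_threat_time` only ever feeds the `.min(...)` start computation in the `@@ -190` hunk. The guard should read `if event_time >= misc_log_threat_time {`, which is what the visible `network_threat_time = event_time + ADD_TIME_FOR_NEXT_COMPARE;` assignment in the arm above suggests the other arms do with their own cursor. The `fetch_events` loop these arms sit in starts and ends outside the hunk, so I could not confirm the other arms' guards directly.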
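Review bot: The `#[allow(clippy::module_name_repetitions)]` added above `pub struct SemiModelInfo` in the `src/graphql/semi_model.rs` hunk carries no explanation, and a bare lint suppression tends to get copied onto the next type in the module without thought. Since the struct derives `SimpleObject`, the name is presumably what the GraphQL schema exposes and cannot be shortened freely; a one-line reason makes that explicit, e.g. `// Name is exposed through the GraphQL schema (SimpleObject); keep it despite the module-name repetition.` placed directly above the attribute. If the name is not schema-facing, dropping the `SemiModel` prefix is the cleaner fix than the allow.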