diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index a5f949775..853b3299d 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -5,6 +5,7 @@
 **改善:**
 
 - `search`コマンドに`--timeline-start/--timeline-end`オプションを追加した。 (#1543) (@fukuseket)
+- チャンネルフィルタリングで `logon-summary` コマンドの速度を大幅に改善した。 (#1544) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dc396a366..0aa3c1e7d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **Enhancements:**
 
 - Added `--timeline-start/--timeline-end` options to the `search` command. (#1543) (@fukuseket)
+- Significantly improved the speed of the `logon-summary` command with channel filtering. (#1544) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 
diff --git a/src/main.rs b/src/main.rs
index 99e686890..d872be51e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -72,6 +72,7 @@ use tokio::runtime::Runtime;
 use tokio::spawn;
 use tokio::task::JoinHandle;
 use ureq::get;
+use yaml_rust2::YamlLoader;
 
 #[derive(Embed)]
 #[folder = "art/"]
@@ -1819,6 +1820,26 @@ impl App {
             println!();
         }
 
+        if stored_static.logon_summary_flag && !stored_static.json_input_flag {
+            // Logon summary用のChannelフィルターを作成
+            let yaml_str = r#"
+            detection:
+                selection:
+                    Channel:
+                        - Security
+                        - Microsoft-Windows-TerminalServices-Gateway/Operational
+                        - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+            "#;
+            let yaml_data = YamlLoader::load_from_str(yaml_str);
+            let node = RuleNode::new(
+                "logon".to_string(),
+                yaml_data.ok().unwrap_or_default().first().unwrap().clone(),
+            );
+            let rule_files = vec![node];
+            let mut channel_filter = create_channel_filter(&evtx_files, &rule_files);
+            evtx_files.retain(|e| channel_filter.scanable_rule_exists(e));
+        }
+
         let template = if stored_static.common_options.no_color {
             "[{elapsed_precise}] {human_pos} / {human_len} {spinner} [{bar:40}] {percent}%\r\n\r\n{msg}".to_string()
         } else {
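Review bot: The built-in channel-filter YAML in the new `if stored_static.logon_summary_flag` block is unwrapped with `yaml_data.ok().unwrap_or_default().first().unwrap()`, which turns a parse failure of a compile-time constant into an unlabelled panic and reads as though the document could legitimately be absent; `let yaml_data = YamlLoader::load_from_str(yaml_str).expect("built-in logon-summary channel filter YAML must parse");` followed by `yaml_data.first().expect("channel filter YAML holds one document").clone()` states the invariant instead. The three hard-coded channels are now a second source of truth for which logs `logon-summary` reads, so a comment such as `// Only these channels carry the logon events logon-summary counts; keep in sync with the logon-summary event matching` would help the next maintainer, and if logon events collected on some other channel (forwarded-event setups, for instance) are expected in the summary they are now silently skipped, which is worth confirming. The Japanese comment could be given in English as `// Build a Channel filter so logon-summary only scans evtx files with logon-relevant channels`. Whether `channel_filter` needs `mut` depends on the signature of `scanable_rule_exists`, which is not visible here. The enclosing `impl App` method starts and ends outside the hunk.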