feat: add config-critical-systems cmd

CHANGELOG-Japanese.md

@@ -5,7 +5,8 @@
 **新機能:**
 
 - `eid-metrics`と`logon-summary`コマンドに`-X, --remove-duplicate-detections`オプションを追加した。 (#1552) (@fukusuket)
-- 新しい「緊急アラート 」と重要なシステムに基づく重大度レベルの調整。`config/critical_systems.txt`に重要なシステム（例: ドメインコントローラ、ファイルサーバ等々）のコンピュータ名のリストを追加すると、`low`以上のすべてのアラートが1つ高く調整される。つまり、`low`は`medium`に、`medium`は`high`に、`critical`アラートは新しい`emergency`アラートになる。(#1551) (@fukusuket)
+- 新しい「緊急アラート 」と重要なシステムに基づく重大度レベルの調整。`config/critical_systems.txt`に重要なシステム（例: ドメインコントローラ、ファイルサーバ等々）のコンピュータ名のリストを追加すると、`low`以上のすべてのアラートが1つ高く調整される。つまり、`low`は`medium`に、`medium`は`high`に、`critical`アラートは新しい`emergency`アラートになる。 (#1551) (@fukusuket)
+- `./config/critical_systems.txt`ファイルに追加するドメインコントローラーとファイルサーバーを自動的に見つける`config-critical-systems`コマンドを追加した。 (#1570) (@fukusuket)
 
 **改善:**
 

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - `-X, --remove-duplicate-detections` option to `eid-metrics` and `logon-summary` commands. (#1552) (@fukusuket)
 - New "Emergency Alerts" and severity level adjustment based on critical systems. Add a list of the computer names of critical systems (Ex: Domain Controllers, File Servers, etc...) to `config/critical_systems.txt` and all of the alerts above `low` will be adjusted one higher. That is, `low` will become `medium`, `medium` will become `high`, etc... `critical` alerts will become new `emergency` alerts. (#1551) (@fukusuket)
+- New `config-critical-systems` command to automatically find domain controllers and file servers to add to the `./config/critical_systems.txt` file. (#1570) (@fukusuket)
 
 **Enhancements:**
 

src/afterfact.rs

@@ -16,7 +16,6 @@ use hashbrown::hash_map::RawEntryMut;
 use hashbrown::{HashMap, HashSet};
 use itertools::Itertools;
 use krapslog::{build_sparkline, build_time_markers};
-use lazy_static::lazy_static;
 use nested::Nested;
 use num_format::{Locale, ToFormattedString};
 use strum::IntoEnumIterator;
@@ -37,18 +36,6 @@ use crate::level::{_get_output_color, create_output_color_map, LEVEL};
 use crate::options::htmlreport;
 use crate::options::profile::Profile;
 
-lazy_static! {
-    // ここで字句解析するときに使う正規表現の一覧を定義する。
-    // ここはSigmaのGithubレポジトリにある、toos/sigma/parser/condition.pyのSigmaConditionTokenizerのtokendefsを参考にしています。
-    pub static ref LEVEL_MAP: HashMap<String, u128> = HashMap::from([
-        ("INFORMATIONAL".to_string(), 1),
-        ("LOW".to_string(), 2),
-        ("MEDIUM".to_string(), 3),
-        ("HIGH".to_string(), 4),
-        ("CRITICAL".to_string(), 5),
-    ]);
-}
-
 #[derive(Debug)]
 pub struct Colors {
     pub output_color: termcolor::Color,

src/detections/configs.rs

@@ -177,6 +177,7 @@ impl StoredStatic {
             Some(Action::ComputerMetrics(opt)) => opt.common_options,
             Some(Action::LogMetrics(opt)) => opt.common_options,
             Some(Action::ExpandList(opt)) => opt.common_options,
+            Some(Action::ConfigCriticalSystems(opt)) => opt.common_options,
             None => CommonOptions {
                 no_color: false,
                 quiet: false,
@@ -915,7 +916,7 @@ pub enum Action {
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
         help_template = "\nHayabusa v3.1.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n  hayabusa.exe csv-timeline <INPUT> [OPTIONS]\n\n{all-args}",
         term_width = 400,
-        display_order = 290,
+        display_order = 292,
         disable_help_flag = true
     )]
     /// Create a DFIR timeline and save it in CSV format
@@ -1048,6 +1049,16 @@ pub enum Action {
     )]
     /// Output the total number of events according to computer names
     ComputerMetrics(ComputerMetricsOption),
+
+    #[clap(
+        author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
+        help_template = "\nHayabusa v3.1.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n  hayabusa.exe config-critical-systems <INPUT> [OPTIONS]\n\n{all-args}",
+        term_width = 400,
+        display_order = 291,
+        disable_help_flag = true
+    )]
+    /// Find critical systems like domain controllers and file servers.
+    ConfigCriticalSystems(ConfigCriticalSystemsOption),
 }
 
 impl Action {
@@ -1069,6 +1080,7 @@ impl Action {
                 Action::LogMetrics(_) => 12,
                 Action::ExtractBase64(_) => 13,
                 Action::ExpandList(_) => 14,
+                Action::ConfigCriticalSystems(_) => 15,
             }
         } else {
             100
@@ -1092,6 +1104,7 @@ impl Action {
                 Action::LogMetrics(_) => "log-metrics",
                 Action::ExtractBase64(_) => "extract-base64",
                 Action::ExpandList(_) => "expand-list",
+                Action::ConfigCriticalSystems(_) => "config-critical-systems",
             }
         } else {
             ""
@@ -1926,6 +1939,21 @@ pub struct ExpandListOption {
     pub common_options: CommonOptions,
 }
 
+#[derive(Args, Clone, Debug)]
+#[clap(group(ArgGroup::new("input_filtering").args(["directory", "filepath"]).required(true)))]
+pub struct ConfigCriticalSystemsOption {
+    /// Directory of multiple .evtx files
+    #[arg(help_heading = Some("Input"), short = 'd', long, value_name = "DIR", conflicts_with_all = ["filepath"], display_order = 300)]
+    pub directory: Option<Vec<PathBuf>>,
+
+    /// File path to one .evtx file
+    #[arg(help_heading = Some("Input"), short = 'f', long = "file", value_name = "FILE", conflicts_with_all = ["directory"], display_order = 320)]
+    pub filepath: Option<PathBuf>,
+
+    #[clap(flatten)]
+    pub common_options: CommonOptions,
+}
+
 #[derive(Parser, Clone, Debug)]
 #[clap(
     author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
@@ -2834,6 +2862,66 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             enable_all_rules: false,
             scan_all_evtx_files: false,
         }),
+        Action::ConfigCriticalSystems(option) => Some(OutputOption {
+            input_args: InputOption {
+                directory: option.directory.clone(),
+                filepath: option.filepath.clone(),
+                live_analysis: false,
+                recover_records: false,
+                time_offset: None,
+            },
+            enable_deprecated_rules: false,
+            enable_noisy_rules: false,
+            profile: None,
+            exclude_status: None,
+            min_level: String::default(),
+            exact_level: None,
+            end_timeline: None,
+            start_timeline: None,
+            eid_filter: false,
+            time_format_options: TimeFormatOptions {
+                european_time: false,
+                iso_8601: false,
+                rfc_2822: false,
+                rfc_3339: false,
+                us_military_time: false,
+                us_time: false,
+                utc: false,
+            },
+            visualize_timeline: false,
+            rules: Path::new("./rules").to_path_buf(),
+            html_report: None,
+            no_summary: false,
+            common_options: option.common_options,
+            detect_common_options: DetectCommonOption {
+                evtx_file_ext: None,
+                thread_number: None,
+                quiet_errors: false,
+                config: Path::new("./rules/config").to_path_buf(),
+                verbose: false,
+                json_input: false,
+                include_computer: None,
+                exclude_computer: None,
+            },
+            enable_unsupported_rules: false,
+            clobber: false,
+            proven_rules: false,
+            include_tag: None,
+            exclude_tag: None,
+            include_category: None,
+            exclude_category: None,
+            include_eid: None,
+            exclude_eid: None,
+            no_field: false,
+            no_pwsh_field_extraction: false,
+            remove_duplicate_data: false,
+            remove_duplicate_detections: false,
+            no_wizard: true,
+            include_status: None,
+            sort_events: false,
+            enable_all_rules: false,
+            scan_all_evtx_files: false,
+        }),
         _ => None,
     }
 }

src/level.rs

@@ -42,6 +42,8 @@ pub enum LEVEL {
 
 impl LEVEL {
     pub fn from(s: &str) -> Self {
+        let s = s.to_lowercase();
+        let s = s.as_str();
         match s {
             "informational" => LEVEL::INFORMATIONAL,
             "low" => LEVEL::LOW,