diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index c2e9f1b7a..f74b5e5e9 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -24,6 +24,10 @@ - 属性と同じ名前を持つ複数のサブノードは上書きされ、最後の1つだけが出力されていた。(omerbenamram/evtx #245) - `logon-summary`と`eid-metrics`が複数のプログレスバーを出力することがあった。 #1479 (@fukusuket) +**その他:** + +- `timeline-offset`オプションは、`--time-offset`に名前変更された。 (#1490) (@yamatosecurity) + ## 2.18.0 [2024/10/23] - SecTor Release **新機能:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 015ce8bac..4c12213b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,10 @@ - Multiple sub-nodes with attributes and the same name would be overwritten and only the last one kept. (omerbenamram/evtx #245) - `logon-summary` and `eid-metrics` would sometimes output multiple progress bars. #1479 (@fukusuket) +**Other:** + +- The `--timeline-offset` option has been renamed to `--time-offset`. (#1490) (@yamatosecurity) + ## 2.18.0 [2024/10/23] - SecTor Release **New Features:** diff --git a/src/afterfact.rs b/src/afterfact.rs index 628a87f4f..3c74d183b 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -2322,7 +2322,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -2417,7 +2417,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -2670,7 +2670,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: Some("verbose-2".to_string()), enable_deprecated_rules: false, @@ -2775,7 +2775,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: Some("verbose-2".to_string()), enable_deprecated_rules: false, 
@@ -3012,7 +3012,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -3107,7 +3107,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -3355,7 +3355,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -3450,7 +3450,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -3771,7 +3771,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -3867,7 +3867,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -4132,7 +4132,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -4228,7 +4228,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -4418,7 +4418,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -4514,7 +4514,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, 
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 735e0a3e9..3eb719886 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -133,7 +133,7 @@ pub struct StoredStatic {
     pub field_data_map: Option,
     pub no_pwsh_field_extraction: bool,
     pub enable_recover_records: bool,
-    pub timeline_offset: Option,
+    pub time_offset: Option,
     pub is_low_memory: bool,
     pub enable_all_rules: bool,
     pub scan_all_evtx_files: bool,
@@ -597,17 +597,15 @@ impl StoredStatic {
             Some(Action::LogMetrics(opt)) => opt.input_args.recover_records,
             _ => false,
         };
-        let timeline_offset = match &input_config.as_ref().unwrap().action {
-            Some(Action::CsvTimeline(opt)) => opt.output_options.input_args.timeline_offset.clone(),
-            Some(Action::JsonTimeline(opt)) => {
-                opt.output_options.input_args.timeline_offset.clone()
-            }
-            Some(Action::EidMetrics(opt)) => opt.input_args.timeline_offset.clone(),
-            Some(Action::LogonSummary(opt)) => opt.input_args.timeline_offset.clone(),
-            Some(Action::PivotKeywordsList(opt)) => opt.input_args.timeline_offset.clone(),
-            Some(Action::Search(opt)) => opt.input_args.timeline_offset.clone(),
-            Some(Action::ComputerMetrics(opt)) => opt.input_args.timeline_offset.clone(),
-            Some(Action::LogMetrics(opt)) => opt.input_args.timeline_offset.clone(),
+        let time_offset = match &input_config.as_ref().unwrap().action {
+            Some(Action::CsvTimeline(opt)) => opt.output_options.input_args.time_offset.clone(),
+            Some(Action::JsonTimeline(opt)) => opt.output_options.input_args.time_offset.clone(),
+            Some(Action::EidMetrics(opt)) => opt.input_args.time_offset.clone(),
+            Some(Action::LogonSummary(opt)) => opt.input_args.time_offset.clone(),
+            Some(Action::PivotKeywordsList(opt)) => opt.input_args.time_offset.clone(),
+            Some(Action::Search(opt)) => opt.input_args.time_offset.clone(),
+            Some(Action::ComputerMetrics(opt)) => opt.input_args.time_offset.clone(),
+            Some(Action::LogMetrics(opt)) => opt.input_args.time_offset.clone(),
             _ => None,
         };
         let include_status: HashSet = match &input_config.as_ref().unwrap().action {
@@ -765,7 +763,7 @@ impl StoredStatic {
             field_data_map,
             no_pwsh_field_extraction: no_pwsh_field_extraction_flag,
             enable_recover_records,
-            timeline_offset,
+            time_offset,
             include_status,
             is_low_memory,
             enable_all_rules,
@@ -1644,8 +1642,8 @@ pub struct InputOption {
     pub recover_records: bool,
 
     /// Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
-    #[arg(help_heading = Some("Filtering"), long = "timeline-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]
-    pub timeline_offset: Option,
+    #[arg(help_heading = Some("Filtering"), long = "time-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]
+    pub time_offset: Option,
 }
 
 #[derive(Args, Clone, Debug)]
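Review bot: The long flag `timeline-offset` is renamed to `time-offset` with no alias, so every existing script, scheduled collection job or triage playbook that passes `--timeline-offset` will be rejected by clap after this release. Unless a hard break is intended, keep the old spelling accepted as a hidden alias: `#[arg(help_heading = Some("Filtering"), long = "time-offset", alias = "timeline-offset", value_name = "OFFSET", conflicts_with = "start_timeline", display_order = 460)]`; if a hard break is intended, the CHANGELOG entry should say so explicitly. The doc comment lists `1y, 3M, 30d, 24h, 30m` but the parser in `TargetEventTime` on this page also accepts an `s` suffix, so `30s` belongs in the example list. `InputOption` begins before this hunk.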
@@ -1890,85 +1888,81 @@ impl TargetEventTime { } }; - let get_timeline_offset = - |timeline_offset: &Option, parse_success_flag: &mut bool| { - if let Some(timeline_offline) = timeline_offset { - let timekey = ['y', 'M', 'd', 'h', 'm', 's']; - let mut time_num = [0, 0, 0, 0, 0, 0]; - for (idx, key) in timekey.iter().enumerate() { - let mut timekey_splitter = timeline_offline.split(*key); - let mix_check = timekey_splitter.next(); - let mixed_checker: Vec<&str> = - mix_check.unwrap_or_default().split(timekey).collect(); - let target_num = if mixed_checker.is_empty() { - mix_check.unwrap() - } else { - mixed_checker[mixed_checker.len() - 1] - }; - if target_num.is_empty() { - continue; - } - if let Ok(num) = target_num.parse::() { - time_num[idx] = num; - } else { - AlertMessage::alert( + let get_time_offset = |time_offset: &Option, parse_success_flag: &mut bool| { + if let Some(timeline_offline) = time_offset { + let timekey = ['y', 'M', 'd', 'h', 'm', 's']; + let mut time_num = [0, 0, 0, 0, 0, 0]; + for (idx, key) in timekey.iter().enumerate() { + let mut timekey_splitter = timeline_offline.split(*key); + let mix_check = timekey_splitter.next(); + let mixed_checker: Vec<&str> = + mix_check.unwrap_or_default().split(timekey).collect(); + let target_num = if mixed_checker.is_empty() { + mix_check.unwrap() + } else { + mixed_checker[mixed_checker.len() - 1] + }; + if target_num.is_empty() { + continue; + } + if let Ok(num) = target_num.parse::() { + time_num[idx] = num; + } else { + AlertMessage::alert( "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m", ) .ok(); - *parse_success_flag = false; - return None; - } + *parse_success_flag = false; + return None; } - if time_num.iter().all(|&x| x == 0) { - AlertMessage::alert( + } + if time_num.iter().all(|&x| x == 0) { + AlertMessage::alert( "Invalid timeline offset. 
Please use one of the following formats: 1y, 3M, 30d, 24h, 30m", ) .ok(); - *parse_success_flag = false; - return None; - } - let target_start_time = Local::now() - .checked_sub_months(Months::new(time_num[0] * 12)) - .and_then(|dt| dt.checked_sub_months(Months::new(time_num[1]))) - .and_then(|dt| dt.checked_sub_days(Days::new(time_num[2].into()))) - .and_then(|dt| { - dt.checked_sub_signed( - Duration::try_hours(time_num[3].into()).unwrap_or_default(), - ) - }) - .and_then(|dt| { - dt.checked_sub_signed( - Duration::try_minutes(time_num[4].into()).unwrap_or_default(), - ) - }) - .and_then(|dt| { - dt.checked_sub_signed( - Duration::try_seconds(time_num[5].into()).unwrap_or_default(), - ) - }); - if let Some(start_time) = target_start_time { - Some(start_time.format("%Y-%m-%d %H:%M:%S %z").to_string()) - } else { - AlertMessage::alert( - "timeline-offset field: the timestamp value is too large.", + *parse_success_flag = false; + return None; + } + let target_start_time = Local::now() + .checked_sub_months(Months::new(time_num[0] * 12)) + .and_then(|dt| dt.checked_sub_months(Months::new(time_num[1]))) + .and_then(|dt| dt.checked_sub_days(Days::new(time_num[2].into()))) + .and_then(|dt| { + dt.checked_sub_signed( + Duration::try_hours(time_num[3].into()).unwrap_or_default(), ) - .ok(); - *parse_success_flag = false; - None - } + }) + .and_then(|dt| { + dt.checked_sub_signed( + Duration::try_minutes(time_num[4].into()).unwrap_or_default(), + ) + }) + .and_then(|dt| { + dt.checked_sub_signed( + Duration::try_seconds(time_num[5].into()).unwrap_or_default(), + ) + }); + if let Some(start_time) = target_start_time { + Some(start_time.format("%Y-%m-%d %H:%M:%S %z").to_string()) } else { + AlertMessage::alert("timeline-offset field: the timestamp value is too large.") + .ok(); + *parse_success_flag = false; None } - }; + } else { + None + } + }; let mut parse_success_flag = true; - let timeline_offset = - get_timeline_offset(&stored_static.timeline_offset, &mut 
parse_success_flag); + let time_offset = get_time_offset(&stored_static.time_offset, &mut parse_success_flag); match &stored_static.config.action.as_ref().unwrap() { Action::CsvTimeline(option) => { - let start_time = if timeline_offset.is_some() { + let start_time = if time_offset.is_some() { get_time( - timeline_offset.as_ref(), + time_offset.as_ref(), "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m", &mut parse_success_flag, ) @@ -1987,9 +1981,9 @@ impl TargetEventTime { Self::set(parse_success_flag, start_time, end_time) } Action::JsonTimeline(option) => { - let start_time = if timeline_offset.is_some() { + let start_time = if time_offset.is_some() { get_time( - timeline_offset.as_ref(), + time_offset.as_ref(), "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m", &mut parse_success_flag, ) @@ -2008,9 +2002,9 @@ impl TargetEventTime { Self::set(parse_success_flag, start_time, end_time) } Action::PivotKeywordsList(option) => { - let start_time = if timeline_offset.is_some() { + let start_time = if time_offset.is_some() { get_time( - timeline_offset.as_ref(), + time_offset.as_ref(), "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m", &mut parse_success_flag, ) @@ -2029,9 +2023,9 @@ impl TargetEventTime { Self::set(parse_success_flag, start_time, end_time) } Action::LogonSummary(option) => { - let start_time = if timeline_offset.is_some() { + let start_time = if time_offset.is_some() { get_time( - timeline_offset.as_ref(), + time_offset.as_ref(), "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m", &mut parse_success_flag, ) 
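Review bot: The alert strings in this closure still name the old option — `"timeline-offset field: the timestamp value is too large."` and the repeated `"Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m"` — so after the rename a user who mistypes the value is pointed at a flag that no longer exists; update them to `time-offset` (the same literal is repeated in each `get_time` call below). `Months::new(time_num[0] * 12)` is an unchecked multiply on CLI input: `Months::new` takes a `u32`, so a year value above 357913941 overflows, panicking in debug builds and wrapping in release instead of reaching the existing "too large" branch; `time_num[0].checked_mul(12).and_then(|m| Local::now().checked_sub_months(Months::new(m)))` routes it through the same `None` path. `mixed_checker.is_empty()` can never hold, since `str::split` always yields at least one item, so the `mix_check.unwrap()` branch is dead, and the binding `timeline_offline` reads as a typo for `time_offset`. The enclosing `TargetEventTime` method starts before and continues after this hunk.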
@@ -2053,9 +2047,9 @@ impl TargetEventTime { | Action::EidMetrics(_) | Action::ComputerMetrics(_) | Action::Search(_) => { - let start_time = if timeline_offset.is_some() { + let start_time = if time_offset.is_some() { get_time( - timeline_offset.as_ref(), + time_offset.as_ref(), "Invalid timeline offset. Please use one of the following formats: 1y, 3M, 30d, 24h, 30m", &mut parse_success_flag, ) @@ -2514,7 +2508,7 @@ fn extract_output_options(config: &Config) -> Option { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, enable_deprecated_rules: false, enable_noisy_rules: false, @@ -2574,7 +2568,7 @@ fn extract_output_options(config: &Config) -> Option { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, enable_deprecated_rules: true, enable_noisy_rules: true, @@ -2843,7 +2837,7 @@ mod tests { } #[test] - fn test_timeline_offset_csv() { + fn test_time_offset_csv() { let csv_timeline = StoredStatic::create_static_data(Some(Config { action: Some(Action::CsvTimeline(CsvOutputOption { output_options: OutputOption { @@ -2852,7 +2846,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: Some("1d".to_string()), + time_offset: Some("1d".to_string()), }, profile: None, enable_deprecated_rules: false, @@ -2923,7 +2917,7 @@ mod tests { } #[test] - fn test_timeline_offset_json() { + fn test_time_offset_json() { let json_timeline = StoredStatic::create_static_data(Some(Config { action: Some(Action::JsonTimeline(JSONOutputOption { output_options: OutputOption { @@ -2932,7 +2926,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: Some("1y".to_string()), + time_offset: Some("1y".to_string()), }, profile: None, enable_deprecated_rules: false, 
@@ -3003,7 +2997,7 @@ mod tests { } #[test] - fn test_timeline_offset_search() { + fn test_time_offset_search() { let json_timeline = StoredStatic::create_static_data(Some(Config { action: Some(Action::Search(SearchOption { output: None, @@ -3017,7 +3011,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: Some("1h".to_string()), + time_offset: Some("1h".to_string()), }, keywords: Some(vec!["mimikatz".to_string()]), regex: None, @@ -3052,7 +3046,7 @@ mod tests { } #[test] - fn test_timeline_offset_eid_metrics() { + fn test_time_offset_eid_metrics() { let eid_metrics = StoredStatic::create_static_data(Some(Config { action: Some(Action::EidMetrics(EidMetricsOption { output: None, @@ -3066,7 +3060,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: Some("1h1m".to_string()), + time_offset: Some("1h1m".to_string()), }, clobber: true, time_format_options: TimeFormatOptions { @@ -3098,7 +3092,7 @@ mod tests { } #[test] - fn test_timeline_offset_logon_summary() { + fn test_time_offset_logon_summary() { let logon_summary = StoredStatic::create_static_data(Some(Config { action: Some(Action::LogonSummary(LogonSummaryOption { output: None, @@ -3112,7 +3106,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: Some("1y1d1h".to_string()), + time_offset: Some("1y1d1h".to_string()), }, clobber: true, time_format_options: TimeFormatOptions { @@ -3150,7 +3144,7 @@ mod tests { } #[test] - fn test_timeline_offset_pivot() { + fn test_time_offset_pivot() { let pivot_keywords_list = StoredStatic::create_static_data(Some(Config { action: Some(Action::PivotKeywordsList(PivotKeywordOption { output: None, @@ -3164,7 +3158,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: Some("1y1M1s".to_string()), + time_offset: Some("1y1M1s".to_string()), }, clobber: true, detect_common_options: DetectCommonOption { 
diff --git a/src/detections/detection.rs b/src/detections/detection.rs index f5a8935e5..74542cba9 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -1332,7 +1332,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -1591,7 +1591,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -1732,7 +1732,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -1868,7 +1868,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -2020,7 +2020,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index af9a7a8ea..5226ef759 100644 --- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -456,7 +456,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs index 79877593a..05a452cde 100644 --- a/src/detections/rule/count.rs +++ b/src/detections/rule/count.rs @@ -587,7 +587,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, 
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index 0557be7c1..e4840cc1a 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -1060,7 +1060,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs index 601bcd994..4adebe603 100644 --- a/src/detections/rule/mod.rs +++ b/src/detections/rule/mod.rs @@ -430,7 +430,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs index f964f5239..691b820d4 100644 --- a/src/detections/rule/selectionnodes.rs +++ b/src/detections/rule/selectionnodes.rs @@ -529,7 +529,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 1878c9eb5..46eaa0626 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -1110,7 +1110,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: Some("super-verbose".to_string()), enable_deprecated_rules: false, diff --git a/src/main.rs b/src/main.rs index 0714425a0..0c18fda00 100644 --- a/src/main.rs +++ b/src/main.rs @@ -2446,7 +2446,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, 
@@ -2622,7 +2622,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -2712,7 +2712,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -2801,7 +2801,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -2891,7 +2891,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -2980,7 +2980,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, @@ -3037,7 +3037,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, @@ -3091,7 +3091,7 @@ mod tests { directory: None, filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()), live_analysis: false, - timeline_offset: None, + time_offset: None, recover_records: false, }, common_options: CommonOptions { 
@@ -3150,7 +3150,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, @@ -3207,7 +3207,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, @@ -3250,7 +3250,7 @@ mod tests { filepath: Some(Path::new("test_files/evtx/test_metrics.json").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, diff --git a/src/options/htmlreport.rs b/src/options/htmlreport.rs index b1643f67e..43224fbc1 100644 --- a/src/options/htmlreport.rs +++ b/src/options/htmlreport.rs @@ -257,7 +257,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -329,7 +329,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -404,7 +404,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -476,7 +476,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, diff --git a/src/options/profile.rs b/src/options/profile.rs index 5078619aa..925c28128 100644 --- a/src/options/profile.rs +++ b/src/options/profile.rs 
@@ -500,7 +500,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false, @@ -583,7 +583,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: Some("minimal".to_string()), enable_deprecated_rules: false, @@ -696,7 +696,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: Some("not_exist".to_string()), enable_deprecated_rules: false, diff --git a/src/timeline/computer_metrics.rs b/src/timeline/computer_metrics.rs index 7d4154022..dbce9cdd0 100644 --- a/src/timeline/computer_metrics.rs +++ b/src/timeline/computer_metrics.rs @@ -135,7 +135,7 @@ mod tests { filepath: Some(Path::new("./dummy.evtx").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs index 4f1a325c8..ab0d4b944 100644 --- a/src/timeline/metrics.rs +++ b/src/timeline/metrics.rs @@ -506,7 +506,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, diff --git a/src/timeline/timelines.rs b/src/timeline/timelines.rs index 2dc6d7a49..cbe5858d2 100644 --- a/src/timeline/timelines.rs +++ b/src/timeline/timelines.rs @@ -690,7 +690,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, @@ -878,7 +878,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, 
@@ -971,7 +971,7 @@ mod tests { filepath: Some(Path::new("./dummy.evtx").to_path_buf()), live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, common_options: CommonOptions { no_color: false, diff --git a/src/yaml.rs b/src/yaml.rs index cb287feea..826dd2ca3 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -799,7 +799,7 @@ mod tests { filepath: None, live_analysis: false, recover_records: false, - timeline_offset: None, + time_offset: None, }, profile: None, enable_deprecated_rules: false,