anomalyx-normalize 0.4.1

anomalyx normalization: any input format -> the ax-core RecordSet
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220

//! Windows Event Log (EVTX) parser — central to endpoint forensics.
//!
//! EVTX is a binary chunked format; the heavy lifting (BinXML decoding) is
//! delegated to the `evtx` crate, which yields one `serde_json::Value` per event
//! plus the record id and timestamp. We flatten each event into dotted columns
//! (`Event.System.EventID`, `Event.System.Provider.#attributes.Name`,
//! `Event.EventData.TargetUserName`, …) and synthesize `eventRecordId` and
//! `timestampEpoch` (Unix seconds). That gives the detectors what the issue
//! wants: `Event.System.EventID` for rare event-ID `point` detection and logon
//! `dist` drift, `timestampEpoch` for off-hours `contextual` (`--period 24`).
//!
//! Binary magic `ElfFile\0` (confidence `MAGIC`); extension `.evtx`. The `evtx`
//! crate decodes chunks in parallel but yields records in file order, so output
//! is deterministic. Behind the default-on `evtx` feature.

use crate::infer;
use crate::parser::{Confidence, FormatParser, MAGIC};
use crate::table::TableBuilder;
use ax_core::{AxError, Column, Value};
use serde_json::Value as J;
use std::collections::BTreeMap;

/// The 8-byte EVTX file-header magic.
const EVTX_MAGIC: &[u8] = b"ElfFile\x00";

#[derive(Debug, Default, Clone)]
pub struct EvtxParser;

/// Flattens a decoded event into dotted columns; scalars and arrays are leaves
/// (arrays kept as canonical JSON via [`infer::json_to_value`]).
fn flatten(prefix: &str, value: &J, row: &mut BTreeMap<String, Value>) {
    match value {
        J::Object(map) => {
            for (key, val) in map {
                let dotted = if prefix.is_empty() {
                    key.clone()
                } else {
                    format!("{prefix}.{key}")
                };
                flatten(&dotted, val, row);
            }
        }
        leaf => {
            row.insert(prefix.to_string(), infer::json_to_value(leaf));
        }
    }
}

/// Builds one row from a decoded EVTX record: the flattened event plus the
/// synthesized `eventRecordId` and `timestampEpoch` columns.
fn record_to_row(data: &J, event_record_id: i64, epoch_seconds: i64) -> BTreeMap<String, Value> {
    let mut row = BTreeMap::new();
    flatten("", data, &mut row);
    row.insert("eventRecordId".to_string(), Value::Int(event_record_id));
    row.insert("timestampEpoch".to_string(), Value::Int(epoch_seconds));
    row
}

impl EvtxParser {
    fn err(&self, msg: impl std::fmt::Display) -> AxError {
        AxError::Parse {
            format: self.id().to_string(),
            message: msg.to_string(),
        }
    }
}

impl FormatParser for EvtxParser {
    fn id(&self) -> &'static str {
        "evtx"
    }
    fn extensions(&self) -> &'static [&'static str] {
        &["evtx"]
    }
    fn sniff(&self, bytes: &[u8]) -> Option<Confidence> {
        bytes.starts_with(EVTX_MAGIC).then_some(MAGIC)
    }
    fn parse(&self, _source: &str, bytes: &[u8]) -> Result<Vec<Column>, AxError> {
        let mut parser = evtx::EvtxParser::from_buffer(bytes.to_vec()).map_err(|e| self.err(e))?;
        let mut builder = TableBuilder::new();
        for record in parser.records_json_value() {
            let record = record.map_err(|e| self.err(e))?;
            let row = record_to_row(
                &record.data,
                record.event_record_id as i64,
                record.timestamp.as_second(),
            );
            builder.push_row(row);
        }
        Ok(builder.finish())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use ax_core::ColType;

    /// A structurally-valid but empty EVTX: a 4096-byte file header with the
    /// magic and `header_block_size = 4096`, and no chunk data — so the `evtx`
    /// crate parses it and yields zero records. (A real EVTX with records needs a
    /// binary fixture; the per-record extraction is unit-tested via
    /// [`record_to_row`] below.)
    fn empty_evtx() -> Vec<u8> {
        let mut buf = vec![0u8; 4096];
        buf[0..8].copy_from_slice(EVTX_MAGIC);
        buf[32..36].copy_from_slice(&128u32.to_le_bytes()); // header_size
        buf[36..38].copy_from_slice(&1u16.to_le_bytes()); // minor version
        buf[38..40].copy_from_slice(&3u16.to_le_bytes()); // major version
        buf[40..42].copy_from_slice(&4096u16.to_le_bytes()); // header_block_size
        buf
    }

    #[test]
    fn valid_empty_file_roundtrips_to_no_rows() {
        let cols = EvtxParser.parse("x.evtx", &empty_evtx()).unwrap();
        assert!(cols.is_empty(), "no records → no columns");
    }

    #[test]
    fn record_to_row_flattens_event_and_adds_synthetic_columns() {
        // A logon-shaped EVTX event (Security 4624).
        let data = serde_json::json!({
            "Event": {
                "System": {
                    "EventID": 4624,
                    "Provider": {"#attributes": {"Name": "Microsoft-Windows-Security-Auditing"}},
                    "Computer": "WIN-HOST",
                    "Level": 0
                },
                "EventData": {"TargetUserName": "alice", "LogonType": 2}
            }
        });
        let row = record_to_row(&data, 4242, 1_609_459_200);

        assert_eq!(row.get("Event.System.EventID"), Some(&Value::Int(4624)));
        assert_eq!(
            row.get("Event.System.Provider.#attributes.Name"),
            Some(&Value::Str("Microsoft-Windows-Security-Auditing".into()))
        );
        assert_eq!(
            row.get("Event.EventData.TargetUserName"),
            Some(&Value::Str("alice".into()))
        );
        assert_eq!(row.get("Event.EventData.LogonType"), Some(&Value::Int(2)));
        assert_eq!(row.get("eventRecordId"), Some(&Value::Int(4242)));
        assert_eq!(row.get("timestampEpoch"), Some(&Value::Int(1_609_459_200)));
    }

    #[test]
    fn flatten_keeps_arrays_as_json_and_recurses_objects() {
        let mut row = BTreeMap::new();
        flatten(
            "",
            &serde_json::json!({"a": {"b": 1}, "c": [1, 2]}),
            &mut row,
        );
        assert_eq!(row.get("a.b"), Some(&Value::Int(1)));
        assert_eq!(row.get("c"), Some(&Value::Str("[1,2]".into()))); // array → canonical JSON
    }

    #[test]
    fn end_to_end_columns_via_builder() {
        // Two synthesized rows through the same path parse() uses, to pin the
        // typed columns and null-padding the detectors consume.
        let mut builder = TableBuilder::new();
        builder.push_row(record_to_row(
            &serde_json::json!({"Event": {"System": {"EventID": 4624}}}),
            1,
            100,
        ));
        builder.push_row(record_to_row(
            &serde_json::json!({"Event": {"System": {"EventID": 4625}}}),
            2,
            200,
        ));
        let cols = builder.finish();
        let eid = cols
            .iter()
            .find(|c| c.name == "Event.System.EventID")
            .unwrap();
        assert_eq!(eid.ty, ColType::Int);
        assert_eq!(eid.cells, vec![Value::Int(4624), Value::Int(4625)]);
    }

    #[test]
    fn malformed_input_errors() {
        // Wrong magic / not an EVTX file.
        assert!(matches!(
            EvtxParser.parse("x.evtx", b"not an evtx file at all"),
            Err(AxError::Parse { .. })
        ));
        // Magic present but truncated header.
        assert!(matches!(
            EvtxParser.parse("x.evtx", b"ElfFile\x00short"),
            Err(AxError::Parse { .. })
        ));
    }

    #[test]
    fn sniff_keys_on_magic() {
        assert_eq!(EvtxParser.sniff(&empty_evtx()), Some(MAGIC));
        assert_eq!(EvtxParser.sniff(b"ElfFile\x00....."), Some(MAGIC));
        assert_eq!(EvtxParser.sniff(b"ElfFile"), None); // missing the NUL byte
        assert_eq!(EvtxParser.sniff(b"PAR1...."), None); // parquet, not evtx
        assert_eq!(EvtxParser.sniff(b"{\"a\":1}"), None);
    }

    #[test]
    fn claims_evtx_extension() {
        assert_eq!(EvtxParser.extensions(), &["evtx"]);
    }

    #[test]
    fn resolves_by_extension_and_magic() {
        let reg = crate::parser::ParserRegistry::default();
        assert_eq!(reg.resolve("Security.evtx", b"zz").unwrap().id(), "evtx");
        assert_eq!(reg.resolve("-", &empty_evtx()).unwrap().id(), "evtx");
    }
}