endpoint-sec 0.5.1

High-level Rust wrappers around the Endpoint Security Framework
//! [`EventXpMalwareRemediated`]

use std::ffi::OsStr;

use endpoint_sec_sys::es_event_xp_malware_remediated_t;

use crate::AuditToken;

/// XProtect remediated malware.
///
/// Borrowed view over a raw `es_event_xp_malware_remediated_t`; every accessor on this type
/// reads from that raw event and nothing is copied at construction.
///
/// Receiving this event does not by itself mean the threat is gone: check
/// [`success()`](Self::success) and [`result_description()`](Self::result_description) before
/// treating the incident as resolved.
#[doc(alias = "es_event_xp_malware_remediated_t")]
pub struct EventXpMalwareRemediated<'a> {
    /// Raw event as defined by `endpoint_sec_sys`, borrowed for `'a`.
    pub(crate) raw: &'a es_event_xp_malware_remediated_t,
}

impl<'a> EventXpMalwareRemediated<'a> {
    /// Version of the signature set used for the detection. At present this corresponds to the
    /// XProtect version.
    #[inline(always)]
    pub fn signature_version(&self) -> &'a OsStr {
        let token = &self.raw.signature_version;
        // SAFETY: `raw` is borrowed for `'a` and was obtained through Endpoint Security, so the
        // string token is expected to stay valid for that lifetime.
        unsafe { token.as_os_str() }
    }

    /// Identifier string for the malware that was remediated.
    #[inline(always)]
    pub fn malware_identifier(&self) -> &'a OsStr {
        let token = &self.raw.malware_identifier;
        // SAFETY: `raw` is borrowed for `'a` and was obtained through Endpoint Security, so the
        // string token is expected to stay valid for that lifetime.
        unsafe { token.as_os_str() }
    }

    /// Identifier string for the incident, intended for linking multiple malware detected and
    /// remediated events that belong together.
    #[inline(always)]
    pub fn incident_identifier(&self) -> &'a OsStr {
        let token = &self.raw.incident_identifier;
        // SAFETY: `raw` is borrowed for `'a` and was obtained through Endpoint Security, so the
        // string token is expected to stay valid for that lifetime.
        unsafe { token.as_os_str() }
    }

    /// String naming the kind of action that was taken, e.g. "path_delete".
    #[inline(always)]
    pub fn action_type(&self) -> &'a OsStr {
        let token = &self.raw.action_type;
        // SAFETY: `raw` is borrowed for `'a` and was obtained through Endpoint Security, so the
        // string token is expected to stay valid for that lifetime.
        unsafe { token.as_os_str() }
    }

    /// `true` only if the remediation succeeded.
    ///
    /// A `false` value means the reported action did not complete; pair it with
    /// [`result_description()`](Self::result_description) when deciding whether follow-up is
    /// needed.
    #[inline(always)]
    pub fn success(&self) -> bool {
        self.raw.success
    }

    /// String describing the specific reasons for the failure or success.
    #[inline(always)]
    pub fn result_description(&self) -> &'a OsStr {
        let token = &self.raw.result_description;
        // SAFETY: `raw` is borrowed for `'a` and was obtained through Endpoint Security, so the
        // string token is expected to stay valid for that lifetime.
        unsafe { token.as_os_str() }
    }

    /// Optional. Path that was subject to remediation, if any.
    ///
    /// The path does not have to be a malicious binary: it can be a legitimate file that
    /// contained a malicious portion. In particular, the file at this path may still exist
    /// after a successful remediation, so its presence is not evidence of failure.
    ///
    /// NOTE(review): the value is returned as a plain `OsStr`, not an `Option`; an absent path
    /// presumably shows up as an empty string. Confirm against `as_os_str` on the raw token.
    #[inline(always)]
    pub fn remediated_path(&self) -> &'a OsStr {
        let token = &self.raw.remediated_path;
        // SAFETY: `raw` is borrowed for `'a` and was obtained through Endpoint Security, so the
        // string token is expected to stay valid for that lifetime.
        unsafe { token.as_os_str() }
    }

    /// Audit token of the process that was subject to remediation, if any.
    ///
    /// Returns `None` when the raw accessor yields no token; otherwise the token is copied into
    /// an owned [`AuditToken`].
    #[inline(always)]
    pub fn remediated_process_audit_token(&self) -> Option<AuditToken> {
        // SAFETY: `raw` is borrowed for `'a` and was obtained through Endpoint Security, so the
        // optional token pointer is expected to be either absent or valid.
        let maybe_token = unsafe { self.raw.remediated_process_audit_token() };
        maybe_token.map(|token| AuditToken::new(*token))
    }
}

// SAFETY: safe to send across threads: does not contain any interior mutability nor depend on
// current thread state.
// NOTE(review): presumably written by hand because the raw event holds raw pointers, which
// suppress the automatic impl; the claim relies on the raw event staying valid and unmodified
// for the whole borrow. Confirm against the raw struct definition.
unsafe impl Send for EventXpMalwareRemediated<'_> {}
// SAFETY: safe to share across threads: does not contain any interior mutability nor depend on
// current thread state. Every accessor on this type takes `&self` and only reads from `raw`.
unsafe impl Sync for EventXpMalwareRemediated<'_> {}

// Judging by the macro's name, this implements `Debug`, equality and `Hash` from the listed
// accessor functions rather than from the raw struct. TODO confirm against the macro definition.
// NOTE(review): if so, `Debug` output carries `remediated_path` and the process audit token, so
// treat formatted events as sensitive when they are written to logs.
impl_debug_eq_hash_with_functions!(
    EventXpMalwareRemediated<'a>;
    signature_version, malware_identifier, incident_identifier, action_type,
    success, result_description, remediated_path, remediated_process_audit_token,
);