1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

use std::collections::HashMap;

use duplicate::duplicate_item;
use serde::Serialize;
use serde_json::Value;

use super::{CustomizableField, ecs_object::EcsObject};

#[derive(Serialize)]
#[derive(Default)]
pub enum Kind {
    Alert,
    Enrichment,
    #[default]
    Event,
    Metric,
    State,
    PipelineError,
    Signal,
}



#[derive(Serialize)]
pub enum Category {
    Authentication,
    Configuration,
    Database,
    Driver,
    Email,
    File,
    Host,
    Iam,
    IntrusionDetection,
    Malware,
    Network,
    Package,
    Process,
    Registry,
    Session,
    Threat,
    Web,
}

#[derive(Serialize)]
pub enum Type {
    Access,
    Admin,
    Allowed,
    Change,
    Connection,
    Creation,
    Deletion,
    Denied,
    End,
    Error,
    Group,
    Indicator,
    Info,
    Installation,
    Protocol,
    Start,
    User,
}

#[derive(Serialize)]
pub enum Outcome {
    Failure,
    Success,
    Unknown,
}

#[derive(Default, Serialize)]
pub struct Event<'a> {
    event_kind: Kind,
    event_category: Option<Category>,
    event_type: Option<Type>,
    event_outcome: Option<Outcome>,
    code: Option<u64>,
    activity: Option<String>,
    sequence: Option<String>,
    module: Option<String>,
    provider: Option<String>,
    severity: Option<u8>,
    custom_data: HashMap<&'a String, &'a Value>,
}

impl<'a> Event<'a> {
    pub fn with_kind(mut self, ts: Kind) -> Self {
        self.event_kind = ts;
        self
    }

    #[duplicate_item(
        method            attribute    ret_type;
      [ with_category ] [ event_category ] [ Category ];
      [ with_type ]     [ event_type ]     [ Type ];
      [ with_outcome ]  [ event_outcome ]  [ Outcome ];
      [ with_code ]     [ code ]           [ u64 ];
      [ with_sequence ] [ sequence ]       [ String ];
      [ with_module ]   [ module ]         [ String ];
      [ with_provider ] [ provider ]       [ String ];
      [ with_severity ] [ severity ]       [ u8 ];
   )]
    pub fn method(mut self, ts: ret_type) -> Self {
        self.attribute = Some(ts);
        self
    }
}

impl<'a> EcsObject for Event<'a> {
    fn object_key(&self) -> &'static str {
        "event"
    }
}

impl<'a> CustomizableField<'a> for Event<'a> {
    fn with_custom_data(
        mut self,
        custom_data: &HashMap<&'a String, &'a serde_json::Value>,
    ) -> Self {
        self.custom_data.extend(custom_data);
        self
    }
}