dfirtk_eventdata/
activity_id.rs

1use std::{fmt::Display, convert::TryFrom};
2
3use evtx::SerializedEvtxRecord;
4use serde_json::Value;
5
6use super::EvtxFieldView;
7
/// Borrowed view of the `ActivityID` correlation attribute of one event record.
///
/// The wrapped [`Value`] is stored exactly as it was found in the record. Nothing
/// in this type requires it to be a JSON string or a well-formed GUID, so
/// consumers have to cope with any JSON value, including `Null`.
#[derive(Clone, PartialEq, Eq)]
pub struct ActivityId<'a>(&'a Value);
10
impl<'a> TryFrom<&'a SerializedEvtxRecord<Value>> for ActivityId<'a> {
    type Error = anyhow::Error;

    /// Borrows `Event/System/Correlation/#attributes/ActivityID` from `record`.
    ///
    /// This conversion never returns `Err`. The path is followed with
    /// `serde_json` indexing, which yields `Value::Null` for a key that is
    /// absent, and the result is wrapped without checking its type or content.
    /// Event records are parsed from log files the tool does not control, so
    /// the wrapped value must be treated as unvalidated input by every reader.
    fn try_from(record: &'a SerializedEvtxRecord<Value>) -> Result<Self, Self::Error> {
        let system = &record.data["Event"]["System"];
        let attributes = &system["Correlation"]["#attributes"];
        Ok(Self(&attributes["ActivityID"]))
    }
}
19
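impl<'a> Display for ActivityId<'a> {
    /// Writes the ActivityID text exactly as it is stored in the record.
    ///
    /// The wrapped value is not guaranteed to be a string: the `TryFrom`
    /// conversion accepts records that have no ActivityID and then wraps
    /// `Value::Null`. Such a value is written as an empty string. Unwrapping
    /// here would let a single record without a correlation ID (or a crafted
    /// one with a non-string ID) abort the whole run through a panic in
    /// `to_string()` / `format!`.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self.0.as_str() {
            Some(id) => f.write_str(id),
            // Non-string or missing value: emit nothing rather than panic.
            None => Ok(()),
        }
    }
}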
25
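/// Length of a GUID in its 8-4-4-4-12 text form; the column width used for
/// ActivityIDs.
const GUID_MAX_LENGTH: usize = "F4202F00-1781-44ED-99B9-1FAA35640000".len();

impl<'a> EvtxFieldView for ActivityId<'a> {
    /// Column width reserved for an ActivityID.
    fn maximum_display_length(&self) -> usize {
        GUID_MAX_LENGTH
    }

    /// Returns the ActivityID left-aligned and space-padded to
    /// [`GUID_MAX_LENGTH`] characters.
    ///
    /// A missing or non-string value yields a field of blanks. A string
    /// shorter than a GUID is padded as well, so one malformed record cannot
    /// shift the columns that follow it.
    ///
    /// The text is taken from the event record unchanged: a value longer than
    /// the column is returned in full (nothing is truncated, so no evidence is
    /// lost) and no characters are filtered. Callers that print to a terminal
    /// or write a delimited report should not assume a well-formed GUID here.
    fn value_with_padding(&self) -> String {
        let id = self.0.as_str().unwrap_or("");
        format!("{:<width$}", id, width = GUID_MAX_LENGTH)
    }
}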
36
impl ActivityId<'_> {
    /// Gives access to the raw JSON value behind this view.
    ///
    /// The value is returned as found in the record and may be something other
    /// than a string (see `as_str()` on the result before using it as text).
    pub fn value(&self) -> &Value {
        let Self(inner) = self;
        inner
    }
}