
1use std::{fmt::Display, convert::TryFrom};
2
3use darling::FromMeta;
4use evtx::SerializedEvtxRecord;
5use quote::quote;
6use serde_json::Value;
7
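/// Windows event-log providers that this crate knows how to interpret.
///
/// Each variant corresponds to the `Name` attribute found under
/// `Event/System/Provider` in a serialized EVTX record. Names that match no
/// supported provider are represented by
/// [`EventProvider::UnsupportedProvider`] rather than rejected, so callers
/// must treat that variant as "unknown input", not as a parse failure.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum EventProvider {
    /// `Microsoft-Windows-TerminalServices-RemoteConnectionManager`
    TerminalServicesRemoteConnectionManager,
    /// `Microsoft-Windows-TerminalServices-LocalSessionManager`
    TerminalServicesLocalSessionManager,
    /// `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS`
    RemoteDesktopServicesRdpCoreTS,
    /// `Microsoft-Windows-Security-Auditing`
    SecurityAuditing,
    /// `Desktop Window Manager`
    DesktopWindowManager,
    /// Any provider name not listed above; see the `TryFrom<&str>` impl.
    UnsupportedProvider,
}

impl EventProvider {
    /// Canonical provider name as it appears in the event log, or a
    /// placeholder for [`EventProvider::UnsupportedProvider`].
    ///
    /// These strings are exactly the ones the `TryFrom<&str>` impl accepts,
    /// so `name()` and parsing round-trip for every supported variant.
    pub fn name(&self) -> &'static str {
        match self {
            Self::TerminalServicesRemoteConnectionManager => {
                // Previously rendered as "Microsoft-Windows-Terminal-Services-..."
                // (extra hyphen), which did not match the name `TryFrom<&str>`
                // parses and so broke the round-trip.
                "Microsoft-Windows-TerminalServices-RemoteConnectionManager"
            }
            Self::TerminalServicesLocalSessionManager => {
                "Microsoft-Windows-TerminalServices-LocalSessionManager"
            }
            Self::RemoteDesktopServicesRdpCoreTS => {
                "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"
            }
            Self::SecurityAuditing => "Microsoft-Windows-Security-Auditing",
            Self::DesktopWindowManager => "Desktop Window Manager",
            Self::UnsupportedProvider => "UNSUPPORTED PROVIDER",
        }
    }
}

impl Display for EventProvider {
    /// Writes the canonical provider name (see [`EventProvider::name`]),
    /// honouring the formatter's width/alignment like `str` does.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        Display::fmt(self.name(), f)
    }
}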
37
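impl TryFrom<&SerializedEvtxRecord<Value>> for EventProvider {
    type Error = anyhow::Error;

    /// Reads the provider name from `Event/System/Provider/@Name` of a
    /// serialized EVTX record and maps it to an [`EventProvider`].
    ///
    /// # Errors
    ///
    /// Returns an error when the record carries no string-valued provider
    /// name at that path. EVTX input is evidence taken from another machine
    /// and may be truncated or malformed, so a missing attribute is reported
    /// to the caller instead of panicking (the previous `unwrap()` aborted
    /// the whole parse run on a single bad record).
    fn try_from(record: &SerializedEvtxRecord<Value>) -> Result<Self, Self::Error> {
        // serde_json's `Index<&str>` yields `Value::Null` for absent keys and
        // non-objects, so the chained lookup cannot panic; only the string
        // conversion can fail.
        let provider_name = record.data["Event"]["System"]["Provider"]["#attributes"]["Name"]
            .as_str()
            .ok_or_else(|| {
                anyhow::anyhow!(
                    "EVTX record {} has no Event/System/Provider/@Name string attribute",
                    record.event_record_id
                )
            })?;
        Self::try_from(provider_name)
    }
}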
48
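impl TryFrom<&str> for EventProvider {
    type Error = anyhow::Error;

    /// Maps a provider name (the `Name` attribute of `Event/System/Provider`)
    /// to its [`EventProvider`] variant.
    ///
    /// Unknown names are not an error: they map to
    /// [`EventProvider::UnsupportedProvider`] after a warning is logged, so
    /// this impl currently never returns `Err`. Callers that need strict
    /// validation must check for `UnsupportedProvider` themselves.
    fn try_from(value: &str) -> Result<Self, Self::Error> {
        Ok(match value {
            "Microsoft-Windows-TerminalServices-RemoteConnectionManager" => {
                EventProvider::TerminalServicesRemoteConnectionManager
            }
            "Microsoft-Windows-TerminalServices-LocalSessionManager" => {
                EventProvider::TerminalServicesLocalSessionManager
            }
            "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" => {
                EventProvider::RemoteDesktopServicesRdpCoreTS
            }
            "Microsoft-Windows-Security-Auditing" => EventProvider::SecurityAuditing,
            "Desktop Window Manager" => EventProvider::DesktopWindowManager,
            _ => {
                // The name comes straight from the event log under analysis and
                // is therefore untrusted; `{:?}` escapes control characters and
                // newlines so the value cannot forge extra lines in our own log.
                log::warn!("unknown provider name: {value:?}");
                Self::UnsupportedProvider
            }
        })
    }
}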
73
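impl FromMeta for EventProvider {
    /// Parses the provider string given in a derive/attribute argument.
    ///
    /// # Errors
    ///
    /// Returns [`darling::Error::unknown_value`] for any name that is not a
    /// supported provider. `TryFrom<&str>` never fails on its own (it maps
    /// unknown names to `UnsupportedProvider`), so that variant is rejected
    /// here explicitly: a misspelled provider in an attribute should surface
    /// as a compile error rather than as a matcher that silently never fires.
    fn from_string(value: &str) -> darling::Result<Self> {
        match Self::try_from(value) {
            Ok(Self::UnsupportedProvider) | Err(_) => Err(darling::Error::unknown_value(value)),
            Ok(provider) => Ok(provider),
        }
    }
}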
82
impl quote::ToTokens for EventProvider {
    /// Emits the path `EventProvider::<Variant>` so a value computed inside a
    /// proc macro can be re-spelled in the generated code.
    ///
    /// NOTE(review): the parameter is typed through `quote::__private`, which
    /// is not a stable API; `proc_macro2::TokenStream` is the documented type,
    /// but switching requires that crate as a direct dependency — confirm first.
    fn to_tokens(&self, tokens: &mut quote::__private::TokenStream) {
        let variant_name = match self {
            Self::TerminalServicesRemoteConnectionManager => {
                "TerminalServicesRemoteConnectionManager"
            }
            Self::TerminalServicesLocalSessionManager => "TerminalServicesLocalSessionManager",
            Self::RemoteDesktopServicesRdpCoreTS => "RemoteDesktopServicesRdpCoreTS",
            Self::SecurityAuditing => "SecurityAuditing",
            Self::DesktopWindowManager => "DesktopWindowManager",
            Self::UnsupportedProvider => "UnsupportedProvider",
        };
        // `format_ident!` and `quote!` both use `Span::call_site()`, so this
        // produces the same token stream as spelling each path out in `quote!`.
        let variant = quote::format_ident!("{}", variant_name);
        tokens.extend(quote!(EventProvider::#variant));
    }
}