//! [`EventXpMalwareRemediated`]
use std::ffi::OsStr;
use endpoint_sec_sys::es_event_xp_malware_remediated_t;
use crate::AuditToken;
/// XProtect remediated malware.
///
/// Borrowed view over the raw `es_event_xp_malware_remediated_t`. Every accessor hands back
/// data borrowed for `'a` (the lifetime of the raw event reference), not merely for the
/// duration of the `&self` borrow, so the values stay usable for as long as the underlying
/// Endpoint Security message does.
#[doc(alias = "es_event_xp_malware_remediated_t")]
pub struct EventXpMalwareRemediated<'a> {
    /// Raw event as obtained through Endpoint Security; this type never copies or mutates it.
    pub(crate) raw: &'a es_event_xp_malware_remediated_t,
}
// All string accessors below share the same safety argument: the returned `&'a OsStr` points
// into the raw event, `'a` is the lifetime of that event reference (`self.raw`), and the event
// was obtained through Endpoint Security, which keeps the backing memory valid for `'a`.
impl<'a> EventXpMalwareRemediated<'a> {
    /// Version of the signatures used for detection. Currently corresponds to XProtect version.
    #[inline(always)]
    pub fn signature_version(&self) -> &'a OsStr {
        // Safety: 'a tied to self, object obtained through ES
        unsafe { self.raw.signature_version.as_os_str() }
    }

    /// String identifying the malware that was remediated.
    #[inline(always)]
    pub fn malware_identifier(&self) -> &'a OsStr {
        // Safety: 'a tied to self, object obtained through ES
        unsafe { self.raw.malware_identifier.as_os_str() }
    }

    /// String identifying the incident, intended for linking the multiple malware-detected and
    /// malware-remediated events that belong to the same incident.
    #[inline(always)]
    pub fn incident_identifier(&self) -> &'a OsStr {
        // Safety: 'a tied to self, object obtained through ES
        unsafe { self.raw.incident_identifier.as_os_str() }
    }

    /// String indicating the type of action that was taken, e.g. "path_delete".
    #[inline(always)]
    pub fn action_type(&self) -> &'a OsStr {
        // Safety: 'a tied to self, object obtained through ES
        unsafe { self.raw.action_type.as_os_str() }
    }

    /// True only if remediation was successful.
    ///
    /// When this is `false`, [`Self::result_description`] is where the failure reason is
    /// reported; the remediated file or process may still be present.
    #[inline(always)]
    pub fn success(&self) -> bool {
        self.raw.success
    }

    /// String describing specific reasons for failure or success.
    ///
    /// Free-form text: do not parse it to decide the outcome, use [`Self::success`] for that.
    #[inline(always)]
    pub fn result_description(&self) -> &'a OsStr {
        // Safety: 'a tied to self, object obtained through ES
        unsafe { self.raw.result_description.as_os_str() }
    }

    /// Optional. Path that was subject to remediation, if any. This path is not necessarily
    /// a malicious binary, it can also be a legitimate file containing a malicious portion.
    /// Specifically, the file at this path may still exist after successful remediation.
    ///
    /// The value is an `OsStr`, so it is not guaranteed to be valid UTF-8; since the path was
    /// chosen by whoever placed the file, treat it as untrusted text when logging or displaying
    /// it (e.g. escape it rather than splicing it raw into a log line).
    // NOTE(review): the "if any" case appears to be signalled by an empty string rather than an
    // `Option`, as the return type is a plain `&OsStr` — confirm against the sys crate.
    #[inline(always)]
    pub fn remediated_path(&self) -> &'a OsStr {
        // Safety: 'a tied to self, object obtained through ES
        unsafe { self.raw.remediated_path.as_os_str() }
    }

    /// Audit token of process that was subject to remediation, if any.
    ///
    /// Returns `None` when the raw event carries no process audit token (the sys accessor
    /// yields `Option`); otherwise the token is copied out into an owned [`AuditToken`].
    #[inline(always)]
    pub fn remediated_process_audit_token(&self) -> Option<AuditToken> {
        // Safety: 'a tied to self, object obtained through ES
        let at = unsafe { self.raw.remediated_process_audit_token()? };
        Some(AuditToken::new(*at))
    }
}
// Safety: safe to send across threads: does not contain any interior mutability nor depend on
// current thread state.
// NOTE(review): the only field is `&'a es_event_xp_malware_remediated_t`, and `&T` is `Send`
// only when `T: Sync`; this impl therefore asserts that the ES-owned event is never mutated
// behind the reference for `'a` — confirm against the sys crate's definition of the type.
unsafe impl Send for EventXpMalwareRemediated<'_> {}
// Per its name, this crate-local macro implements `Debug`, `Eq` (and `PartialEq`) and `Hash` for
// the event by delegating to the listed accessor methods rather than to the raw struct, so the
// derived behaviour follows the public view of the event. The exact impls live with the macro
// definition elsewhere in the crate.
impl_debug_eq_hash_with_functions!(
    EventXpMalwareRemediated<'a>;
    signature_version, malware_identifier, incident_identifier, action_type,
    success, result_description, remediated_path, remediated_process_audit_token,
);