From a721a1301b54778f8485f456299ec02a94016eac Mon Sep 17 00:00:00 2001 
From: Max Altgelt
Date: Fri, 6 Feb 2026 15:31:24 +0100
Subject: [PATCH] feat: rename finding
---
 thorlog/common/event.go | 2 +-
 thorlog/jsonschema/generateschema.go | 2 +-
 thorlog/parser/parser_test.go | 10 +--
 thorlog/v3/amcache.go | 2 +-
 thorlog/v3/antivirus.go | 4 +-
 thorlog/v3/atjob.go | 2 +-
 thorlog/v3/auditlog.go | 2 +-
 thorlog/v3/authorizedkeys.go | 2 +-
 thorlog/v3/autorun.go | 2 +-
 thorlog/v3/beaconwatcher.go | 2 +-
 thorlog/v3/crontab.go | 2 +-
 thorlog/v3/deepdive.go | 2 +-
 thorlog/v3/dnscache.go | 2 +-
 thorlog/v3/doublepulsar.go | 2 +-
 thorlog/v3/ebpf.go | 2 +-
 thorlog/v3/envvar.go | 2 +-
 thorlog/v3/event.go | 98 ++++++++++++------------
 thorlog/v3/event_test.go | 30 ++++----
 thorlog/v3/eventlog.go | 4 +-
 thorlog/v3/file.go | 2 +-
 thorlog/v3/firewall.go | 4 +-
 thorlog/v3/groupsxml.go | 2 +-
 thorlog/v3/hostsfile.go | 2 +-
 thorlog/v3/issue.go | 2 +-
 thorlog/v3/journald.go | 2 +-
 thorlog/v3/jumplist.go | 2 +-
 thorlog/v3/kernelmodule.go | 2 +-
 thorlog/v3/knowledgedb.go | 2 +-
 thorlog/v3/logline.go | 2 +-
 thorlog/v3/lsasession.go | 2 +-
 thorlog/v3/mftfile.go | 4 +-
 thorlog/v3/moduleanalysiscache.go | 2 +-
 thorlog/v3/mplog.go | 8 +-
 thorlog/v3/networksession.go | 2 +-
 thorlog/v3/networkshares.go | 2 +-
 thorlog/v3/patches.go | 4 +-
 thorlog/v3/pipe.go | 4 +-
 thorlog/v3/plugin.go | 6 +-
 thorlog/v3/prefetch.go | 2 +-
 thorlog/v3/process.go | 2 +-
 thorlog/v3/processconnection.go | 2 +-
 thorlog/v3/processhandle.go | 2 +-
 thorlog/v3/quarantineevent.go | 2 +-
 thorlog/v3/reason.go | 8 +-
 thorlog/v3/registry.go | 8 +-
 thorlog/v3/rootkit.go | 2 +-
 thorlog/v3/scheduledtask.go | 4 +-
 thorlog/v3/sdb.go | 2 +-
 thorlog/v3/service.go | 6 +-
 thorlog/v3/shellbag.go | 2 +-
 thorlog/v3/shimcache.go | 4 +-
 thorlog/v3/systemresourceusagemonitor.go | 2 +-
 thorlog/v3/teamviewer.go | 2 +-
 thorlog/v3/thread.go | 2 +-
 thorlog/v3/tomcatusers.go | 2 +-
 thorlog/v3/unmarshal.go | 2 +-
 thorlog/v3/useraccesslog.go | 68 ++++++++--------
 thorlog/v3/users.go | 8 +-
 thorlog/v3/webhistory.go | 4 +-
thorlog/v3/winkernel.go | 4 +- thorlog/v3/wmi.go | 4 +- 61 files changed, 187 insertions(+), 187 deletions(-) diff --git a/thorlog/common/event.go b/thorlog/common/event.go index 0b8be81..c34c1bf 100644 --- a/thorlog/common/event.go +++ b/thorlog/common/event.go @@ -28,7 +28,7 @@ type LogEventMetadata struct { Mod string `json:"module" textlog:"module"` // The ID of the scan where this event was created. ScanID string `json:"scan_id" textlog:"scanid,omitempty"` - // A unique ID for this finding. + // A unique ID for this event. // The ID is transient and the same element may have different IDs across multiple scans. GenID string `json:"event_id,omitempty" textlog:"uid,omitempty"` // The hostname of the machine where this event was generated. diff --git a/thorlog/jsonschema/generateschema.go b/thorlog/jsonschema/generateschema.go index 18c7b10..c35c507 100644 --- a/thorlog/jsonschema/generateschema.go +++ b/thorlog/jsonschema/generateschema.go @@ -97,7 +97,7 @@ func main() { Title: "ThorEvent", OneOf: []*jsonschema.Schema{ { - Ref: "#/$defs/Finding", + Ref: "#/$defs/Assessment", }, { Ref: "#/$defs/Message", diff --git a/thorlog/parser/parser_test.go b/thorlog/parser/parser_test.go index 418df90..b03d71a 100644 --- a/thorlog/parser/parser_test.go +++ b/thorlog/parser/parser_test.go 
@@ -129,11 +129,11 @@ func TestParseEvent(t *testing.T) { }, }, { - "JsonV3Finding", - `{"type":"THOR finding","meta":{"time":"2024-09-24T14:18:46.190394329+02:00","level":"Alert","module":"Test","scan_id":"abdc","event_id":"abdas","hostname":"aserarsd"},"message":"This is a test finding","subject":{"type":"file","path":"path/to/file"},"score":70,"reasons":[{"type":"reason","summary":"Reason 1","signature":{"score":70,"ref":null,"origin":"internal","kind":""},"matched":null}],"reason_count":0,"context":[{"object":{"type":"at job"},"relation":"","unique":false}],"log_version":"v3"}`, - &thorlog.Finding{ + "JsonV3Assessment", + `{"type":"THOR assessment","meta":{"time":"2024-09-24T14:18:46.190394329+02:00","level":"Alert","module":"Test","scan_id":"abdc","event_id":"abdas","hostname":"aserarsd"},"message":"This is a test assessment","subject":{"type":"file","path":"path/to/file"},"score":70,"reasons":[{"type":"reason","summary":"Reason 1","signature":{"score":70,"ref":null,"origin":"internal","kind":""},"matched":null}],"reason_count":0,"context":[{"object":{"type":"at job"},"relation":"","unique":false}],"log_version":"v3"}`, + &thorlog.Assessment{ ObjectHeader: jsonlog.ObjectHeader{ - Type: "THOR finding", + Type: "THOR assessment", }, Meta: thorlog.LogEventMetadata{ Time: mustTime("2024-09-24T14:18:46.190394329+02:00"), @@ -143,7 +143,7 @@ func TestParseEvent(t *testing.T) { GenID: "abdas", Source: "aserarsd", }, - Text: "This is a test finding", + Text: "This is a test assessment", Subject: &thorlog.File{ ObjectHeader: jsonlog.ObjectHeader{ Type: "file", diff --git a/thorlog/v3/amcache.go b/thorlog/v3/amcache.go index e22ab8a..11629b1 100644 --- a/thorlog/v3/amcache.go +++ b/thorlog/v3/amcache.go @@ -31,4 +31,4 @@ func NewAmcacheEntry() *AmcacheEntry { } } -func (AmcacheEntry) reportable() {} +func (AmcacheEntry) observed() {} diff --git a/thorlog/v3/antivirus.go b/thorlog/v3/antivirus.go index 03a0074..109d0d0 100644 --- a/thorlog/v3/antivirus.go 
+++ b/thorlog/v3/antivirus.go @@ -13,7 +13,7 @@ type AntiVirusProduct struct { Path string `json:"path" textlog:"path"` } -func (AntiVirusProduct) reportable() {} +func (AntiVirusProduct) observed() {} const typeAntiVirusProduct = "antivirus product" @@ -35,7 +35,7 @@ type AntiVirusExclude struct { Exclusion string `json:"exclusion" textlog:"exclusion"` } -func (AntiVirusExclude) reportable() {} +func (AntiVirusExclude) observed() {} const typeAntiVirusExclude = "antivirus exclusion" diff --git a/thorlog/v3/atjob.go b/thorlog/v3/atjob.go index 6701235..f85539f 100644 --- a/thorlog/v3/atjob.go +++ b/thorlog/v3/atjob.go @@ -22,4 +22,4 @@ func NewAtJob() *AtJob { } } -func (AtJob) reportable() {} +func (AtJob) observed() {} diff --git a/thorlog/v3/auditlog.go b/thorlog/v3/auditlog.go index 2b91322..4390e47 100644 --- a/thorlog/v3/auditlog.go +++ b/thorlog/v3/auditlog.go @@ -22,4 +22,4 @@ func NewAuditLogEntry() *AuditLogEntry { } } -func (AuditLogEntry) reportable() {} +func (AuditLogEntry) observed() {} diff --git a/thorlog/v3/authorizedkeys.go b/thorlog/v3/authorizedkeys.go index 8f50e9b..74879d7 100644 --- a/thorlog/v3/authorizedkeys.go +++ b/thorlog/v3/authorizedkeys.go @@ -25,4 +25,4 @@ func NewAuthorizedKeysEntry() *AuthorizedKeysEntry { } } -func (AuthorizedKeysEntry) reportable() {} +func (AuthorizedKeysEntry) observed() {} diff --git a/thorlog/v3/autorun.go b/thorlog/v3/autorun.go index 80650b1..e3e1513 100644 --- a/thorlog/v3/autorun.go +++ b/thorlog/v3/autorun.go @@ -17,7 +17,7 @@ type AutorunEntry struct { OldMd5 string `json:"old_md5,omitempty" textlog:"md5_before,omitempty"` } -func (AutorunEntry) reportable() {} +func (AutorunEntry) observed() {} const typeAutorunEntry = "autorun entry" diff --git a/thorlog/v3/beaconwatcher.go b/thorlog/v3/beaconwatcher.go index 0986389..100e2b8 100644 --- a/thorlog/v3/beaconwatcher.go +++ b/thorlog/v3/beaconwatcher.go 
@@ -20,7 +20,7 @@ type NetworkConnectingThread struct { Connections NetworkConnections `json:"connections" textlog:"connections"` } -func (NetworkConnectingThread) reportable() {} +func (NetworkConnectingThread) observed() {} func NewNetworkConnectingThread(threadId uint32, process *Process) *NetworkConnectingThread { return &NetworkConnectingThread{ diff --git a/thorlog/v3/crontab.go b/thorlog/v3/crontab.go index b90cfaa..b550aa0 100644 --- a/thorlog/v3/crontab.go +++ b/thorlog/v3/crontab.go @@ -8,7 +8,7 @@ type CronJob struct { Command string `json:"command" textlog:"command"` } -func (CronJob) reportable() {} +func (CronJob) observed() {} const typeCronJob = "cron job" diff --git a/thorlog/v3/deepdive.go b/thorlog/v3/deepdive.go index 9803e9b..09f0777 100644 --- a/thorlog/v3/deepdive.go +++ b/thorlog/v3/deepdive.go @@ -17,7 +17,7 @@ type DeepDiveChunk struct { BeaconConfig *BeaconConfig `json:"beacon_config,omitempty" textlog:"beacon,expand,omitempty"` } -func (DeepDiveChunk) reportable() {} +func (DeepDiveChunk) observed() {} type HexNumber uint64 diff --git a/thorlog/v3/dnscache.go b/thorlog/v3/dnscache.go index 0f44506..8a3ba30 100644 --- a/thorlog/v3/dnscache.go +++ b/thorlog/v3/dnscache.go @@ -6,7 +6,7 @@ type DnsCacheEntry struct { IP string `json:"ip" textlog:"ip"` } -func (DnsCacheEntry) reportable() {} +func (DnsCacheEntry) observed() {} const typeDnsCacheEntry = "DNS cache entry" diff --git a/thorlog/v3/doublepulsar.go b/thorlog/v3/doublepulsar.go index 428dcfe..a3a931f 100644 --- a/thorlog/v3/doublepulsar.go +++ b/thorlog/v3/doublepulsar.go @@ -7,7 +7,7 @@ type DoublePulsarHandshake struct { Key HexNumber `json:"key,omitempty" textlog:"key,omitempty"` } -func (DoublePulsarHandshake) reportable() {} +func (DoublePulsarHandshake) observed() {} const typeDoublePulsarHandshake = "DoublePulsar Handshake" diff --git a/thorlog/v3/ebpf.go b/thorlog/v3/ebpf.go index 65d7e83..40316bf 100644 --- a/thorlog/v3/ebpf.go +++ b/thorlog/v3/ebpf.go 
@@ -74,7 +74,7 @@ type EBPFAttachTarget struct { Priority int `textlog:"priority,omitempty" json:"priority,omitempty"` } -func (EBPFProgram) reportable() {} +func (EBPFProgram) observed() {} const typeEbpfProgram = "eBPF program" diff --git a/thorlog/v3/envvar.go b/thorlog/v3/envvar.go index 747d5ab..b68dd53 100644 --- a/thorlog/v3/envvar.go +++ b/thorlog/v3/envvar.go @@ -7,7 +7,7 @@ type EnvironmentVariable struct { Value string `json:"value" textlog:"value"` } -func (EnvironmentVariable) reportable() {} +func (EnvironmentVariable) observed() {} const typeEnvironmentVariable = "environment variable" diff --git a/thorlog/v3/event.go b/thorlog/v3/event.go index e9958bd..891bf99 100644 --- a/thorlog/v3/event.go +++ b/thorlog/v3/event.go 
@@ -14,21 +14,21 @@ import ( "golang.org/x/exp/slices" ) -// Finding is a summary of a Subject's analysis by THOR. -// This object is usually, but not necessarily suspicious; the +// Assessment is a summary of a Subject's analysis by THOR. +// The assessed object is not necessarily suspicious; the // severity can be seen in the Score, and beyond that the -// Reasons contain further information on why this Subject is +// Reasons contain further information if this Subject is // considered suspicious. -type Finding struct { +type Assessment struct { jsonlog.ObjectHeader Meta LogEventMetadata `json:"meta" textlog:",expand"` - // Text is the message THOR printed for this finding. - // This is usually a summary based on this finding's subject and level. + // Text is the message THOR printed for this assessment. + // This is usually a summary based on this assessment's subject and level. Text string `json:"message" textlog:"message"` - // Subject is the object analysed by THOR. - Subject ReportableObject `json:"subject" textlog:",expand"` + // Subject is the object assessed by THOR. + Subject ObservedObject `json:"subject" textlog:",expand"` // Score is a metric that combines severity and certainty. The score is always in a range of 0 to 100; - // 0 indicates that the analysis found no suspicious indicators, whereas 100 indicates very high + // 0 indicates that the assessment found no suspicious indicators, whereas 100 indicates very high // severity and certainty. Score int64 `json:"score" textlog:"score"` // Reasons describes the indicators that contributed to the score. 
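Review bot: The reworded doc comment on `Assessment` now says `Reasons contain further information if this Subject is considered suspicious`, which reads as a condition on whether any information is present rather than a description of what the Reasons hold; the dropped "why" was the informative part. Suggest `// Reasons contain further information on why this Subject is` / `// considered suspicious, where it is.` so the sentence still explains the field's content while keeping the new caveat that the assessed object need not be suspicious. The `Assessment` struct definition continues past the end of this hunk.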
@@ -45,7 +45,7 @@ type Finding struct { // and a relation name of "parent", indicating that the Subject derives from this object, // which is its parent. EventContext Context `json:"context" textlog:",expand" jsonschema:"nullable"` - // Issues lists any problems that THOR encountered when trying to create a Finding for this analysis. + // Issues lists any problems that THOR encountered when trying to create a JSON struct for this assessment. // This may include e.g. overly long fields that were truncated, fields that could not be rendered to JSON, // or similar problems. Issues []Issue `json:"issues,omitempty" textlog:"-"` 
@@ -53,76 +53,76 @@ type Finding struct { LogVersion common.Version `json:"log_version"` } -// ReportableObject can be any object type that THOR analyses, e.g. File or Process. -type ReportableObject interface { - reportable() +// ObservedObject can be any object type that THOR observes, e.g. File or Process. +type ObservedObject interface { + observed() jsonlog.Object } -func (f *Finding) Message() string { - return f.Text +func (a *Assessment) Message() string { + return a.Text } -func (f *Finding) Version() common.Version { - return f.LogVersion +func (a *Assessment) Version() common.Version { + return a.LogVersion } -func (f *Finding) Metadata() *LogEventMetadata { - return &f.Meta +func (a *Assessment) Metadata() *LogEventMetadata { + return &a.Meta } -func (f *Finding) UnmarshalJSON(data []byte) error { - type plainFinding Finding - var rawFinding struct { - plainFinding // Embed without unmarshal method to avoid infinite recursion - Subject EmbeddedObject `json:"subject"` // EmbeddedObject is used to allow unmarshalling of the subject as a ReportableObject +func (a *Assessment) UnmarshalJSON(data []byte) error { + type plainAssessment Assessment + var rawAssessment struct { + plainAssessment // Embed without unmarshal method to avoid infinite recursion + Subject EmbeddedObject `json:"subject"` // EmbeddedObject is used to allow unmarshalling of the subject as a ObservedObject } - if err := json.Unmarshal(data, &rawFinding); err != nil { + if err := json.Unmarshal(data, &rawAssessment); err != nil { return err } - subject, ok := rawFinding.Subject.Object.(ReportableObject) + subject, ok := rawAssessment.Subject.Object.(ObservedObject) if !ok { - return fmt.Errorf("subject must implement the reportable interface") + return fmt.Errorf("subject must implement the ObservedObject interface") } - *f = Finding(rawFinding.plainFinding) // Copy the fields from rawFinding to f - f.Subject = subject + *a = Assessment(rawAssessment.plainAssessment) // Copy the fields 
from rawAssessment to a + a.Subject = subject // Resolve all references // When the event is unmarshalled, the references are not resolved yet and only contain the JSON pointers. // Resolve them to the actual values to be able to use them in the text log. - for i := range f.Reasons { - for j := range f.Reasons[i].StringMatches { - if f.Reasons[i].StringMatches[j].Field == nil { + for i := range a.Reasons { + for j := range a.Reasons[i].StringMatches { + if a.Reasons[i].StringMatches[j].Field == nil { continue } - target, err := jsonpointer.Resolve(f.Subject, f.Reasons[i].StringMatches[j].Field.ToJsonPointer()) + target, err := jsonpointer.Resolve(a.Subject, a.Reasons[i].StringMatches[j].Field.ToJsonPointer()) if err != nil { return err } - f.Reasons[i].StringMatches[j].Field = jsonlog.NewReference(f.Subject, target) + a.Reasons[i].StringMatches[j].Field = jsonlog.NewReference(a.Subject, target) } } - for i := range f.Issues { - if f.Issues[i].Affected == nil { + for i := range a.Issues { + if a.Issues[i].Affected == nil { continue } - target, err := jsonpointer.Resolve(f, f.Issues[i].Affected.ToJsonPointer()) + target, err := jsonpointer.Resolve(a, a.Issues[i].Affected.ToJsonPointer()) if err != nil { return err } - f.Issues[i].Affected = jsonlog.NewReference(f, target) + a.Issues[i].Affected = jsonlog.NewReference(a, target) } return nil } -var _ common.Event = (*Finding)(nil) +var _ common.Event = (*Assessment)(nil) type Context []ContextObject // ContextObject describes a relation of an object to another. type ContextObject struct { - Object ReportableObject `json:"object" textlog:",expand"` - // Relations describes how the object relates to the main subject of the finding. + Object ObservedObject `json:"object" textlog:",expand"` + // Relations describes how the object relates to the assessed subject. // There may be multiple relations, e.g. if the object is both the parent and the topmost ancestor of the subject. 
// // Relations should be ordered by relevance, i.e. the most important relation should be first. @@ -145,9 +145,9 @@ func (c *ContextObject) UnmarshalJSON(data []byte) error { if err := json.Unmarshal(data, &rawContextObject); err != nil { return err } - reportableObject, isReportable := rawContextObject.Object.Object.(ReportableObject) + reportableObject, isReportable := rawContextObject.Object.Object.(ObservedObject) if !isReportable { - return fmt.Errorf("object of type %q must implement the reportable interface", rawContextObject.Object.Object.EmbeddedHeader().Type) + return fmt.Errorf("object of type %q must implement the ObservedObject interface", rawContextObject.Object.Object.EmbeddedHeader().Type) } *c = ContextObject(rawContextObject.plainContextObject) // Copy the fields from rawContextObject to c c.Object = reportableObject @@ -207,14 +207,14 @@ func (c Context) MarshalTextLog(t jsonlog.TextlogFormatter) jsonlog.TextlogEntry return result } -const typeFinding = "THOR finding" +const typeAssessment = "THOR assessment" -func init() { AddLogObjectType(typeFinding, &Finding{}) } +func init() { AddLogObjectType(typeAssessment, &Assessment{}) } -func NewFinding(subject ReportableObject, message string) *Finding { - return &Finding{ +func NewAssessment(subject ObservedObject, message string) *Assessment { + return &Assessment{ ObjectHeader: LogObjectHeader{ - Type: typeFinding, + Type: typeAssessment, }, Text: message, Subject: subject, @@ -223,7 +223,7 @@ func NewFinding(subject ReportableObject, message string) *Finding { } // Message describes a THOR message printed during the scan. -// Unlike Finding, this does not describe an analysis' result, +// Unlike Assessment, this does not describe an analysis' result, // but rather something about the scan itself (e.g. how many IOCs were loaded). type Message struct { jsonlog.ObjectHeader diff --git a/thorlog/v3/event_test.go b/thorlog/v3/event_test.go index 3568fee..b41577e 100644 --- a/thorlog/v3/event_test.go 
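Review bot: In `ContextObject.UnmarshalJSON` the type assertion was retargeted to `ObservedObject` but the locals kept the old vocabulary, `reportableObject, isReportable := rawContextObject.Object.Object.(ObservedObject)`, which the rest of this commit is removing and which now disagrees with the error text on the next line. Renaming them to `observedObject, isObserved := rawContextObject.Object.Object.(ObservedObject)` and `c.Object = observedObject` keeps the hunk consistent with the new interface name. The method body continues outside the hunk on both sides.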
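Review bot: `init()` now registers only `typeAssessment` (`"THOR assessment"`), so JSON events already emitted with `"type":"THOR finding"` will no longer resolve to this struct in the v3 parser, while `log_version` stays `v3` and the parser_test.go fixture was switched to the new string instead of keeping a legacy case; downstream consumers keyed on the old type string (SIEM parsers, detection rules, anything validating against the schema's former `$defs/Finding`) would break silently. If `AddLogObjectType` accepts two names for one struct, consider adding `AddLogObjectType("THOR finding", &Assessment{}) // legacy type name emitted before the rename` next to the new registration plus a parser test that feeds the old string; otherwise this should be called out as a breaking log-format change, ideally with a version bump. Whether the registry supports aliases is not visible in this diff. `NewAssessment` continues past the end of the hunk.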
+++ b/thorlog/v3/event_test.go @@ -117,10 +117,10 @@ func concatEntry(entry jsonlog.TextlogEntry) string { return builder.String() } -func TestFinding_UnmarshalJSON(t *testing.T) { - for i, finding := range []*Finding{ +func TestAssessment_UnmarshalJSON(t *testing.T) { + for i, assessment := range []*Assessment{ { - ObjectHeader: LogObjectHeader{Type: typeFinding}, + ObjectHeader: LogObjectHeader{Type: typeAssessment}, Meta: LogEventMetadata{ Lvl: common.Alert, Mod: "Test", @@ -128,7 +128,7 @@ func TestFinding_UnmarshalJSON(t *testing.T) { GenID: "abdas", Source: "aserarsd", }, - Text: "This is a test finding", + Text: "This is a test assessment", Subject: NewFile("path/to/file"), EventContext: Context{ { 
@@ -146,27 +146,27 @@ func TestFinding_UnmarshalJSON(t *testing.T) { }, } { t.Run(strconv.Itoa(i), func(t *testing.T) { - jsonform, err := json.Marshal(finding) + jsonform, err := json.Marshal(assessment) if err != nil { t.Fatal(err) } t.Log(string(jsonform)) - var newFinding Finding - if err := json.Unmarshal(jsonform, &newFinding); err != nil { + var newAssessment Assessment + if err := json.Unmarshal(jsonform, &newAssessment); err != nil { t.Fatal(err) } - newFinding.LogVersion = common.Version(newFinding.LogVersion.Major()) - if !reflect.DeepEqual(finding, &newFinding) { - t.Errorf("UnmarshalJSON() = %+v, want %+v", newFinding, *finding) + newAssessment.LogVersion = common.Version(newAssessment.LogVersion.Major()) + if !reflect.DeepEqual(assessment, &newAssessment) { + t.Errorf("UnmarshalJSON() = %+v, want %+v", newAssessment, *assessment) } }) } } -func TestFinding_UnmarshalIssue(t *testing.T) { - finding := `{"type":"THOR finding","meta":{"time":"2025-07-01T12:05:12.993789131+02:00","level":"Info","module":"ProcessCheck","scan_id":"S-pSxgCmyvvfs","event_id":"","hostname":"dummy"},"message":"process found","subject":{"type":"process","pid":502168,"name":"chromium","command":"/usr/lib/chromium/chromium","owner":"owner","image":{"type":"file","path":"/usr/lib/chromium/chromium","exists":"yes","extension":"","magic_header":"ELF","hashes":{"md5":"fc04ee20f064adc18e370c22512e268e","sha1":"2c8b7d05d25e04db9c169ce85e8e8f84321ef0c8","sha256":"0cf1727aa8dc3995d5aa103001f656b8ee8a1b3ffbc6d8664c5ad95cf225771f"},"first_bytes":{"hex":"7f454c4602010100000000000000000003003e00","ascii":"ELF\u003e"},"file_times":{"modified":"2025-06-25T19:45:43+02:00","accessed":"2025-07-01T08:46:56.750309598+02:00","changed":"2025-06-26T08:39:59.980605063+02:00"},"size":252546120,"permissions":{"type":"Unix 
permissions","owner":"root","group":"root","mask":{"user":{"readable":true,"writable":true,"executable":true},"group":{"readable":true,"writable":false,"executable":true},"world":{"readable":true,"writable":false,"executable":true}}}},"parent_info":{"pid":9011,"exe":"/usr/lib/chromium/chromium","command":"/usr/lib/chromium/chromium"},"tree":["/usr/lib/chromium/chromium","/usr/lib/chromium/chromium"],"created":"2025-07-01T12:00:05+02:00","session":"","listen_ports":null,"connections":[]},"score":0,"reasons":null,"reason_count":0,"context":null,"issues":[{"affected":"/subject/sections","category":"truncated","description":"Removed some sections from process memory (originally 638)"}],"log_version":"v3.0.0"}` - var findingObj Finding - if err := json.Unmarshal([]byte(finding), &findingObj); err != nil { - t.Fatalf("Failed to unmarshal finding: %v", err) +func TestAssessment_UnmarshalIssue(t *testing.T) { + assessment := `{"type":"THOR assessment","meta":{"time":"2025-07-01T12:05:12.993789131+02:00","level":"Info","module":"ProcessCheck","scan_id":"S-pSxgCmyvvfs","event_id":"","hostname":"dummy"},"message":"process found","subject":{"type":"process","pid":502168,"name":"chromium","command":"/usr/lib/chromium/chromium","owner":"owner","image":{"type":"file","path":"/usr/lib/chromium/chromium","exists":"yes","extension":"","magic_header":"ELF","hashes":{"md5":"fc04ee20f064adc18e370c22512e268e","sha1":"2c8b7d05d25e04db9c169ce85e8e8f84321ef0c8","sha256":"0cf1727aa8dc3995d5aa103001f656b8ee8a1b3ffbc6d8664c5ad95cf225771f"},"first_bytes":{"hex":"7f454c4602010100000000000000000003003e00","ascii":"ELF\u003e"},"file_times":{"modified":"2025-06-25T19:45:43+02:00","accessed":"2025-07-01T08:46:56.750309598+02:00","changed":"2025-06-26T08:39:59.980605063+02:00"},"size":252546120,"permissions":{"type":"Unix 
permissions","owner":"root","group":"root","mask":{"user":{"readable":true,"writable":true,"executable":true},"group":{"readable":true,"writable":false,"executable":true},"world":{"readable":true,"writable":false,"executable":true}}}},"parent_info":{"pid":9011,"exe":"/usr/lib/chromium/chromium","command":"/usr/lib/chromium/chromium"},"tree":["/usr/lib/chromium/chromium","/usr/lib/chromium/chromium"],"created":"2025-07-01T12:00:05+02:00","session":"","listen_ports":null,"connections":[]},"score":0,"reasons":null,"reason_count":0,"context":null,"issues":[{"affected":"/subject/sections","category":"truncated","description":"Removed some sections from process memory (originally 638)"}],"log_version":"v3.0.0"}` + var assessmentObj Assessment + if err := json.Unmarshal([]byte(assessment), &assessmentObj); err != nil { + t.Fatalf("Failed to unmarshal assessment: %v", err) } } diff --git a/thorlog/v3/eventlog.go b/thorlog/v3/eventlog.go index f686c83..68fc651 100644 --- a/thorlog/v3/eventlog.go +++ b/thorlog/v3/eventlog.go @@ -18,7 +18,7 @@ type WindowsEventlogEntry struct { Entry KeyValueList `json:"entry" textlog:"entry"` } -func (WindowsEventlogEntry) reportable() {} +func (WindowsEventlogEntry) observed() {} const TypeEventlogEntry = "eventlog entry" @@ -39,7 +39,7 @@ type EventlogProcessStart struct { Count int `json:"-" textlog:"count"` } -func (EventlogProcessStart) reportable() {} +func (EventlogProcessStart) observed() {} const TypeProcessStart = "process start" diff --git a/thorlog/v3/file.go b/thorlog/v3/file.go index 619939e..bb2d745 100644 --- a/thorlog/v3/file.go +++ b/thorlog/v3/file.go @@ -68,7 +68,7 @@ type File struct { VirusTotalInfo *VirusTotalInformation `json:"virustotal,omitempty" textlog:"virustotal,expand,omitempty"` } -func (File) reportable() {} +func (File) observed() {} func (f *File) UnmarshalJSON(data []byte) error { // Permissions are either unix or windows permissions, so we need to try both 
diff --git a/thorlog/v3/firewall.go b/thorlog/v3/firewall.go index 96f8970..c135560 100644 --- a/thorlog/v3/firewall.go +++ b/thorlog/v3/firewall.go @@ -19,7 +19,7 @@ type FirewallRule struct { Protocol string `json:"protocol" textlog:"protocol"` } -func (FirewallRule) reportable() {} +func (FirewallRule) observed() {} const typeFirewallRule = "firewall rule" @@ -39,7 +39,7 @@ type RawFirewallRule struct { Rule string `json:"rule" textlog:"rule"` } -func (RawFirewallRule) reportable() {} +func (RawFirewallRule) observed() {} const typeRawFirewallRule = "raw firewall rule" diff --git a/thorlog/v3/groupsxml.go b/thorlog/v3/groupsxml.go index ac86e87..254677d 100644 --- a/thorlog/v3/groupsxml.go +++ b/thorlog/v3/groupsxml.go @@ -10,7 +10,7 @@ type GroupsXmlUser struct { Password string `json:"password" textlog:"password"` } -func (GroupsXmlUser) reportable() {} +func (GroupsXmlUser) observed() {} const typeGroupsXmlPassword = "groups.xml user" diff --git a/thorlog/v3/hostsfile.go b/thorlog/v3/hostsfile.go index 35667bf..92e42f2 100644 --- a/thorlog/v3/hostsfile.go +++ b/thorlog/v3/hostsfile.go @@ -6,7 +6,7 @@ type HostsFileEntry struct { IP string `json:"ip" textlog:"ip"` } -func (HostsFileEntry) reportable() {} +func (HostsFileEntry) observed() {} const typeHostsFileEntry = "hosts file entry" diff --git a/thorlog/v3/issue.go b/thorlog/v3/issue.go index f6ca791..b2efa8f 100644 --- a/thorlog/v3/issue.go +++ b/thorlog/v3/issue.go @@ -2,7 +2,7 @@ package thorlog import "github.com/NextronSystems/jsonlog" -// Issue describes a problem that occurred during the analysis of a scan target like a file or process. +// Issue describes a problem that occurred during the assessment of a scan target like a file or process. // Often this will be an issue with displaying the results, // e.g. the results may be truncated due to size limitations. type Issue struct { diff --git a/thorlog/v3/journald.go b/thorlog/v3/journald.go index 3944f13..bf64983 100644 --- a/thorlog/v3/journald.go 
+++ b/thorlog/v3/journald.go @@ -25,4 +25,4 @@ func NewJournaldEntry() *JournaldEntry { } } -func (JournaldEntry) reportable() {} +func (JournaldEntry) observed() {} diff --git a/thorlog/v3/jumplist.go b/thorlog/v3/jumplist.go index bf00e26..38450de 100644 --- a/thorlog/v3/jumplist.go +++ b/thorlog/v3/jumplist.go @@ -22,7 +22,7 @@ type JumplistEntry struct { Checksum uint64 `json:"checksum" textlog:"checksum"` } -func (JumplistEntry) reportable() {} +func (JumplistEntry) observed() {} const typeJumplistEntry = "jump list entry" diff --git a/thorlog/v3/kernelmodule.go b/thorlog/v3/kernelmodule.go index 82e9bc1..28e9aa2 100644 --- a/thorlog/v3/kernelmodule.go +++ b/thorlog/v3/kernelmodule.go @@ -30,7 +30,7 @@ type LinuxKernelModule struct { InVmallocinfo bool `json:"in_vmallocinfo" textlog:"in_vmallocinfo"` } -func (LinuxKernelModule) reportable() {} +func (LinuxKernelModule) observed() {} const typeLinuxKernelModule = "Linux kernel module" diff --git a/thorlog/v3/knowledgedb.go b/thorlog/v3/knowledgedb.go index 08010ef..a668c71 100644 --- a/thorlog/v3/knowledgedb.go +++ b/thorlog/v3/knowledgedb.go @@ -14,7 +14,7 @@ type KnowledgeDBEntry struct { PrimaryKey int64 `json:"primary_key" textlog:"primary_key"` } -func (KnowledgeDBEntry) reportable() {} +func (KnowledgeDBEntry) observed() {} const typeKnowledgeDBEntry = "KnowledgeDB entry" diff --git a/thorlog/v3/logline.go b/thorlog/v3/logline.go index b354f27..f98e394 100644 --- a/thorlog/v3/logline.go +++ b/thorlog/v3/logline.go @@ -11,7 +11,7 @@ type LogLine struct { Line string `json:"line" textlog:"line"` } -func (LogLine) reportable() {} +func (LogLine) observed() {} const TypeLogLine = "log line" diff --git a/thorlog/v3/lsasession.go b/thorlog/v3/lsasession.go index 4f65b49..e24b326 100644 --- a/thorlog/v3/lsasession.go +++ b/thorlog/v3/lsasession.go 
@@ -16,7 +16,7 @@ type LsaSession struct { Server string `json:"server" textlog:"server"` } -func (LsaSession) reportable() {} +func (LsaSession) observed() {} const typeLsaSession = "LSA session" diff --git a/thorlog/v3/mftfile.go b/thorlog/v3/mftfile.go index 4271194..91c1df4 100644 --- a/thorlog/v3/mftfile.go +++ b/thorlog/v3/mftfile.go @@ -21,7 +21,7 @@ type MftFileEntry struct { Flags *uint64 `json:"flags,omitempty" textlog:"flags,omitempty"` } -func (MftFileEntry) reportable() {} +func (MftFileEntry) observed() {} const typeMftFileEntry = "MFT entry" @@ -43,7 +43,7 @@ type UsnEntry struct { Reasons StringList `json:"reasons" textlog:"reason"` } -func (UsnEntry) reportable() {} +func (UsnEntry) observed() {} const typeUsnEntry = "USN entry" diff --git a/thorlog/v3/moduleanalysiscache.go b/thorlog/v3/moduleanalysiscache.go index 2f77ec0..c4222df 100644 --- a/thorlog/v3/moduleanalysiscache.go +++ b/thorlog/v3/moduleanalysiscache.go @@ -11,7 +11,7 @@ type PSMacEntry struct { Command string `json:"command" textlog:"command"` } -func (PSMacEntry) reportable() {} +func (PSMacEntry) observed() {} const typeModuleAnalysisCacheEntry = "PowerShell module analysis cache module entry" diff --git a/thorlog/v3/mplog.go b/thorlog/v3/mplog.go index c5e276a..a34fbf2 100644 --- a/thorlog/v3/mplog.go +++ b/thorlog/v3/mplog.go @@ -15,7 +15,7 @@ type DetectionAddEntry struct { Detected KeyValueList `json:"detected" textlog:",expand"` } -func (DetectionAddEntry) reportable() {} +func (DetectionAddEntry) observed() {} const typeDetectionAdd = "DetectionAdd MPLog entry" @@ -42,7 +42,7 @@ type EstimatedImpactEntry struct { AccessedFile string `json:"file" textlog:"file"` } -func (EstimatedImpactEntry) reportable() {} +func (EstimatedImpactEntry) observed() {} const typeEstimatedImpact = "EstimatedImpact MPLog entry" 
@@ -70,7 +70,7 @@ type SdnQueryEntry struct { Sha256 string `json:"sha256" textlog:"sha256"` } -func (SdnQueryEntry) reportable() {} +func (SdnQueryEntry) observed() {} const typeSdnQuery = "SDN query MPLog entry" @@ -97,7 +97,7 @@ type EmsDetectionEntry struct { Pid int `json:"pid" textlog:"pid"` } -func (EmsDetectionEntry) reportable() {} +func (EmsDetectionEntry) observed() {} const typeEmsDetection = "EMS detection MPLog entry" diff --git a/thorlog/v3/networksession.go b/thorlog/v3/networksession.go index 3b654d2..54e98ba 100644 --- a/thorlog/v3/networksession.go +++ b/thorlog/v3/networksession.go @@ -14,7 +14,7 @@ type NetworkSession struct { NumOpens int `json:"num_opens" textlog:"num_opens"` } -func (NetworkSession) reportable() {} +func (NetworkSession) observed() {} const typeNetworkSession = "network session" diff --git a/thorlog/v3/networkshares.go b/thorlog/v3/networkshares.go index e2c3b9a..abe5c6c 100644 --- a/thorlog/v3/networkshares.go +++ b/thorlog/v3/networkshares.go @@ -11,7 +11,7 @@ type NetworkShare struct { Permissions AclEntries `json:"permissions" textlog:"share_perms,omitempty"` } -func (NetworkShare) reportable() {} +func (NetworkShare) observed() {} const typeNetworkShare = "network share" diff --git a/thorlog/v3/patches.go b/thorlog/v3/patches.go index 66b1dc9..4139f29 100644 --- a/thorlog/v3/patches.go +++ b/thorlog/v3/patches.go @@ -11,7 +11,7 @@ type HotfixSummary struct { LastHotfix time.Time `json:"last_hotfix" textlog:"last_hotfix"` } -func (HotfixSummary) reportable() {} +func (HotfixSummary) observed() {} const typeHotfixSummary = "hotfix summary" @@ -33,7 +33,7 @@ type EndOfLifeReport struct { EndOfLife time.Time `json:"end_of_life" textlog:"end_time"` } -func (EndOfLifeReport) reportable() {} +func (EndOfLifeReport) observed() {} const typeEndOfLifeReport = "end of life report" diff --git a/thorlog/v3/pipe.go b/thorlog/v3/pipe.go index 36dab71..a61d656 100644 --- a/thorlog/v3/pipe.go +++ b/thorlog/v3/pipe.go 
@@ -10,7 +10,7 @@ type WindowsPipe struct {
 Pipe string `json:"pipe" textlog:"pipe"`
 }
-func (WindowsPipe) reportable() {}
+func (WindowsPipe) observed() {}
 const typeWindowsPipe = "named pipe"
@@ -30,7 +30,7 @@ type WindowsPipeList struct {
 Pipes StringList `json:"pipes" textlog:"pipes"`
 }
-func (WindowsPipeList) reportable() {}
+func (WindowsPipeList) observed() {}
 const typeWindowsPipeList = "pipe list"
diff --git a/thorlog/v3/plugin.go b/thorlog/v3/plugin.go
index 83465f3..14d1534 100644
--- a/thorlog/v3/plugin.go
+++ b/thorlog/v3/plugin.go
@@ -12,7 +12,7 @@ type PluginStructuredData struct {
 Data KeyValueList `json:"data" textlog:",inline"`
 }
-func (PluginStructuredData) reportable() {}
+func (PluginStructuredData) observed() {}
 const typePluginStructuredData = "structured data from plugin"
@@ -35,7 +35,7 @@ type PluginString struct {
 String string `json:"string" textlog:"string"`
 }
-func (PluginString) reportable() {}
+func (PluginString) observed() {}
 const typePluginString = "data from plugin"
@@ -58,7 +58,7 @@ type PluginFinding struct {
 LogDetails MessageFields `json:"details" textlog:",expand"`
 }
-func (PluginFinding) reportable() {}
+func (PluginFinding) observed() {}
 const typePluginFinding = "finding from plugin"
diff --git a/thorlog/v3/prefetch.go b/thorlog/v3/prefetch.go
index c449136..16ba504 100644
--- a/thorlog/v3/prefetch.go
+++ b/thorlog/v3/prefetch.go
@@ -26,7 +26,7 @@ type PrefetchInfo struct {
 AccessedFiles []string `json:"accessed_files" textlog:"-"`
 }
-func (PrefetchInfo) reportable() {}
+func (PrefetchInfo) observed() {}
 type ExecutionTimes []time.Time
diff --git a/thorlog/v3/process.go b/thorlog/v3/process.go
index 19a8c3e..bb22a41 100644
--- a/thorlog/v3/process.go
+++ b/thorlog/v3/process.go
@@ -24,7 +24,7 @@ type Process struct {
 PeSieveReport *PeSieveReport `json:"pe_sieve,omitempty" textlog:"pe_sieve,expand,omitempty"`
 }
-func (Process) reportable() {}
+func (Process) observed() {}
 type ProcessInfo struct {
 Name string `json:"name" textlog:"name"`
diff --git a/thorlog/v3/processconnection.go b/thorlog/v3/processconnection.go
index 75240a9..0f1cbd5 100644
--- a/thorlog/v3/processconnection.go
+++ b/thorlog/v3/processconnection.go
@@ -9,7 +9,7 @@ type ProcessConnectionObject struct {
 ProcessConnection
 }
-func (ProcessConnectionObject) reportable() {}
+func (ProcessConnectionObject) observed() {}
 const typeProcessConnection = "process connection"
diff --git a/thorlog/v3/processhandle.go b/thorlog/v3/processhandle.go
index 33bef18..bf5b898 100644
--- a/thorlog/v3/processhandle.go
+++ b/thorlog/v3/processhandle.go
@@ -12,7 +12,7 @@ type ProcessHandle struct {
 Type string `json:"handle_type,omitempty" textlog:"type,omitempty"`
 }
-func (ProcessHandle) reportable() {}
+func (ProcessHandle) observed() {}
 const typeProcessHandle = "process handle"
diff --git a/thorlog/v3/quarantineevent.go b/thorlog/v3/quarantineevent.go
index a05a5f7..167c4e7 100644
--- a/thorlog/v3/quarantineevent.go
+++ b/thorlog/v3/quarantineevent.go
@@ -16,7 +16,7 @@ type QuarantineEvent struct {
 Url string `json:"url" textlog:"url,omitempty"`
 }
-func (QuarantineEvent) reportable() {}
+func (QuarantineEvent) observed() {}
 const typeQuarantineEvent = "quarantine event"
diff --git a/thorlog/v3/reason.go b/thorlog/v3/reason.go
index a0dbd64..476db4d 100644
--- a/thorlog/v3/reason.go
+++ b/thorlog/v3/reason.go
@@ -7,7 +7,7 @@ import (
 "github.com/NextronSystems/jsonlog"
 )
-// Reason describes a match of a single Signature on a ReportableObject.
+// Reason describes a match of a single Signature on a ObservedObject.
 type Reason struct {
 jsonlog.ObjectHeader
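Review bot: The rewritten doc comment in the reason.go hunk reads "on a ObservedObject", where the article no longer agrees with the new noun; the line should be `// Reason describes a match of a single Signature on an ObservedObject.`. The comment names ObservedObject while the marker method the other hunks introduce is observed(); the interface that method satisfies is not in this hunk (event.go in the diffstat), so it is worth confirming the comment uses the interface's actual new name. The Reason struct that this comment documents continues past the end of the hunk.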
@@ -38,11 +38,11 @@ func init() {
 type Signature struct {
 // Score is a metric that combines severity and certainty for this signature.
 //
- // It is related to the Finding.Score, which is derived from the scores of all
+ // It is related to the Assessment.Score, which is derived from the scores of all
 // signatures that matched; however, signature scores are not limited to the
- // 0 to 100 interval of finding scores, but may also be negative to indicate
+ // 0 to 100 interval of assessment scores, but may also be negative to indicate
 // a likely false positive (which results in a score reduction on any related
- // finding).
+ // assessment).
 Score int64 `json:"score" textlog:"subscore"`
 // Ref contains references (usually as links) for further information about
 // the threat that is detected by this signature.
diff --git a/thorlog/v3/registry.go b/thorlog/v3/registry.go
index 55297a5..d1fe5c6 100644
--- a/thorlog/v3/registry.go
+++ b/thorlog/v3/registry.go
@@ -15,7 +15,7 @@ type RegistryValue struct {
 Size uint64 `json:"size" textlog:"size"`
 }
-func (RegistryValue) reportable() {}
+func (RegistryValue) observed() {}
 const TypeRegistryValue = "registry value"
@@ -36,7 +36,7 @@ type RegistryKey struct {
 FormattedValues string `json:"values" textlog:"values,omitincontext"`
 }
-func (RegistryKey) reportable() {}
+func (RegistryKey) observed() {}
 func (s *RegistryKey) RawEvent() (string, *jsonlog.Reference) {
 return s.FormattedValues, jsonlog.NewReference(s, &s.FormattedValues)
@@ -67,7 +67,7 @@ type MsOfficeConnectionCacheEntry struct {
 Key string `json:"key" textlog:"key"`
 }
-func (MsOfficeConnectionCacheEntry) reportable() {}
+func (MsOfficeConnectionCacheEntry) observed() {}
 func NewMsOfficeConnectionCacheEntry() *MsOfficeConnectionCacheEntry {
 return &MsOfficeConnectionCacheEntry{
@@ -83,7 +83,7 @@ type RegisteredDebugger struct {
 Debugger string `json:"debugger" textlog:"element"`
 }
-func (RegisteredDebugger) reportable() {}
+func (RegisteredDebugger) observed() {}
 const TypeRegisteredDebugger = "registered debugger"
diff --git a/thorlog/v3/rootkit.go b/thorlog/v3/rootkit.go
index cb4acb1..1692093 100644
--- a/thorlog/v3/rootkit.go
+++ b/thorlog/v3/rootkit.go
@@ -6,7 +6,7 @@ type Rootkit struct {
 const typeRootkit = "rootkit"
-func (Rootkit) reportable() {}
+func (Rootkit) observed() {}
 func init() {
 AddLogObjectType(typeRootkit, &Rootkit{})
 }
diff --git a/thorlog/v3/scheduledtask.go b/thorlog/v3/scheduledtask.go
index 44a43e6..b57594f 100644
--- a/thorlog/v3/scheduledtask.go
+++ b/thorlog/v3/scheduledtask.go
@@ -49,7 +49,7 @@ type ScheduledTask struct {
 NextRun time.Time `json:"next_run,omitzero" textlog:"nextrun,omitempty"`
 }
-func (ScheduledTask) reportable() {}
+func (ScheduledTask) observed() {}
 const typeScheduledTask = "scheduled task"
@@ -75,7 +75,7 @@ type RegistryScheduledTask struct {
 LastResult string `json:"last_result" textlog:"last_result"`
 }
-func (RegistryScheduledTask) reportable() {}
+func (RegistryScheduledTask) observed() {}
 const typeRegistryScheduledTask = "registry scheduled task"
diff --git a/thorlog/v3/sdb.go b/thorlog/v3/sdb.go
index adb4f85..0cdd90a 100644
--- a/thorlog/v3/sdb.go
+++ b/thorlog/v3/sdb.go
@@ -10,7 +10,7 @@ type SdbEntry struct {
 Entry KeyValueList `json:"entry" textlog:"entry"`
 }
-func (SdbEntry) reportable() {}
+func (SdbEntry) observed() {}
 const typeSdbEntry = "shim database entry"
diff --git a/thorlog/v3/service.go b/thorlog/v3/service.go
index 335a2b5..f026f8a 100644
--- a/thorlog/v3/service.go
+++ b/thorlog/v3/service.go
@@ -10,7 +10,7 @@ type InitdService struct {
 File *File `json:"file" textlog:"file,expand"`
 }
-func (InitdService) reportable() {}
+func (InitdService) observed() {}
 const typeInitdService = "init.d service"
@@ -35,7 +35,7 @@ type SystemdService struct {
 Image *File `json:"image" textlog:"image,expand"`
 }
-func (SystemdService) reportable() {}
+func (SystemdService) observed() {}
 const typeSystemdService = "systemd service"
@@ -64,7 +64,7 @@ type WindowsService struct {
 Image *File `json:"image" textlog:"image,expand"`
 }
-func (WindowsService) reportable() {}
+func (WindowsService) observed() {}
 const typeWindowsService = "Windows service"
diff --git a/thorlog/v3/shellbag.go b/thorlog/v3/shellbag.go
index 15a940a..522f258 100644
--- a/thorlog/v3/shellbag.go
+++ b/thorlog/v3/shellbag.go
@@ -16,7 +16,7 @@ type ShellbagEntry struct {
 DateAccess time.Time `json:"date_access" textlog:"date_access"`
 }
-func (ShellbagEntry) reportable() {}
+func (ShellbagEntry) observed() {}
 const typeShellbagEntry = "shellbag entry"
diff --git a/thorlog/v3/shimcache.go b/thorlog/v3/shimcache.go
index 942505d..a6de60e 100644
--- a/thorlog/v3/shimcache.go
+++ b/thorlog/v3/shimcache.go
@@ -14,7 +14,7 @@ type ShimCacheEntry struct {
 Path string `json:"path" textlog:"path"`
 }
-func (ShimCacheEntry) reportable() {}
+func (ShimCacheEntry) observed() {}
 const typeShimCacheEntry = "shim cache entry"
@@ -35,7 +35,7 @@ type ShimCache struct {
 LastKnownEntries int `json:"last_known_entries" textlog:"previous_entries,omitempty"`
 }
-func (ShimCache) reportable() {}
+func (ShimCache) observed() {}
 const typeShimCache = "shim cache"
diff --git a/thorlog/v3/systemresourceusagemonitor.go b/thorlog/v3/systemresourceusagemonitor.go
index 3680aac..5e43d3d 100644
--- a/thorlog/v3/systemresourceusagemonitor.go
+++ b/thorlog/v3/systemresourceusagemonitor.go
@@ -110,4 +110,4 @@ func NewSRUMResourceUsageEntry() *SRUMResourceUsageEntry {
 }
 }
-func (SRUMResourceUsageEntry) reportable() {}
+func (SRUMResourceUsageEntry) observed() {}
diff --git a/thorlog/v3/teamviewer.go b/thorlog/v3/teamviewer.go
index 780147c..c9209c5 100644
--- a/thorlog/v3/teamviewer.go
+++ b/thorlog/v3/teamviewer.go
@@ -10,7 +10,7 @@ type TeamViewerPassword struct {
 Name string `json:"name" textlog:"name"`
 }
-func (TeamViewerPassword) reportable() {}
+func (TeamViewerPassword) observed() {}
 const typeTeamViewerPassword = "TeamViewer password"
diff --git a/thorlog/v3/thread.go b/thorlog/v3/thread.go
index 85b3e02..cf43480 100644
--- a/thorlog/v3/thread.go
+++ b/thorlog/v3/thread.go
@@ -10,7 +10,7 @@ type Thread struct {
 Stack StringList `json:"stack" jsonschema:"nullable"`
 }
-func (Thread) reportable() {}
+func (Thread) observed() {}
 const typeThread = "thread"
diff --git a/thorlog/v3/tomcatusers.go b/thorlog/v3/tomcatusers.go
index e9da2f3..1859536 100644
--- a/thorlog/v3/tomcatusers.go
+++ b/thorlog/v3/tomcatusers.go
@@ -9,7 +9,7 @@ type TomcatUser struct {
 User string `json:"user" textlog:"user"`
 }
-func (TomcatUser) reportable() {}
+func (TomcatUser) observed() {}
 const typeTomcatUser = "Tomcat user"
diff --git a/thorlog/v3/unmarshal.go b/thorlog/v3/unmarshal.go
index 5573522..99808f6 100644
--- a/thorlog/v3/unmarshal.go
+++ b/thorlog/v3/unmarshal.go
@@ -19,7 +19,7 @@ type UnknownObject struct {
 Data map[string]any
 }
-func (UnknownObject) reportable() {}
+func (UnknownObject) observed() {}
 func (u *UnknownObject) UnmarshalJSON(data []byte) error {
 var details map[string]any
diff --git a/thorlog/v3/useraccesslog.go b/thorlog/v3/useraccesslog.go
index 3931243..bf44e1d 100644
--- a/thorlog/v3/useraccesslog.go
+++ b/thorlog/v3/useraccesslog.go
@@ -16,63 +16,63 @@ import (
 // A UALEntry represents a single entry in the CLIENTS table, possibly enriched with
 // role details in the ROLE_IDS table of an accompanying SystemIdentity.mdb file.
 //
-// from Current.mdb or .mdb:
-// Table: 6 CLIENTS (10)
-// Number of columns: 374
+// from Current.mdb or .mdb:
+// Table: 6 CLIENTS (10)
+// Number of columns: 374
+// Column Identifier Name Type
+// 1 1 RoleGuid GUID
+// 2 2 TenantId GUID
+// 3 3 TotalAccesses Integer 32-bit unsigned
+// 4 4 InsertDate Date and time
+// 5 5 LastAccess Date and time
+// 6 128 Address Binary data
+// 7 256 AuthenticatedUserName Large text
+// 8 257 ClientName Large text
+// 9 258 Day1 Integer 16-bit unsigned
+// 10 259 Day2 Integer 16-bit unsigned
+// 11 260 Day3 Integer 16-bit unsigned
+// ...
+//
+// from SystemIdentity.mdb:
+// Table: 7 ROLE_IDS (12)
+// Number of columns: 3
 // Column Identifier Name Type
 // 1 1 RoleGuid GUID
-// 2 2 TenantId GUID
-// 3 3 TotalAccesses Integer 32-bit unsigned
-// 4 4 InsertDate Date and time
-// 5 5 LastAccess Date and time
-// 6 128 Address Binary data
-// 7 256 AuthenticatedUserName Large text
-// 8 257 ClientName Large text
-// 9 258 Day1 Integer 16-bit unsigned
-// 10 259 Day2 Integer 16-bit unsigned
-// 11 260 Day3 Integer 16-bit unsigned
-// ...
-//
-// from SystemIdentity.mdb:
-// Table: 7 ROLE_IDS (12)
-// Number of columns: 3
-// Column Identifier Name Type
-// 1 1 RoleGuid GUID
-// 2 256 ProductName Large text
-// 3 257 RoleName Large text
+// 2 256 ProductName Large text
+// 3 257 RoleName Large text
 type UALEntry struct {
 jsonlog.ObjectHeader
 // AuthenticatedUserName is the user name on the client that accompanies the UAL
 // entries from installed roles and products, if applicable.
- AuthenticatedUserName string `json:"authenticated_user_name" textlog:"authenticated_user_name"`
+ AuthenticatedUserName string `json:"authenticated_user_name" textlog:"authenticated_user_name"`
 // Address is the IP address of a client device that is used to access a role or
 // service.
- Address string `json:"address" textlog:"address"`
+ Address string `json:"address" textlog:"address"`
 // TotalAccesses is the number of times a particular user accessed a role or service.
- TotalAccesses uint32 `json:"total_accesses" textlog:"total_accesses"`
+ TotalAccesses uint32 `json:"total_accesses" textlog:"total_accesses"`
 // RoleGuid is the UAL assigned or registered GUID that represents the server role or
 // installed product.
- RoleGuid uuid.UUID `json:"role_guid" textlog:"role_guid"`
+ RoleGuid uuid.UUID `json:"role_guid" textlog:"role_guid"`
 // RoleName is the name of the role, component, or subproduct that is providing UAL
 // data.
- RoleName string `json:"role_name,omitempty" textlog:"role_name,omitempty"`
+ RoleName string `json:"role_name,omitempty" textlog:"role_name,omitempty"`
 // ProductName is the name of the software parent product, such as Windows, that is
 // providing UAL data. The value can be a GUID or a human-readable string.
- ProductName string `json:"product_name,omitempty" textlog:"product_name,omitempty"`
+ ProductName string `json:"product_name,omitempty" textlog:"product_name,omitempty"`
 // TenantId is a unique GUID for a tenant client of an installed role or product that
 // accompanies the UAL data, if applicable.
- TenantId uuid.UUID `json:"tenant_id" textlog:"tenant_id"`
+ TenantId uuid.UUID `json:"tenant_id" textlog:"tenant_id"`
 // InsertDate is the date and time when an IP address was first used to access a role
 // or service.
- InsertDate time.Time `json:"insert_date" textlog:"insert_date"`
+ InsertDate time.Time `json:"insert_date" textlog:"insert_date"`
 // LastAccess is the date and time when an IP address was last used to access a role
 // or service.
- LastAccess time.Time `json:"last_access" textlog:"last_access"`
+ LastAccess time.Time `json:"last_access" textlog:"last_access"`
 // ClientName. Usually unset.
- ClientName string `json:"client_name,omitempty" textlog:"client_name,omitempty"`
+ ClientName string `json:"client_name,omitempty" textlog:"client_name,omitempty"`
 // AccessesByDay is a map of the number of accesses per day of the year.
- AccessesByDay map[int]uint16 `json:"accesses_by_day" textlog:"-"`
+ AccessesByDay map[int]uint16 `json:"accesses_by_day" textlog:"-"`
 }
 const typeUALEntry = "User Access Log Entry"
@@ -87,4 +87,4 @@ func NewUALEntry() *UALEntry {
 }
 }
-func (UALEntry) reportable() {}
+func (UALEntry) observed() {}
diff --git a/thorlog/v3/users.go b/thorlog/v3/users.go
index 56b2c9e..3321b1a 100644
--- a/thorlog/v3/users.go
+++ b/thorlog/v3/users.go
@@ -15,7 +15,7 @@ type LoggedInUser struct {
 OtherDomains string `json:"other_domains,omitempty" textlog:"other_domains,omitempty"`
 }
-func (LoggedInUser) reportable() {}
+func (LoggedInUser) observed() {}
 const typeLoggedInUser = "logged in user"
@@ -39,7 +39,7 @@ type ProfileFolder struct {
 Created *time.Time `json:"created,omitempty" textlog:"created,omitempty"`
 }
-func (ProfileFolder) reportable() {}
+func (ProfileFolder) observed() {}
 const typeUserProfile = "user profile"
@@ -67,7 +67,7 @@ type UnixUser struct {
 AccessFiles []string `json:"access_files" textlog:"-" jsonschema:"nullable"`
 }
-func (UnixUser) reportable() {}
+func (UnixUser) observed() {}
 const typeUnixUser = "Unix user"
@@ -98,7 +98,7 @@ type WindowsUser struct {
 Comment string `json:"comment" textlog:"comment"`
 }
-func (WindowsUser) reportable() {}
+func (WindowsUser) observed() {}
 const typeWindowsUser = "Windows user"
diff --git a/thorlog/v3/webhistory.go b/thorlog/v3/webhistory.go
index c14ad7e..4dd58d6 100644
--- a/thorlog/v3/webhistory.go
+++ b/thorlog/v3/webhistory.go
@@ -21,7 +21,7 @@ type WebDownload struct {
 File *File `json:"file" textlog:"file,expand"`
 }
-func (WebDownload) reportable() {}
+func (WebDownload) observed() {}
 const typeWebDownload = "web download"
@@ -47,7 +47,7 @@ type WebPageVisit struct {
 Title string `json:"title" textlog:"title"`
 }
-func (WebPageVisit) reportable() {}
+func (WebPageVisit) observed() {}
 const typeWebVisit = "web page visit"
diff --git a/thorlog/v3/winkernel.go b/thorlog/v3/winkernel.go
index 0b54143..1462c47 100644
--- a/thorlog/v3/winkernel.go
+++ b/thorlog/v3/winkernel.go
@@ -5,7 +5,7 @@ type WindowsEvent struct {
 Event string `json:"event" textlog:"event"`
 }
-func (WindowsEvent) reportable() {}
+func (WindowsEvent) observed() {}
 const typeWindowsEvent = "event"
@@ -26,7 +26,7 @@ type WindowsMutex struct {
 Mutex string `json:"mutex" textlog:"mutex"`
 }
-func (WindowsMutex) reportable() {}
+func (WindowsMutex) observed() {}
 const typeWindowsMutex = "mutex"
diff --git a/thorlog/v3/wmi.go b/thorlog/v3/wmi.go
index c13f6aa..5c1ed86 100644
--- a/thorlog/v3/wmi.go
+++ b/thorlog/v3/wmi.go
@@ -16,7 +16,7 @@ type WmiElement struct {
 Eventconsumer string `json:"event_consumer" textlog:"eventconsumer"`
 }
-func (WmiElement) reportable() {}
+func (WmiElement) observed() {}
 const typeWmiElement = "WMI element"
@@ -37,7 +37,7 @@ type WmiStartupCommand struct {
 Command string `json:"command" textlog:"command"`
 }
-func (WmiStartupCommand) reportable() {}
+func (WmiStartupCommand) observed() {}
 const typeWmiStartupCommand = "WMI startup command"