feat: show alert level for stacking command

[fukusuket]

What Changed

• Closed: show alert levels and rule names for stacking commands #112
• Related: Refactoring duplicate code #99
  • Refactor: I made the duplicated stack command logic into a function and deleted it.
  • Test: added integration-test case

Standard output specifications

• Output Count, level, RuleTitle in table layout
• Sort by level(cirt -> high -> med -> low)
• If the number of alerts is the same, sort in alphabetical order

I tried creating it with the above specifications, but what do you think? Please let me know if there is anything that should be changed :)

Test

In the integration test below, I confirmed that the altert level is output to stdout.

• https://github.com/Yamato-Security/takajo/actions/runs/7942064926/job/21684997377

I would appreciate it if you could check it out when you have time🙏

[YamatoSecurity]

@fukusuket Thanks so much! Sorry, I don't think my explanation was good. I want to combine all of these into one big table.

So the columns would be Count, Cmdline, NumOfAlerts, Levels, Alerts. Both when outputting to terminal and saving the CSV. I like how you sort by alert level first, and then how many alerts there were. Let's keep this order.
Sometimes command lines are very long, so we probably need to specify how many characters in a single line and do word wrapping so that the table does not overflow the screen.

[fukusuket]

@YamatoSecurity
Thank you so much for checking :) I have changed it as follows
https://github.com/Yamato-Security/takajo/actions/runs/7949301433/job/21700287941

Also, depending on the command,
there seemed to be a lot of noise when the info level was output..., so I tried adding the --level option.

• --level informational(default): stack-dns/tasks/services
• --level low(default): stack-processes/cmdlines

what do you think?

[YamatoSecurity]

@fukusuket Thanks for adding the --level option! stack-services was using sysmon instead of system so I fixed it.
Sorry, just a few more things. Can you add an Event column after the Count that displays where the event came from. For example Sec-4688, Sysmon-1, System-7050, etc...
Also, combining the results with -> is harder to read than I first thought. Is it possible to separate in new columns instead of in the same column separated by -> ?

[fukusuket]

@YamatoSecurity
Thank you so much for checking and fixing :) I implemented #113 (comment) ! what do you think?
https://github.com/Yamato-Security/takajo/actions/runs/7961384382/job/21732479063

[YamatoSecurity]

@fukusuket Looks great! Thanks so much. I changed the , separator to | to make it easier to read and added some messages about what log events are being used. If my commits look ok, please merge this.

[fukusuket]

@YamatoSecurity
Thank you so much! | is easier to read :) I was able to confirm that it works properly!

[hitenkoku]

LGTM