From 0560c6b8e4422e61fe010fc0eb5b331846727a19 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 14 Apr 2025 08:51:53 +0900
Subject: [PATCH] chg: add other log

---
 WELA.ps1 | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 77 insertions(+), 1 deletion(-)

diff --git a/WELA.ps1 b/WELA.ps1
index 75a47140..040ad193 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -195,6 +195,78 @@ function AuditLogSetting {
 }
 $auditResult = @()
 
+ # Application
+ $guid = ""
+ $eids = @()
+ $channels = @("Application")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "Application",
+ "",
+ $enabled,
+ $rules,
+ "Enabled. 20 MB",
+ "Enabled. 128 MB+",
+ "",
+ ""
+ )
+
+ # Applocker
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-AppLocker/MSI and Script")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "AppLocker",
+ "",
+ $enabled,
+ $rules,
+ "Enabled if AppLocker is enabled? 1 MB",
+ "Enabled. 256 MB+",
+ "",
+ ""
+ )
+
+ # Bits-Client Operational
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-Bits-Client/Operational")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "Bits-Client Operational",
+ "",
+ $enabled,
+ $rules,
+ "Enabled. 1 MB",
+ "Enabled. 128 MB+",
+ "",
+ ""
+ )
+
+ # CodeIntegrity Operational
+ $guid = ""
+ $eids = @()
+ $channels = @("Microsoft-Windows-CodeIntegrity/Operational")
+ $enabled = $true
+ $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
+ $rules | ForEach-Object { $_.applicable = $enabled }
+ $auditResult += [WELA]::New(
+ "CodeIntegrity Operational",
+ "",
+ $enabled,
+ $rules,
+ "Enabled. 1 MB",
+ "Enabled. 128 MB+",
+ "",
+ ""
+ )
+
 # PowerShell
 ## Classic
 $guid = ""
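Review bot: `$enabled = $true` is hard-coded for all four new channels, so every rule matched by `RuleFilter` is marked `applicable` and the row reports the log as enabled regardless of the host's actual channel state; for the AppLocker and CodeIntegrity operational channels that is not a safe default, and the AppLocker row's own text (`"Enabled if AppLocker is enabled? 1 MB"`) shows the uncertainty. If this function runs on the audited host, the state can be read instead, e.g. `$cfg = Get-WinEvent -ListLog $channels[0] -ErrorAction SilentlyContinue; $enabled = ($null -ne $cfg) -and $cfg.IsEnabled`, and `$cfg.MaximumSizeInBytes` could replace the hard-coded size text; if the function is meant to work offline, a comment stating that the value is a documented default rather than a measurement would keep the report from being misread. The four blocks are also the same 18 lines with four values changed, so a table plus a loop keeps one copy of the logic. The enclosing function AuditLogSetting begins and ends outside this hunk.
```powershell
# … unchanged: $auditResult = @() …
# One row per channel. The 5th/6th [WELA]::New arguments appear to be the default and
# recommended settings; the key names below are mine — confirm against the WELA class.
$otherLogs = @(
    @{ Name = "Application";               Channel = "Application";                                Default = "Enabled. 20 MB";                        Recommended = "Enabled. 128 MB+" },
    @{ Name = "AppLocker";                 Channel = "Microsoft-Windows-AppLocker/MSI and Script"; Default = "Enabled if AppLocker is enabled? 1 MB"; Recommended = "Enabled. 256 MB+" },
    @{ Name = "Bits-Client Operational";   Channel = "Microsoft-Windows-Bits-Client/Operational";  Default = "Enabled. 1 MB";                         Recommended = "Enabled. 128 MB+" },
    @{ Name = "CodeIntegrity Operational"; Channel = "Microsoft-Windows-CodeIntegrity/Operational"; Default = "Enabled. 1 MB";                        Recommended = "Enabled. 128 MB+" }
)
foreach ($log in $otherLogs) {
    $guid = ""
    $eids = @()
    $channels = @($log.Channel)
    $enabled = $true   # TODO: derive from the channel's real state when running on the host
    $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
    $rules | ForEach-Object { $_.applicable = $enabled }
    $auditResult += [WELA]::New($log.Name, "", $enabled, $rules, $log.Default, $log.Recommended, "", "")
}
# … unchanged: PowerShell Classic block …
```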
@@ -207,7 +279,11 @@ function AuditLogSetting {
 "PowerShell",
 "Classic",
 $enabled,
- $rules
+ $rules,
+ "Client OS: No Auditing | Server OS: Success",
+ "Client and Server OSes: Success and Failure",
+ "Depends on NTLM usage. Could be high on DCs and low on clients and servers.",
+ ""
 )
 
 ## Module
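Review bot: The three description strings added to the PowerShell Classic row (`"Client OS: No Auditing | Server OS: Success"`, `"Client and Server OSes: Success and Failure"`, `"Depends on NTLM usage. …"`) describe an audit-policy subcategory, not the Windows PowerShell event channel, which has an enabled/size setting rather than a Success/Failure setting and whose volume is unrelated to NTLM; they appear to have been copied from another row. Unless these columns are intended differently for this row, the text should follow the channel-style rows added earlier in this commit, e.g. `"Enabled. <DEFAULT_SIZE> MB"` and `"Enabled. <RECOMMENDED_SIZE> MB+"` with a volume note specific to the PowerShell log, the sizes filled in once confirmed. The enclosing `[WELA]::New(` call and the AuditLogSetting function extend beyond this hunk.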