add csv

2025-12-06 17:22:50 +01:00 · 2025-03-09 15:31:47 +09:00
parent 5e76eaf0d4
commit 11c13491d8
3 changed files with 46 additions and 124 deletions
--- a/.github/workflows/create-csv.yml
+++ b/.github/workflows/create-csv.yml
@@ -1,55 +0,0 @@
 name: Create auditpol_output.csv
 on:
  push:
    branches: [ "main" ]
  workflow_dispatch:
 jobs:
  build:
    runs-on: windows-2022
    steps:
      - uses: actions/checkout@v4
      - name: Generate csv from auditpol /list /subcategory:* /r
        run: |
              $data = auditpol /list /subcategory:* /r
              $output = @()
              $category = ""
              foreach ($line in $data) {
                  if ($line -match "^Category/Subcategory") { continue }
                  if ($line -match "^\s+(.+),\{(.+)\}$") {
                      $subcategory = $matches[1].Trim()
                      $guid = $matches[2].Trim()
                      $output += [PSCustomObject]@{
                          Category    = $category
                          Subcategory = $subcategory
                          GUID        = $guid
                      }
                  } elseif ($line -match "^(.+),\{(.+)\}$") {
                      $category = $matches[1].Trim()
                      $guid = $matches[2].Trim()
                      $output += [PSCustomObject]@{
                          Category    = $category
                          Subcategory = ""
                          GUID        = $guid
                      }
                  }
              }
              $output | Export-Csv -Path "eid_subcategory_mapping.csv" -NoTypeInformation -Encoding UTF8
              $output | Format-Table -AutoSize
      - name: Configure Git
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
      - name: Commit changes
        run: |
          git add *.csv
          if (git diff-index --quiet HEAD) {
            echo "No changes to commit"
          } else {
            git commit -m "Automated update"
            git push origin main
          }
--- a/config/eid_subcategory_mapping.csv
+++ b/config/eid_subcategory_mapping.csv
@@ -0,0 +1,46 @@
 Category,Subcategory,GUID,Event ID
 System,Security State Change,0CCE9210-69AE-11D9-BED3-505054503030,"4608, 4616, 4621"
 System,Security System Extension,0CCE9211-69AE-11D9-BED3-505054503030,"4610, 4611, 4614, 4622, 4697"
 System,System Integrity,0CCE9212-69AE-11D9-BED3-505054503030,"4612, 4615, 4618, 4816, 5038, 5056, 5057, 5060, 5061, 6281, 6410"
 System,IPsec Driver,0CCE9213-69AE-11D9-BED3-505054503030,"4960, 4961, 4962, 4963, 4965, 5478, 5479, 5480, 5483, 5484, 5485"
 System,Other System Events,0CCE9214-69AE-11D9-BED3-505054503030,"5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409"
 Logon/Logoff,Logon,0CCE9215-69AE-11D9-BED3-505054503030,"4624, 4625, 4648, 4675"
 Logon/Logoff,Logoff,0CCE9216-69AE-11D9-BED3-505054503030,"4634, 4647"
 Logon/Logoff,Account Lockout,0CCE9217-69AE-11D9-BED3-505054503030,4625
 Logon/Logoff,IPsec Main Mode,0CCE9218-69AE-11D9-BED3-505054503030,"4646, 4650, 4651, 4652, 4653, 4655, 4976, 5049, 5453"
 Logon/Logoff,IPsec Quick Mode,0CCE9219-69AE-11D9-BED3-505054503030,"4977, 5451, 5452"
 Logon/Logoff,IPsec Extended Mode,0CCE921A-69AE-11D9-BED3-505054503030,"4978, 4979, 4980, 4981, 4982, 4983, 4984"
 Logon/Logoff,Special Logon,0CCE921B-69AE-11D9-BED3-505054503030,"4672, 4964"
 Logon/Logoff,Other Logon/Logoff Events,0CCE921C-69AE-11D9-BED3-505054503030,"4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633"
 Logon/Logoff,Network Policy Server,0CCE9243-69AE-11D9-BED3-505054503030,"6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280"
 Logon/Logoff,User / Device Claims,0CCE9247-69AE-11D9-BED3-505054503030,4626
 Logon/Logoff,Group Membership,0CCE9249-69AE-11D9-BED3-505054503030,4627
 Object Access,File System,0CCE921D-69AE-11D9-BED3-505054503030,"4656, 4658, 4660, 4663, 4664, 4670, 4985, 5051"
 Object Access,Registry,0CCE921E-69AE-11D9-BED3-505054503030,"4656, 4657, 4658, 4660, 4663, 4670, 5039"
 Object Access,Kernel Object,0CCE921F-69AE-11D9-BED3-505054503030,"4656, 4658, 4660, 4663"
 Object Access,SAM,0CCE9220-69AE-11D9-BED3-505054503030,4661
 Object Access,Certification Services,0CCE9221-69AE-11D9-BED3-505054503030,"4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898"
 Object Access,Application Generated,0CCE9222-69AE-11D9-BED3-505054503030,"4665, 4666, 4667, 4668"
 Object Access,Handle Manipulation,0CCE9223-69AE-11D9-BED3-505054503030,"4658, 4690"
 Object Access,File Share,0CCE9224-69AE-11D9-BED3-505054503030,"5140, 5142, 5143, 5144, 5168"
 Object Access,Filtering Platform Packet Drop,0CCE9225-69AE-11D9-BED3-505054503030,"5152, 5153"
 Object Access,Filtering Platform Connection,0CCE9226-69AE-11D9-BED3-505054503030,"5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159"
 Object Access,Other Object Access Events,0CCE9227-69AE-11D9-BED3-505054503030,"4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890"
 Object Access,Detailed File Share,0CCE9244-69AE-11D9-BED3-505054503030,5145
 Object Access,Removable Storage,0CCE9245-69AE-11D9-BED3-505054503030,"4656, 4658, 4663"
 Object Access,Central Policy Staging,0CCE9246-69AE-11D9-BED3-505054503030,4818
 Privilege Use,Sensitive Privilege Use,0CCE9228-69AE-11D9-BED3-505054503030,"4673, 4674, 4985"
 Privilege Use,Non Sensitive Privilege Use,0CCE9229-69AE-11D9-BED3-505054503030,"4673, 4674, 4985"
 Privilege Use,Other Privilege Use Events,0CCE922A-69AE-11D9-BED3-505054503030,4985
 Detailed Tracking,Process Creation,0CCE922B-69AE-11D9-BED3-505054503030,"4688, 4696"
 Detailed Tracking,Process Termination,0CCE922C-69AE-11D9-BED3-505054503030,4689
 Detailed Tracking,DPAPI Activity,0CCE922D-69AE-11D9-BED3-505054503030,"4692, 4693, 4694, 4695"
 Detailed Tracking,RPC Events,0CCE922E-69AE-11D9-BED3-505054503030,5712
 Detailed Tracking,Plug and Play Events,0CCE9248-69AE-11D9-BED3-505054503030,"6416, 6419, 6420, 6421, 6422, 6423, 6424"
 Detailed Tracking,Token Right Adjusted Events,0CCE924A-69AE-11D9-BED3-505054503030,4703
 Policy Change,Audit Policy Change,0CCE922F-69AE-11D9-BED3-505054503030,"4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912"
 Policy Change,Authentication Policy Change,0CCE9230-69AE-11D9-BED3-505054503030,"4670, 4706, 4707, 4713, 4716, 4717, 4718, 4739, 4864, 4865, 4866, 4867"
 Policy Change,Authorization Policy Change,0CCE9231-69AE-11D9-BED3-505054503030,"4670, 4703, 4704, 4705, 4911, 4913"
 Policy Change,Filtering Platform Policy Change,0CCE9233-69AE-11D9-BED3-505054503030,"4709, 4710, 4711, 4712, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048"
 Policy Change,MPSSVC Rule-Level Policy Change,0CCE9232-69AE-11D9-BED3-505054503030,"4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958"
 Policy Change,Other Policy Change Events,0CCE9234-69AE-11D9-BED3-505054503030,"4714, 4819, 4826, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070"
--- a/eid_subcategory_mapping.csv
+++ b/eid_subcategory_mapping.csv
@@ -1,69 +0,0 @@
 "Category","Subcategory","GUID"
 "System","","69979848-797A-11D9-BED3-505054503030"
 "System","Security State Change","0CCE9210-69AE-11D9-BED3-505054503030"
 "System","Security System Extension","0CCE9211-69AE-11D9-BED3-505054503030"
 "System","System Integrity","0CCE9212-69AE-11D9-BED3-505054503030"
 "System","IPsec Driver","0CCE9213-69AE-11D9-BED3-505054503030"
 "System","Other System Events","0CCE9214-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","","69979849-797A-11D9-BED3-505054503030"
 "Logon/Logoff","Logon","0CCE9215-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","Logoff","0CCE9216-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","Account Lockout","0CCE9217-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","IPsec Main Mode","0CCE9218-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","IPsec Quick Mode","0CCE9219-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","IPsec Extended Mode","0CCE921A-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","Special Logon","0CCE921B-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","Other Logon/Logoff Events","0CCE921C-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","Network Policy Server","0CCE9243-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","User / Device Claims","0CCE9247-69AE-11D9-BED3-505054503030"
 "Logon/Logoff","Group Membership","0CCE9249-69AE-11D9-BED3-505054503030"
 "Object Access","","6997984A-797A-11D9-BED3-505054503030"
 "Object Access","File System","0CCE921D-69AE-11D9-BED3-505054503030"
 "Object Access","Registry","0CCE921E-69AE-11D9-BED3-505054503030"
 "Object Access","Kernel Object","0CCE921F-69AE-11D9-BED3-505054503030"
 "Object Access","SAM","0CCE9220-69AE-11D9-BED3-505054503030"
 "Object Access","Certification Services","0CCE9221-69AE-11D9-BED3-505054503030"
 "Object Access","Application Generated","0CCE9222-69AE-11D9-BED3-505054503030"
 "Object Access","Handle Manipulation","0CCE9223-69AE-11D9-BED3-505054503030"
 "Object Access","File Share","0CCE9224-69AE-11D9-BED3-505054503030"
 "Object Access","Filtering Platform Packet Drop","0CCE9225-69AE-11D9-BED3-505054503030"
 "Object Access","Filtering Platform Connection","0CCE9226-69AE-11D9-BED3-505054503030"
 "Object Access","Other Object Access Events","0CCE9227-69AE-11D9-BED3-505054503030"
 "Object Access","Detailed File Share","0CCE9244-69AE-11D9-BED3-505054503030"
 "Object Access","Removable Storage","0CCE9245-69AE-11D9-BED3-505054503030"
 "Object Access","Central Policy Staging","0CCE9246-69AE-11D9-BED3-505054503030"
 "Privilege Use","","6997984B-797A-11D9-BED3-505054503030"
 "Privilege Use","Sensitive Privilege Use","0CCE9228-69AE-11D9-BED3-505054503030"
 "Privilege Use","Non Sensitive Privilege Use","0CCE9229-69AE-11D9-BED3-505054503030"
 "Privilege Use","Other Privilege Use Events","0CCE922A-69AE-11D9-BED3-505054503030"
 "Detailed Tracking","","6997984C-797A-11D9-BED3-505054503030"
 "Detailed Tracking","Process Creation","0CCE922B-69AE-11D9-BED3-505054503030"
 "Detailed Tracking","Process Termination","0CCE922C-69AE-11D9-BED3-505054503030"
 "Detailed Tracking","DPAPI Activity","0CCE922D-69AE-11D9-BED3-505054503030"
 "Detailed Tracking","RPC Events","0CCE922E-69AE-11D9-BED3-505054503030"
 "Detailed Tracking","Plug and Play Events","0CCE9248-69AE-11D9-BED3-505054503030"
 "Detailed Tracking","Token Right Adjusted Events","0CCE924A-69AE-11D9-BED3-505054503030"
 "Policy Change","","6997984D-797A-11D9-BED3-505054503030"
 "Policy Change","Audit Policy Change","0CCE922F-69AE-11D9-BED3-505054503030"
 "Policy Change","Authentication Policy Change","0CCE9230-69AE-11D9-BED3-505054503030"
 "Policy Change","Authorization Policy Change","0CCE9231-69AE-11D9-BED3-505054503030"
 "Policy Change","MPSSVC Rule-Level Policy Change","0CCE9232-69AE-11D9-BED3-505054503030"
 "Policy Change","Filtering Platform Policy Change","0CCE9233-69AE-11D9-BED3-505054503030"
 "Policy Change","Other Policy Change Events","0CCE9234-69AE-11D9-BED3-505054503030"
 "Account Management","","6997984E-797A-11D9-BED3-505054503030"
 "Account Management","User Account Management","0CCE9235-69AE-11D9-BED3-505054503030"
 "Account Management","Computer Account Management","0CCE9236-69AE-11D9-BED3-505054503030"
 "Account Management","Security Group Management","0CCE9237-69AE-11D9-BED3-505054503030"
 "Account Management","Distribution Group Management","0CCE9238-69AE-11D9-BED3-505054503030"
 "Account Management","Application Group Management","0CCE9239-69AE-11D9-BED3-505054503030"
 "Account Management","Other Account Management Events","0CCE923A-69AE-11D9-BED3-505054503030"
 "DS Access","","6997984F-797A-11D9-BED3-505054503030"
 "DS Access","Directory Service Access","0CCE923B-69AE-11D9-BED3-505054503030"
 "DS Access","Directory Service Changes","0CCE923C-69AE-11D9-BED3-505054503030"
 "DS Access","Directory Service Replication","0CCE923D-69AE-11D9-BED3-505054503030"
 "DS Access","Detailed Directory Service Replication","0CCE923E-69AE-11D9-BED3-505054503030"
 "Account Logon","","69979850-797A-11D9-BED3-505054503030"
 "Account Logon","Credential Validation","0CCE923F-69AE-11D9-BED3-505054503030"
 "Account Logon","Kerberos Service Ticket Operations","0CCE9240-69AE-11D9-BED3-505054503030"
 "Account Logon","Other Account Logon Events","0CCE9241-69AE-11D9-BED3-505054503030"
 "Account Logon","Kerberos Authentication Service","0CCE9242-69AE-11D9-BED3-505054503030"