update

2025-12-06 09:12:46 +01:00 · 2025-03-12 00:15:34 +09:00
parent a8c71809a5
commit 22ee0beeb8
3 changed files with 101 additions and 1 deletions
--- a/.github/workflows/check-audit.yml
+++ b/.github/workflows/check-audit.yml
@@ -43,4 +43,8 @@ jobs:
            $audit_settings
            $endTime = Get-Date
            $duration = $endTime - $startTime
-            Write-Output "Duration: $duration"
+            Write-Output "Duration: $duration"
+
+      - name: Run
+        run: |
+          ./config/WELA.ps1
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ Cargo.lock
 **/*.rs.bk
 *.pdb
 .idea/
+*.csv
--- a/config/WELA.ps1
+++ b/config/WELA.ps1
@@ -0,0 +1,95 @@
+# Step 1: Run the auditpol command using cmd.exe and capture its output
+$auditpolOutput = Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -RedirectStandardOutput -PassThru | ForEach-Object { $_.StandardOutput.ReadToEnd() }
+$filteredOutput = $auditpolOutput | Select-String -Pattern '^(?!.*No Auditing).*{.*}$' -AllMatches | ForEach-Object { $_.Matches.Value }
+$extractedStrings = [System.Collections.Generic.HashSet[string]]::new()
+$filteredOutput | ForEach-Object {
+    if ($_ -match '{(.*?)}') {
+        $extractedStrings.Add($matches[1])
+    }
+}
+
+# Step 2: Read the rules from security_rules.json
+$jsonFilePath = "security_rules.json"
+$jsonContent = Get-Content -Path $jsonFilePath -Raw | ConvertFrom-Json
+
+foreach ($rule in $jsonContent) {
+    $rule | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false
+    foreach ($guid in $rule.subcategory_guids) {
+        if ($filteredOutput -contains $guid) {
+            $rule.applicable = $true
+            break
+        }
+    }
+}
+$rules = $jsonContent
+
+# Step 4: Count the number of usable and unusable rules for each level
+$usableRules = $rules | Where-Object { $_.applicable -eq $true }
+$unusableRules = $rules | Where-Object { $_.applicable -eq $false }
+
+$totalCounts = $rules | Group-Object -Property level | ForEach-Object {
+    [PSCustomObject]@{
+        Level = $_.Name
+        Count = $_.Count
+    }
+}
+
+$usableCounts = $usableRules | Group-Object -Property level | ForEach-Object {
+    [PSCustomObject]@{
+        Level = $_.Name
+        Count = $_.Count
+    }
+}
+
+$unusableCounts = $unusableRules | Group-Object -Property level | ForEach-Object {
+    [PSCustomObject]@{
+        Level = $_.Name
+        Count = $_.Count
+    }
+}
+
+# Step 5: Calculate the percentages
+$usablePercentages = $usableCounts | ForEach-Object {
+    $total = ($totalCounts | Where-Object Level -match $PSItem.Level | Select-Object -ExpandProperty Count)[0]
+    [PSCustomObject]@{
+        Level = $PSItem.Level
+        UsableCount = $PSItem.Count
+        TotalCount = $total
+        Percentage = "{0:N2}" -f ($PSItem.Count / $total * 100)
+    }
+}
+
+$unusablePercentages = $unusableCounts | ForEach-Object {
+    $total = ($totalCounts | Where-Object Level -match $PSItem.Level | Select-Object -ExpandProperty Count)[0]
+    [PSCustomObject]@{
+        Level = $PSItem.Level
+        UnusableCount = $PSItem.Count
+        TotalCount = $total
+        Percentage = "{0:N2}" -f ($PSItem.Count / $total * 100)
+    }
+}
+
+# Step 6: Generate the required outputtotal
+Write-Output "Checking event log audit settings. Please wait."
+Write-Output ""
+Write-Output "Detection rules that can be used on this system versus total possible rules:"
+$usablePercentages | ForEach-Object {
+    Write-Output "$($_.Level) rules: $($_.UsableCount) / $($_.TotalCount) ($($_.Percentage)%)"
+}
+Write-Output ""
+Write-Output "Detection rules that cannot be used on this system:"
+$unusablePercentages | ForEach-Object {
+    Write-Output "$($_.Level) rules: $($_.UnusableCount) / $($_.TotalCount) ($($_.Percentage)%)"
+}
+Write-Output ""
+Write-Output "Usable detection rules list saved to: UsableRules.csv"
+Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
+Write-Output ""
+$totalUsable = ($usablePercentages | Measure-Object -Property UsableCount -Sum).Sum
+$totalRulesCount = ($totalRules | Measure-Object -Property Count -Sum).Sum
+$utilizationPercentage = ($totalUsable / $totalRulesCount) * 100
+Write-Output "You can only utilize $utilizationPercentage% of your Security detection rules."
+
+# Step 7: Save the lists of usable and unusable rules to CSV files
+$usableRules | Export-Csv -Path "UsableRules.csv" -NoTypeInformation
+$unusableRules | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation