From 22ee0beeb8e475ecb0a9d0c6c601882df8a0bb2f Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 12 Mar 2025 00:15:34 +0900
Subject: [PATCH] update

---
 .github/workflows/check-audit.yml |  6 +-
 .gitignore                        |  1 +
 config/WELA.ps1                   | 95 +++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 config/WELA.ps1

diff --git a/.github/workflows/check-audit.yml b/.github/workflows/check-audit.yml
index 2d009081..b3ea6b2b 100644
--- a/.github/workflows/check-audit.yml
+++ b/.github/workflows/check-audit.yml
@@ -43,4 +43,8 @@ jobs:
             $audit_settings
             $endTime = Get-Date
             $duration = $endTime - $startTime
-            Write-Output "Duration: $duration"
\ No newline at end of file
+            Write-Output "Duration: $duration"
+
+      - name: Run
+        run: |
+          ./config/WELA.ps1
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index a4096bbe..a664a8f4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ Cargo.lock
 **/*.rs.bk
 *.pdb
 .idea/
+*.csv
\ No newline at end of file
diff --git a/config/WELA.ps1 b/config/WELA.ps1
new file mode 100644
index 00000000..28e4fd8f
--- /dev/null
+++ b/config/WELA.ps1
@@ -0,0 +1,95 @@
+# Step 1: Run the auditpol command using cmd.exe and capture its output
+$auditpolOutput = Start-Process -FilePath "cmd.exe" -ArgumentList "/c chcp 437 & auditpol /get /category:* /r" -NoNewWindow -RedirectStandardOutput -PassThru | ForEach-Object { $_.StandardOutput.ReadToEnd() }
+$filteredOutput = $auditpolOutput | Select-String -Pattern '^(?!.*No Auditing).*{.*}$' -AllMatches | ForEach-Object { $_.Matches.Value }
+$extractedStrings = [System.Collections.Generic.HashSet[string]]::new()
+$filteredOutput | ForEach-Object {
+    if ($_ -match '{(.*?)}') {
+        $extractedStrings.Add($matches[1])
+    }
+}
+
+# Step 2: Read the rules from security_rules.json
+$jsonFilePath = "security_rules.json"
+$jsonContent = Get-Content -Path $jsonFilePath -Raw | ConvertFrom-Json
+
+foreach ($rule in $jsonContent) {
+    $rule | Add-Member -MemberType NoteProperty -Name "applicable" -Value $false
+    foreach ($guid in $rule.subcategory_guids) {
+        if ($filteredOutput -contains $guid) {
+            $rule.applicable = $true
+            break
+        }
+    }
+}
+$rules = $jsonContent
+
+# Step 4: Count the number of usable and unusable rules for each level
+$usableRules = $rules | Where-Object { $_.applicable -eq $true }
+$unusableRules = $rules | Where-Object { $_.applicable -eq $false }
+
+$totalCounts = $rules | Group-Object -Property level | ForEach-Object {
+    [PSCustomObject]@{
+        Level = $_.Name
+        Count = $_.Count
+    }
+}
+
+$usableCounts = $usableRules | Group-Object -Property level | ForEach-Object {
+    [PSCustomObject]@{
+        Level = $_.Name
+        Count = $_.Count
+    }
+}
+
+$unusableCounts = $unusableRules | Group-Object -Property level | ForEach-Object {
+    [PSCustomObject]@{
+        Level = $_.Name
+        Count = $_.Count
+    }
+}
+
+# Step 5: Calculate the percentages
+$usablePercentages = $usableCounts | ForEach-Object {
+    $total = ($totalCounts | Where-Object Level -match $PSItem.Level | Select-Object -ExpandProperty Count)[0]
+    [PSCustomObject]@{
+        Level = $PSItem.Level
+        UsableCount = $PSItem.Count
+        TotalCount = $total
+        Percentage = "{0:N2}" -f ($PSItem.Count / $total * 100)
+    }
+}
+
+$unusablePercentages = $unusableCounts | ForEach-Object {
+    $total = ($totalCounts | Where-Object Level -match $PSItem.Level | Select-Object -ExpandProperty Count)[0]
+    [PSCustomObject]@{
+        Level = $PSItem.Level
+        UnusableCount = $PSItem.Count
+        TotalCount = $total
+        Percentage = "{0:N2}" -f ($PSItem.Count / $total * 100)
+    }
+}
+
+# Step 6: Generate the required outputtotal
+Write-Output "Checking event log audit settings. Please wait."
+Write-Output ""
+Write-Output "Detection rules that can be used on this system versus total possible rules:"
+$usablePercentages | ForEach-Object {
+    Write-Output "$($_.Level) rules: $($_.UsableCount) / $($_.TotalCount) ($($_.Percentage)%)"
+}
+Write-Output ""
+Write-Output "Detection rules that cannot be used on this system:"
+$unusablePercentages | ForEach-Object {
+    Write-Output "$($_.Level) rules: $($_.UnusableCount) / $($_.TotalCount) ($($_.Percentage)%)"
+}
+Write-Output ""
+Write-Output "Usable detection rules list saved to: UsableRules.csv"
+Write-Output "Unusable detection rules list saved to: UnusableRules.csv"
+Write-Output ""
+$totalUsable = ($usablePercentages | Measure-Object -Property UsableCount -Sum).Sum
+$totalRulesCount = ($totalRules | Measure-Object -Property Count -Sum).Sum
+$utilizationPercentage = ($totalUsable / $totalRulesCount) * 100
+Write-Output "You can only utilize $utilizationPercentage% of your Security detection rules."
+
+# Step 7: Save the lists of usable and unusable rules to CSV files
+$usableRules | Export-Csv -Path "UsableRules.csv" -NoTypeInformation
+$unusableRules | Export-Csv -Path "UnusableRules.csv" -NoTypeInformation
\ No newline at end of file