From 33ececa3a0cc0ce56ba9e8846f39a28d9b87f1ed Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Wed, 12 Mar 2025 18:06:31 +0900
Subject: [PATCH] update

---
config/WELA.ps1 | 1 +
wela-extractor/src/main.rs | 26 ++++++++++++++++++++------
2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/config/WELA.ps1 b/config/WELA.ps1
index 9bb0bef9..bb7e666c 100644
--- a/config/WELA.ps1
+++ b/config/WELA.ps1
@@ -9,6 +9,7 @@ $filteredOutput | ForEach-Object {
 [void]$extractedStrings.Add($matches[1])
 }
 }
+[void]$extractedStrings.Add("00000000-0000-0000-0000-000000000000")
 
 # Step 2: Read the rules from security_rules.json
 $jsonFilePath = "./config/security_rules.json"
diff --git a/wela-extractor/src/main.rs b/wela-extractor/src/main.rs
index 746f3857..f2edee63 100644
--- a/wela-extractor/src/main.rs
+++ b/wela-extractor/src/main.rs
@@ -61,14 +61,14 @@ fn extract_event_ids(yaml: &Yaml, event_ids: &mut HashSet) {
 fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option {
 if let Some(logsource) = doc["logsource"].as_hash() {
 if let Some(service) = logsource.get(&Yaml::from_str("service")) {
+ let uuid = doc["id"].as_str().unwrap_or("");
+ let title = doc["title"].as_str().unwrap_or("");
+ let desc = doc["description"].as_str().unwrap_or("");
+ let level = doc["level"].as_str().unwrap_or("");
+ let mut event_ids = HashSet::new();
+ let mut subcategories = HashSet::new();
 if service.as_str() == Some("security") {
- let uuid = doc["id"].as_str().unwrap_or("");
- let title = doc["title"].as_str().unwrap_or("");
- let desc = doc["description"].as_str().unwrap_or("");
- let level = doc["level"].as_str().unwrap_or("");
- let mut event_ids = HashSet::new();
 extract_event_ids(&doc, &mut event_ids);
- let mut subcategories = HashSet::new();
 for event_id in &event_ids {
 for (eid, subcategory) in eid_subcategory_pair {
 if eid == event_id {
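Review bot: The added `[void]$extractedStrings.Add("00000000-0000-0000-0000-000000000000")` seeds the list of enabled audit-subcategory GUIDs with a literal that presumably has to match the placeholder `wela-extractor` writes into `subcategory_guids` in the same commit, yet nothing marks it as a sentinel, so a reader will take it for a real subcategory GUID that is always enabled. Add a comment above it such as `# Placeholder GUID emitted by wela-extractor for rules that are neither Security-log nor sysmon rules; keep in sync with wela-extractor/src/main.rs`. If the matching in Step 2 is a plain string comparison (not visible here), a later change to either literal would silently stop those rules from matching. The `ForEach-Object` block closed by the two braces above starts outside the hunk.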
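Review bot: The hoisted `let uuid = doc["id"].as_str().unwrap_or("");` now supplies the `id` field for every rule the function emits, so a rule lacking an `id` key is written out with `"id": ""` instead of being rejected, and the same holds for `level`. Since `parse_yaml` already returns `Option`, dropping such a rule is a one-token change: `let uuid = doc["id"].as_str()?;`. Whether an empty id is tolerated downstream is not visible from this hunk, so treat this as a suggestion to confirm against the PowerShell consumer. `parse_yaml`'s body continues past the end of the hunk.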
@@ -86,6 +86,20 @@ fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option
 "event_ids": event_ids,
 "subcategory_guids": subcategories
 }));
+ } else if let Some(tags) = doc["tags"].as_vec() {
+ if !tags.contains(&Yaml::from_str("sysmon")) {
+ subcategories.insert("00000000-0000-0000-0000-000000000000".to_string());
+ let event_ids: Vec = event_ids.into_iter().collect();
+ let subcategories: Vec = subcategories.into_iter().collect();
+ return Some(json!({
+ "id": uuid,
+ "title": title,
+ "description": desc,
+ "level": level,
+ "event_ids": event_ids,
+ "subcategory_guids": subcategories
+ }));
+ }
 }
 }
 }
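Review bot: The new `else if let Some(tags) = doc["tags"].as_vec()` branch drops a non-Security rule that has no `tags` key at all (it falls out of both branches and is never emitted) while emitting one whose tags list merely lacks `sysmon`, so two equally non-sysmon rules diverge on the presence of the key; I cannot tell from here whether tag-less rules occur in the corpus, but the asymmetry looks unintended. Folding the test into the condition removes it: `} else if !doc["tags"].as_vec().map_or(false, |tags| tags.contains(&Yaml::from_str("sysmon"))) {`, with the inner `if` and its closing brace dropped. Note also that `extract_event_ids` is only called in the `security` branch above (outside this hunk), so `event_ids` in this branch's output is always empty — if that is intended, a one-line comment such as `// non-Security channels carry no audit-policy mapping; event_ids stays empty` would save the next reader a search. The literal `"00000000-0000-0000-0000-000000000000"`, which is duplicated in WELA.ps1, would be clearer as a named `const` at the top of the file; the `if let` chain closed by the trailing braces starts outside the hunk.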