update

2025-12-07 17:52:49 +01:00 · 2025-03-12 18:06:31 +09:00
parent 92ac146f88
commit 33ececa3a0
2 changed files with 21 additions and 6 deletions
--- a/config/WELA.ps1
+++ b/config/WELA.ps1
@@ -9,6 +9,7 @@ $filteredOutput | ForEach-Object {
        [void]$extractedStrings.Add($matches[1])
    }
 }
+[void]$extractedStrings.Add("00000000-0000-0000-0000-000000000000")

 # Step 2: Read the rules from security_rules.json
 $jsonFilePath = "./config/security_rules.json"
--- a/wela-extractor/src/main.rs
+++ b/wela-extractor/src/main.rs
@@ -61,14 +61,14 @@ fn extract_event_ids(yaml: &Yaml, event_ids: &mut HashSet<String>) {
 fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> {
    if let Some(logsource) = doc["logsource"].as_hash() {
        if let Some(service) = logsource.get(&Yaml::from_str("service")) {
+            let uuid = doc["id"].as_str().unwrap_or("");
+            let title = doc["title"].as_str().unwrap_or("");
+            let desc = doc["description"].as_str().unwrap_or("");
+            let level = doc["level"].as_str().unwrap_or("");
+            let mut event_ids = HashSet::new();
+            let mut subcategories = HashSet::new();
            if service.as_str() == Some("security") {
-                let uuid = doc["id"].as_str().unwrap_or("");
-                let title = doc["title"].as_str().unwrap_or("");
-                let desc = doc["description"].as_str().unwrap_or("");
-                let level = doc["level"].as_str().unwrap_or("");
-                let mut event_ids = HashSet::new();
                extract_event_ids(&doc, &mut event_ids);
-                let mut subcategories = HashSet::new();
                for event_id in &event_ids {
                    for (eid, subcategory) in eid_subcategory_pair {
                        if eid == event_id {
@@ -86,6 +86,20 @@ fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option
                    "event_ids": event_ids,
                    "subcategory_guids": subcategories
                }));
+            } else if let Some(tags) = doc["tags"].as_vec() {
+                if !tags.contains(&Yaml::from_str("sysmon")) {
+                    subcategories.insert("00000000-0000-0000-0000-000000000000".to_string());
+                    let event_ids: Vec<String> = event_ids.into_iter().collect();
+                    let subcategories: Vec<String> = subcategories.into_iter().collect();
+                    return Some(json!({
+                        "id": uuid,
+                        "title": title,
+                        "description": desc,
+                        "level": level,
+                        "event_ids": event_ids,
+                        "subcategory_guids": subcategories
+                    }));
+                }
            }
        }
    }