CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 09:12:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: verbose security

Browse Source
This commit is contained in:
fukusuket
2025-04-02 10:22:04 +09:00
parent c21700572e
commit 4f9fab2523
2 changed files with 37 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
WELA.ps1
View File

@@ -72,7 +72,7 @@ ShowRulesCountsByLevel -usableRate $usablePwsClaRate -msg "PowerShell classic lo
ShowRulesCountsByLevel -usableRate $usablePwsModRate -msg "PowerShell module logging detection rules: " -colorMsg "$totalUsablePwsModRate ($pwsModStatus)"
ShowRulesCountsByLevel -usableRate $usablePwsScrRate -msg "PowerShell script block logging detection rules: " -colorMsg "$totalUsablePwsScrRate ($pwsSrcStatus)"
ShowRulesCountsByLevel -usableRate $usableSecRate -msg "Security event log detection rules: " -colorMsg "$totalUsableSecRate (Partially Enabled)"
ShowVerboseSecurity
ShowVerboseSecurity -rules $rules
Write-Output "Usable detection rules list saved to: UsableRules.csv"
Write-Output "Unusable detection rules list saved to: UnusableRules.csv"

36
WELAVerboseSecAudit.psm1
View File

@@ -1,4 +1,40 @@
function Get-RuleCounts {
param (
[string]$guid,
[array]$rules
)
$filteredRules = $rules | Where-Object { $_.subcategory_guids -contains $guid }
if ($filteredRules.Count -eq 0) {
return "no rules"
}
$groupedRules = $filteredRules | Group-Object -Property level
$levels = @("critical", "high", "medium", "low", "informational")
$counts = @{}
foreach ($level in $levels) {
$counts[$level] = 0
}
foreach ($group in $groupedRules) {
$counts[$group.Name] = $group.Count
}
$status = if ($filteredRules[0].applicable) { "enabled" } else { "disabled" }
$result = "$status ("
$result += $levels | ForEach-Object { "$_: $($counts[$_])" } -join " | "
$result += ")"
return $result
}
function ShowVerboseSecurity {
param (
[array]$rules
)
Get-RuleCounts -guid "0CCE9226-69AE-11D9-BED3-505054503030" -rules $rules
$m_credential_validation = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
$m_kerberos_authentication_service = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"
$m_kerberos_sevice_ticket_operations = "disabled (critical: 10 | high: 100 | medium | low: 10, info: 1000)"