CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 17:22:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
fukusuket
2025-03-15 11:00:55 +09:00
parent 65ff0c495d
commit 74c12268af
1 changed files with 25 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
wela-extractor/src/main.rs
View File

@@ -73,26 +73,40 @@ fn extract_event_ids(yaml: &Yaml, event_ids: &mut HashSet<String>) {
} }
} }
fn contains_channel_security(yaml: &Yaml) -> Option<Channel> { fn contains_builtin_channel(yaml: &Yaml) -> Option<Channel> {
fn check_channel(value: &Yaml) -> Option<Channel> {
match value.as_str() {
Some("Security") => Some(Channel::Security),
Some("Microsoft-Windows-PowerShell/Operational")
| Some("PowerShellCore/Operational")
| Some("Windows PowerShell") => Some(Channel::PowerShell),
_ => None,
}
}
match yaml { match yaml {
Yaml::Hash(hash) => { Yaml::Hash(hash) => {
for (key, value) in hash { for (key, value) in hash {
if key.as_str() == Some("Channel") { if key.as_str() == Some("Channel") {
match value.as_str() { match value {
Some("Security") => return Some(Channel::Security), Yaml::Array(array) => {
Some("Microsoft-Windows-PowerShell/Operational") for item in array {
| Some("PowerShellCore/Operational") if let Some(channel) = check_channel(item) {
| Some("Windows PowerShell") => return Some(Channel::PowerShell), return Some(channel);
_ => None::<Channel>, }
}; }
} else if let Some(channel) = contains_channel_security(value) { }
Yaml::String(_) => return check_channel(value),
_ => {}
}
} else if let Some(channel) = contains_builtin_channel(value) {
return Some(channel); return Some(channel);
} }
} }
} }
Yaml::Array(array) => { Yaml::Array(array) => {
for item in array { for item in array {
if let Some(channel) = contains_channel_security(item) { if let Some(channel) = contains_builtin_channel(item) {
return Some(channel); return Some(channel);
} }
} }
@@ -103,7 +117,7 @@ fn contains_channel_security(yaml: &Yaml) -> Option<Channel> {
} }
fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> { fn parse_yaml(doc: Yaml, eid_subcategory_pair: &Vec<(String, String)>) -> Option<Value> {
if let Some(ch) = contains_channel_security(&doc["detection"]) { if let Some(ch) = contains_builtin_channel(&doc["detection"]) {
let uuid = doc["id"].as_str().unwrap_or(""); let uuid = doc["id"].as_str().unwrap_or("");
let title = doc["title"].as_str().unwrap_or(""); let title = doc["title"].as_str().unwrap_or("");
let level = doc["level"].as_str().unwrap_or(""); let level = doc["level"].as_str().unwrap_or("");