diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml new file mode 100644 index 00000000..163aa24c --- /dev/null +++ b/.github/workflows/docs.yml @@ -0,0 +1,66 @@ +name: Deploy docs to GitHub Pages + +# Build the Material for MkDocs site in website/ and publish it to GitHub Pages. +# One-time setup: Settings -> Pages -> Source: "GitHub Actions". + +on: + push: + branches: [main] + paths: + - "website/**" + - "CHANGELOG.md" + - "CHANGELOG-Japanese.md" + - ".github/workflows/docs.yml" + workflow_dispatch: + +permissions: + contents: read + pages: write + id-token: write + +concurrency: + group: pages + cancel-in-progress: false + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v7 + with: + fetch-depth: 0 + + - name: Set up Python + uses: actions/setup-python@v6 + with: + python-version: "3.x" + cache: pip + + - name: Install dependencies + run: pip install -r website/requirements.txt + + - name: Sync changelog into docs + run: python website/scripts/sync_changelog.py + + - name: Build site (strict) + run: mkdocs build --strict --config-file website/mkdocs.yml + + - name: Configure Pages + uses: actions/configure-pages@v6 + + - name: Upload artifact + uses: actions/upload-pages-artifact@v5 + with: + path: website/site + + deploy: + needs: build + runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v5 diff --git a/.gitignore b/.gitignore index e6fa573a..1a20b9fb 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,6 @@ Cargo.lock *.pdb .idea/ *.csv -.DS_Store \ No newline at end of file +.DS_Store +# MkDocs documentation site build output +/website/site/ diff --git a/website/docs/assets/screenshots/WELA-Logo.png b/website/docs/assets/screenshots/WELA-Logo.png new file mode 100644 index 00000000..d358edc7 Binary files /dev/null and b/website/docs/assets/screenshots/WELA-Logo.png differ diff --git a/website/docs/assets/screenshots/configure.png b/website/docs/assets/screenshots/configure.png new file mode 100644 index 00000000..28127c64 Binary files /dev/null and b/website/docs/assets/screenshots/configure.png differ diff --git a/website/docs/assets/screenshots/filesize.png b/website/docs/assets/screenshots/filesize.png new file mode 100644 index 00000000..1363ee66 Binary files /dev/null and b/website/docs/assets/screenshots/filesize.png differ diff --git a/website/docs/assets/screenshots/gui.png b/website/docs/assets/screenshots/gui.png new file mode 100644 index 00000000..d7c957f2 Binary files /dev/null and b/website/docs/assets/screenshots/gui.png differ diff --git a/website/docs/assets/screenshots/mitre.png b/website/docs/assets/screenshots/mitre.png new file mode 100644 index 00000000..ecbee02d Binary files /dev/null and b/website/docs/assets/screenshots/mitre.png differ diff --git a/website/docs/assets/screenshots/startup.png b/website/docs/assets/screenshots/startup.png new file mode 100644 index 00000000..4cd69595 Binary files /dev/null and b/website/docs/assets/screenshots/startup.png differ diff --git a/website/docs/assets/screenshots/stdout.png b/website/docs/assets/screenshots/stdout.png new file mode 100644 index 00000000..83c946dc Binary files /dev/null and b/website/docs/assets/screenshots/stdout.png differ diff --git a/website/docs/assets/screenshots/table.png b/website/docs/assets/screenshots/table.png new file mode 100644 index 00000000..54b21d9f Binary files /dev/null and b/website/docs/assets/screenshots/table.png differ diff --git a/website/docs/commands/index.ja.md b/website/docs/commands/index.ja.md new file mode 100644 index 00000000..36bbab1e --- /dev/null +++ b/website/docs/commands/index.ja.md @@ -0,0 +1,5 @@ +# コマンド一覧 +- `audit-settings`: Windowsイベントログ監査ポリシー設定を評価する +- `audit-filesize`: Windowsイベントログファイルサイズを評価する +- `configure`: 推奨のWindowsイベントログ監査ポリシーとファイズサイズを設定する +- `update-rules`: WELAのSigmaルール設定ファイルを更新する diff --git a/website/docs/commands/index.md b/website/docs/commands/index.md new file mode 100644 index 00000000..a09e167d --- /dev/null +++ b/website/docs/commands/index.md @@ -0,0 +1,5 @@ +# Command List +- `audit-settings`: Check Windows event log audit policy settings. +- `audit-filesize`: Check Windows event log file size. +- `configure`: Configure recommended Windows event log audit policy and file size. +- `update-rules`: Update WELA's Sigma rules config files. diff --git a/website/docs/commands/usage.ja.md b/website/docs/commands/usage.ja.md new file mode 100644 index 00000000..76dacd7e --- /dev/null +++ b/website/docs/commands/usage.ja.md @@ -0,0 +1,55 @@ +# コマンド使用例 +## audit-settings +`audit-settings`コマンドは、Windowsイベントログ監査ポリシー設定を評価し、[Yamato Security](https://github.com/Yamato-Security/EnableWindowsLogSettings)、[Microsoft(Sever/Client)](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)、[Australian Signals Directorate (ASD)](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/windows-event-logging-and-forwarding)の推奨設定と比較します。 +RuleCountは、そのカテゴリ内のイベントを検出できる[Sigmaルール](https://github.com/SigmaHQ/sigma)の数を示します。 + +#### `audit-settings` command examples +YamatoSecurityの推奨設定でチェックし、CSV形式で保存する: +``` +./WELA.ps1 audit-settings -Baseline YamatoSecurity +``` + +Australian Signals Directorateの推奨設定でチェックし、CSV形式で保存する: +``` +./WELA.ps1 audit-settings -Baseline ASD +``` + +Microsoftの推奨設定(Server)でチェックし、GUI形式で表示する: +``` +./WELA.ps1 audit-settings -Baseline Microsoft_Server -OutType gui +``` + +Microsoftの推奨設定(Client)でチェックし、Table形式で表示する: +``` +./WELA.ps1 audit-settings -Baseline Microsoft_Client -OutType table +``` + +## audit-filesize +`audit-filesize`コマンドは、Windowsイベントログファイルサイズを評価し、Yamato Securityの推奨設定と比較します。 + +#### `audit-filesize` command examples +WindowsイベントログファイルサイズをYamatoSecurityの推奨設定でチェックし、CSV形式で保存する: +``` +./WELA.ps1 audit-filesize -Baseline YamatoSecurity +``` + +## configure +`configure`コマンドは、推奨のWindowsイベントログ監査ポリシーとファイルサイズを設定します。 + +#### `configure` command examples +Yamato Securityの推奨設定を適用する(設定変更時に確認プロンプトを表示): +``` +./WELA.ps1 configure -Baseline YamatoSecurity +``` + +Australian Signals Directorateの推奨設定を自動で適用する: +``` +./WELA.ps1 configure -Baseline ASD -auto +``` + +## update-rules +#### `update-rules` command examples +WELAのSigmaルール設定ファイルを更新する: +``` +./WELA.ps1 update-rules +``` diff --git a/website/docs/commands/usage.md b/website/docs/commands/usage.md new file mode 100644 index 00000000..7843242e --- /dev/null +++ b/website/docs/commands/usage.md @@ -0,0 +1,55 @@ +# Command Usage +## audit-settings +The `audit-settings` command checks the Windows event log audit policy settings and compares them with the recommended settings from [Yamato Security](https://github.com/Yamato-Security/EnableWindowsLogSettings), [Microsoft(Sever/Client)](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations), and [Australian Signals Directorate (ASD)](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/windows-event-logging-and-forwarding). +`RuleCount` indicates the number of [Sigma rules](https://github.com/SigmaHQ/sigma) that can detect events within that category. + +### `audit-settings` command examples +Check with the default Yamato Security's recommended settings and save results to CSV: +``` +./WELA.ps1 audit-settings -Baseline YamatoSecurity +``` + +Check with the Australian Signals Directorate's recommended settings and save results to CSV: +``` +./WELA.ps1 audit-settings -Baseline ASD +``` + +Check with Microsoft's recommended Server OS settings and display results in a GUI: +``` +./WELA.ps1 audit-settings -Baseline Microsoft_Server -OutType gui +``` + +Check with Microsoft's recommended Client OS settings and display results in table format: +``` +./WELA.ps1 audit-settings -Baseline Microsoft_Client -OutType table +``` + +## audit-filesize +The `audit-filesize` command checks the Windows event logs' file size and compares them with the recommended settings from Yamato Security's recommendations. + +### `audit-filesize` command examples +Check the Windows event log file size with Yamato Security's recommendations and save results to CSV: +``` +./WELA.ps1 audit-filesize -Baseline YamatoSecurity +``` + +## configure +The `configure` command sets the recommended Windows event log audit policy and file size. + +#### `configure` command examples +Apply Yamato Security's recommended settings (with confirmation prompt before changing settings): +``` +./WELA.ps1 configure -Baseline YamatoSecurity +``` + +Apply Australian Signals Directorate's recommended settings without confirmation prompt: +``` +./WELA.ps1 configure -Baseline ASD -auto +``` + +## update-rules +#### `update-rules` command examples +Update WELA's Sigma rules config files: +``` +./WELA.ps1 update-rules +``` diff --git a/website/docs/getting-started/index.ja.md b/website/docs/getting-started/index.ja.md new file mode 100644 index 00000000..7d0e7e66 --- /dev/null +++ b/website/docs/getting-started/index.ja.md @@ -0,0 +1,14 @@ +# はじめに + +## 前提要件 +* PowerShell 5.1+ +* PowerShellをAdministrator権限で実行する + +## ダウンロード + +[リリースページ](https://github.com/Yamato-Security/wela/releases)から最新の安定版WELAをダウンロードしてください。 + +## WELAの実行 +1. [release zip file](https://github.com/Yamato-Security/wela/releases)を展開する。 +2. **Administrator権限**でPowerShellを開く。 +3. `./WELA.ps1 help`を実行する diff --git a/website/docs/getting-started/index.md b/website/docs/getting-started/index.md new file mode 100644 index 00000000..b08612fb --- /dev/null +++ b/website/docs/getting-started/index.md @@ -0,0 +1,14 @@ +# Getting Started + +## Prerequisites +* Windows PowerShell 5.1 or PowerShell Core +* Running PowerShell with Administrator privileges + +## Downloads + +Please download the latest stable version of WELA from the [Releases](https://github.com/Yamato-Security/wela/releases) page. + +## Running WELA +1. Unzip the [release zip file](https://github.com/Yamato-Security/wela/releases). +2. Open PowerShell with **Administrator privileges**. +3. `./WELA.ps1 help` to run WELA and see the help usage. diff --git a/website/docs/index.ja.md b/website/docs/index.ja.md new file mode 100644 index 00000000..017b8150 --- /dev/null +++ b/website/docs/index.ja.md @@ -0,0 +1,100 @@ +--- +hide: + - navigation + - toc +--- + +
+ +![WELA](assets/screenshots/WELA-Logo.png){ .hb-logo } + +

+WELA(Windows Event Log Analyzer、ゑ羅)は、 +Yamato Security によって作られた、 +Windows イベントログの設定を監査するためのツールです。Windows イベントログは +DFIR における重要な情報源です。WELA は、本当に必要なイベントが記録されているかを確認するのに役立ちます。 +

+ +
+[はじめる :material-rocket-launch:](getting-started/index.md){ .md-button .md-button--primary } +[コマンド一覧 :material-console:](commands/index.md){ .md-button } +[GitHub で見る :fontawesome-brands-github:](https://github.com/Yamato-Security/WELA){ .md-button } +
+ +

+ + + + + + + + +

+ +
+ +--- + +## WELA の特徴 + +
+ +- :material-clipboard-check:{ .lg .middle } __監査ポリシー設定の監査__ + + --- + + Windows イベントログの**監査ポリシー設定**を監査し、必要なイベントが記録されているか確認します。 + +- :material-book-check:{ .lg .middle } __ガイドラインに基づく確認__ + + --- + + 主要な Windows イベントログ監査設定の**ガイドライン**に基づいてチェックします。 + +- :material-shield-search:{ .lg .middle } __Sigma 検知可能性__ + + --- + + 実際の **Sigma ルールの検知可能性**に基づいて設定を評価します。ログで攻撃を検知できますか? + +- :material-file-cog:{ .lg .middle } __ファイルサイズの監査__ + + --- + + Windows イベントログの**ファイルサイズ**を監査し、推奨サイズを提案します。 + +- :material-cog-play:{ .lg .middle } __自動設定__ + + --- + + `configure` コマンドで、**推奨**の監査ポリシーとログファイルサイズを適用します。 + +- :material-chart-box:{ .lg .middle } __柔軟な出力__ + + --- + + 結果をターミナル・GUI・テーブル、または **MITRE ATT&CK Navigator** のヒートマップで表示できます。 + +
+ +## クイックリンク + +
+ +- __:material-book-open-variant: はじめての方へ__ + + まずは[概要](overview/index.md)を読み、[はじめる](getting-started/index.md)で + WELA のインストールと実行を行いましょう。 + +- __:material-console-line: CLI を使う__ + + [コマンド一覧](commands/index.md)と[コマンド使用例](commands/usage.md) + (`audit-settings`・`audit-filesize`・`configure`・`update-rules`)をご覧ください。 + +- __:material-puzzle: さらに活用する__ + + [関連プロジェクト](resources/companion-projects.md)、[変更履歴](resources/changelog.md)、 + [貢献方法](resources/contributing.md)を見てみましょう。 + +
diff --git a/website/docs/index.md b/website/docs/index.md new file mode 100644 index 00000000..bc832f59 --- /dev/null +++ b/website/docs/index.md @@ -0,0 +1,101 @@ +--- +hide: + - navigation + - toc +--- + +
+ +![WELA](assets/screenshots/WELA-Logo.png){ .hb-logo } + +

+WELA (Windows Event Log Analyzer, ゑ羅), created by +Yamato Security, is a tool for +auditing Windows event log settings. Windows event logs are a vital source of +information for DFIR — WELA helps you make sure you are actually recording the events that matter. +

+ +
+[Get Started :material-rocket-launch:](getting-started/index.md){ .md-button .md-button--primary } +[Command Reference :material-console:](commands/index.md){ .md-button } +[View on GitHub :fontawesome-brands-github:](https://github.com/Yamato-Security/WELA){ .md-button } +
+ +

+ + + + + + + + +

+ +
+ +--- + +## Why WELA? + +
+ +- :material-clipboard-check:{ .lg .middle } __Audit log policy settings__ + + --- + + Audit your Windows event log **audit policy settings** to confirm the right events are being logged. + +- :material-book-check:{ .lg .middle } __Based on guidelines__ + + --- + + Checks against the **major Windows event log audit configuration guidelines**. + +- :material-shield-search:{ .lg .middle } __Sigma detectability__ + + --- + + Evaluates your settings against **real-world Sigma rule detectability** — will your logs actually catch attacks? + +- :material-file-cog:{ .lg .middle } __File-size auditing__ + + --- + + Audits Windows event log **file sizes** and suggests recommended sizes. + +- :material-cog-play:{ .lg .middle } __Auto-configure__ + + --- + + Apply the **recommended** audit policy and log file sizes with the `configure` command. + +- :material-chart-box:{ .lg .middle } __Flexible output__ + + --- + + View results in the terminal, a GUI, a table, or as a **MITRE ATT&CK Navigator** heatmap. + +
+ +## Quick links + +
+ +- __:material-book-open-variant: New here?__ + + Start with the [Overview](overview/index.md), then head to + [Getting Started](getting-started/index.md) to install and run WELA. + +- __:material-console-line: Working with the CLI?__ + + Browse the [Command List](commands/index.md) and the [Command Usage](commands/usage.md) + reference (`audit-settings`, `audit-filesize`, `configure`, `update-rules`). + +- __:material-puzzle: Going further?__ + + Explore the [Companion Projects](resources/companion-projects.md), the + [Changelog](resources/changelog.md), and how to + [contribute](resources/contributing.md). + +
diff --git a/website/docs/overview/features.ja.md b/website/docs/overview/features.ja.md new file mode 100644 index 00000000..4937b47a --- /dev/null +++ b/website/docs/overview/features.ja.md @@ -0,0 +1,6 @@ +# 機能 +- Windows Event Log Audit policyに対する評価 +- 主要なWindowsイベントログ監査設定ガイドに基づくチェック +- Windows Event Logの監査設定を、実際のSigmaルールの検知範囲に基づいて評価 +- Windows Event Logのファイルサイズを監査し、推奨サイズを提案 +- 推奨されるWindowsイベントログ監査ポリシーとファイルサイズの設定 diff --git a/website/docs/overview/features.md b/website/docs/overview/features.md new file mode 100644 index 00000000..3b5b1526 --- /dev/null +++ b/website/docs/overview/features.md @@ -0,0 +1,6 @@ +# Features +- Auditing Windows event log audit policy settings. +- Checking **based on the major Windows event log audit configuration guidelines**. +- Checking Windows event log audit settings based on **real-world Sigma rule detectability**. +- Auditing of Windows event log file sizes and suggestions for the recommended size. +- Setting recommended Windows event log audit policy and file sizes. diff --git a/website/docs/overview/index.ja.md b/website/docs/overview/index.ja.md new file mode 100644 index 00000000..66eeb1de --- /dev/null +++ b/website/docs/overview/index.ja.md @@ -0,0 +1,6 @@ +# WELAについて +**WELA(Windows Event Log Analyzer、ゑ羅)** は、Windowsイベントログの設定とログサイズを監査するツールです。 +Windowsイベントログは、DFIR(デジタルフォレンジックおよびインシデント対応)に不可欠な情報源であり、システムの動作やセキュリティイベントを可視化します。 +**しかし、デフォルト設定では、不十分なログサイズ、監査設定によって、脅威の検知漏れを引き起こす**可能性があります。 +WELAはこうした課題を洗い出し、Windowsイベントログ設定改善のための実用的な提案を行います。 +また、**実際のSigmaルールの検知範囲に基づいてWindowsイベントログ設定を評価**し、現状の設定で何が検知できるかを把握できます。 diff --git a/website/docs/overview/index.md b/website/docs/overview/index.md new file mode 100644 index 00000000..4698a44f --- /dev/null +++ b/website/docs/overview/index.md @@ -0,0 +1,6 @@ +# About WELA +**WELA (Windows Event Log Analyzer, ゑ羅)** is a tool for auditing Windows event log settings. +Windows event logs are a vital source of information for Digital Forensics and Incident Response (DFIR), providing visibility into system activity and security events. +**Unfortunately, default configurations often lead to problems such as limited log retention, insufficient audit policies, and blind spots that reduce detection capability**. +WELA helps uncover these weaknesses and offers practical recommendations to improve audit settings and enhance security visibility. +WELA also assesses log configurations **based on real-world Sigma rule coverage**, allowing users to evaluate what can or cannot be detected under current the settings. diff --git a/website/docs/overview/screenshots.ja.md b/website/docs/overview/screenshots.ja.md new file mode 100644 index 00000000..704badfd --- /dev/null +++ b/website/docs/overview/screenshots.ja.md @@ -0,0 +1,21 @@ +# スクリーンショット + +## スタートアップ +![WELA Startup](../assets/screenshots/startup.png) + +## audit-settings (stdout) +![WELA Stdout](../assets/screenshots/stdout.png) +## audit-settings (gui) +![WELA GUI](../assets/screenshots/gui.png) + +## audit-settings (table) +![WELA Table](../assets/screenshots/table.png) + +## audit-settings (mitre-attack-navigator) +![WELA Mitre Attack Navigator](../assets/screenshots/mitre.png) + +## audit-filesize +![WELA FileSize](../assets/screenshots/filesize.png) + +## configure +![WELA Configure](../assets/screenshots/configure.png) diff --git a/website/docs/overview/screenshots.md b/website/docs/overview/screenshots.md new file mode 100644 index 00000000..ab392699 --- /dev/null +++ b/website/docs/overview/screenshots.md @@ -0,0 +1,21 @@ +# Screenshots + +## Startup Help Menu +![WELA Startup](../assets/screenshots/startup.png) + +## audit-settings (terminal output) +![WELA Stdout](../assets/screenshots/stdout.png) +## audit-settings (GUI) +![WELA GUI](../assets/screenshots/gui.png) + +## audit-settings (table) +![WELA Table](../assets/screenshots/table.png) + +## audit-settings (mitre-attack-navigator) +![WELA Mitre Attack Navigator](../assets/screenshots/mitre.png) + +## audit-filesize +![WELA FileSize](../assets/screenshots/filesize.png) + +## configure +![WELA Configure](../assets/screenshots/configure.png) diff --git a/website/docs/resources/changelog.ja.md b/website/docs/resources/changelog.ja.md new file mode 100644 index 00000000..1721e887 --- /dev/null +++ b/website/docs/resources/changelog.ja.md @@ -0,0 +1,31 @@ +# 変更履歴 + +!!! info "情報" + このページはプロジェクトの [`CHANGELOG.md`](https://github.com/Yamato-Security/WELA/blob/main/CHANGELOG-Japanese.md) を反映したものです。ダウンロードは [リリースページ](https://github.com/Yamato-Security/WELA/releases) をご覧ください。 + +## 2.1.0 [2026/02/13] - Winter Release + +**バグ修正:** + +- 設定によりドメインコントローラのNetlogonが破損する可能性があった。 (#243) (@fukusuket) (この件を報告してくれた@feiglein74に感謝!) + +## 2.0.0 [2025/11/16] - CODE BLUE リリース + +**新機能:** + +- MITRE ATT&CK Navigatorヒートマップに対応した。 (#11) (@fukusuket) +- Windows設定を様々なベースラインに構成するための`configure`コマンドを追加した。 (#12) (@fukusuket) +- Defender for Identityの必要なログに対応した。 (#114) (@fukusuket) + +**バグ修正:** + +- ルールカウントの一部が正確ではなかった。 (#99) (@fukusuket) +- タスクスケジューラのログ設定が正確に報告されていなかった。 (#100 (@fukusuket)) + +## 1.0.0 [2025/05/20] - AUSCERT/SINCON リリース + +**新機能:** + +- `audit-settings`: Windows Event Log audit policy settingsをチェックする +- `audit-filesize`: Windows Event Logファイルサイズをチェックする +- `update-rules`: WELAのSigmaルール設定ファイルを更新する diff --git a/website/docs/resources/changelog.md b/website/docs/resources/changelog.md new file mode 100644 index 00000000..62467981 --- /dev/null +++ b/website/docs/resources/changelog.md @@ -0,0 +1,31 @@ +# Changelog + +!!! info + This page mirrors the project [`CHANGELOG.md`](https://github.com/Yamato-Security/WELA/blob/main/CHANGELOG.md). See the [Releases page](https://github.com/Yamato-Security/WELA/releases) for downloads. + +## 2.1.0 [2026/02/13] - Winter Release + +**Bug Fixes:** + +- Configuration might break Netlogon on Domain Controllers. (#243) (@fukusuket) (Thanks to @feiglein74 for reporting this!) + +## 2.0.0 [2025/11/16] - CODE BLUE Release + +**New Features:** + +- Support for MITRE ATT&CK Navigator heatmaps. (#11) (@fukusuket) +- Added a `configure` command to configure Windows settings to various baselines. (#12) (@fukusuket) +- Support for Defender for Identity required logs. (#114) (@fukusuket) + +**Bug Fixes:** + +- Some of the rule count was not accurate. (#99) (@fukusuket) +- TaskScheduler log settings were not accurately reported. (#100) (@fukusuket)) + +## 1.0.0 [2025/05/20] - AUSCERT/SINCON Release + +**New Features:** + +- `audit-settings`: Check Windows Event Log audit policy settings. +- `audit-filesize`: Check Windows Event Log file size. +- `update-rules`: Update WELA's Sigma rules config files. diff --git a/website/docs/resources/companion-projects.ja.md b/website/docs/resources/companion-projects.ja.md new file mode 100644 index 00000000..172e38bd --- /dev/null +++ b/website/docs/resources/companion-projects.ja.md @@ -0,0 +1,5 @@ +# 関連プロジェクト + +* [EnableWindowsLogSettings](https://github.com/Yamato-Security/EnableWindowsLogSettings) Yamato SecurityのWindowsイベントログ設定ガイド +* [EventLog-Baseline-Guide](https://github.com/Yamato-Security/EventLog-Baseline-Guide) Sigmaルールと主要なガイドにおける検知ギャップを可視化するツール +* [WELA-RulesGenerator](https://github.com/Yamato-Security/WELA-RulesGenerator) WELAのSigmaルール関連設定ファイルを生成するためのツール diff --git a/website/docs/resources/companion-projects.md b/website/docs/resources/companion-projects.md new file mode 100644 index 00000000..60c78661 --- /dev/null +++ b/website/docs/resources/companion-projects.md @@ -0,0 +1,5 @@ +# Companion Projects + +* [EnableWindowsLogSettings](https://github.com/Yamato-Security/EnableWindowsLogSettings): Yamato Security's Windows Event Log Configuration Guide. +* [EventLog-Baseline-Guide](https://github.com/Yamato-Security/EventLog-Baseline-Guide): A tool to visualize detection gaps in Sigma rules and major guides. +* [WELA-RulesGenerator](https://github.com/Yamato-Security/WELA-RulesGenerator): A tool for generating WELA's Sigma rule-related config files. diff --git a/website/docs/resources/contributing.ja.md b/website/docs/resources/contributing.ja.md new file mode 100644 index 00000000..3121fedd --- /dev/null +++ b/website/docs/resources/contributing.ja.md @@ -0,0 +1,30 @@ +# 貢献とサポート + +## 貢献 + +わたしたちは、どんな形でも貢献を歓迎します。 +プルリクエスト、ルール作成、サンプルログの提供が最も歓迎されますが、バグの報告や機能リクエストなども大歓迎です。 + +少なくとも、**私たちのツールやリソースが気に入ったら、GitHubでスターをつけて応援してください!** + +## 不具合の報告 + +* 不具合の報告は、[こちら](https://github.com/Yamato-Security/wela/issues/new?assignees=&labels=bug&template=bug_report.md&title=%5Bbug%5D)からお願いします。 +* このプロジェクトは現在も積極的にメンテナンスされており、バグの報告や機能のリクエストは大歓迎です。 + +## ライセンス + +* WELAは、[MITライセンス](https://opensource.org/licenses/MIT)のもとでリリースされています。 + +## 貢献者 + +* Fukusuke Takahashi (コア開発者) +* Zach Mathis (プロジェクトリーダー, ツールデザイン, テスト, など...) (@yamatosecurity) + +## 謝辞 + +* [Australian Cyber Security Centre: Windows event logging and forwarding](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/windows-event-logging-and-forwarding) +* [Microsoft: Advanced security auditing FAQ](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing-faq) +* [SigmaHQ](https://github.com/SigmaHQ/sigma) + +## X diff --git a/website/docs/resources/contributing.md b/website/docs/resources/contributing.md new file mode 100644 index 00000000..6f47424f --- /dev/null +++ b/website/docs/resources/contributing.md @@ -0,0 +1,30 @@ +# Contributing & Support + +## Contributions + +We would love any form of contribution. +Pull requests are the best, but feature requests notifying us of bugs, etc... through issues are also very welcome. + +At the least, **if you like our tools and resources, then please give us a star on GitHub and show your support!** + +## Bug Submission + +* Please submit any bugs you find [here.](https://github.com/Yamato-Security/wela/issues/new?assignees=&labels=bug&template=bug_report.md&title=%5Bbug%5D) +* This project is currently actively maintained, and we are happy to fix any bugs reported. + +## License + +* WELA is released under the [MIT License](https://opensource.org/licenses/MIT). + +## Contributors + +* Fukusuke Takahashi (core developer) +* Zach Mathis (project leader, tool design, testing, etc...) (@yamatosecurity) + +## Acknowledgements + +* [Australian Cyber Security Centre: Windows event logging and forwarding](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/windows-event-logging-and-forwarding) +* [Microsoft: Advanced security auditing FAQ](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing-faq) +* [SigmaHQ](https://github.com/SigmaHQ/sigma) + +## Twitter diff --git a/website/docs/resources/other-resources.ja.md b/website/docs/resources/other-resources.ja.md new file mode 100644 index 00000000..53c960c2 --- /dev/null +++ b/website/docs/resources/other-resources.ja.md @@ -0,0 +1,9 @@ +# Windowsイベントログの監査設定に関するその他の参考資料 + +* [A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why](https://www.splunk.com/en_us/blog/security/windows-audit-policy-guide.html) +* [Audit Policy Recommendations](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations) +* [Configure audit policies for Windows event logs](https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection) +* [EnableWindowsLogSettings](https://github.com/Yamato-Security/EnableWindowsLogSettings) +* [Windows event logging and forwarding](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/windows-event-logging-and-forwarding) +* [mdecrevoisier/Windows-auditing-baseline](https://github.com/mdecrevoisier/Windows-auditing-baseline) +* [palantir/windows-event-forwarding](https://github.com/palantir/windows-event-forwarding/tree/master/group-policy-objects) diff --git a/website/docs/resources/other-resources.md b/website/docs/resources/other-resources.md new file mode 100644 index 00000000..c7f8ba9a --- /dev/null +++ b/website/docs/resources/other-resources.md @@ -0,0 +1,9 @@ +# Other Windows Event Log Audit Settings Related Resources + +* [A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why](https://www.splunk.com/en_us/blog/security/windows-audit-policy-guide.html) +* [Audit Policy Recommendations](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations) +* [Configure audit policies for Windows event logs](https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection) +* [EnableWindowsLogSettings](https://github.com/Yamato-Security/EnableWindowsLogSettings) +* [Windows event logging and forwarding](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/windows-event-logging-and-forwarding) +* [mdecrevoisier/Windows-auditing-baseline](https://github.com/mdecrevoisier/Windows-auditing-baseline) +* [palantir/windows-event-forwarding](https://github.com/palantir/windows-event-forwarding/tree/master/group-policy-objects) diff --git a/website/docs/stylesheets/extra.css b/website/docs/stylesheets/extra.css new file mode 100644 index 00000000..1a0f30f5 --- /dev/null +++ b/website/docs/stylesheets/extra.css @@ -0,0 +1,125 @@ +/* ========================================================================= + Hayabusa docs — custom theme (falcon blue + amber) + ========================================================================= */ + +/* ---- Custom primary / accent palette (theme.palette primary: custom) ---- */ +[data-md-color-primary="custom"] { + --md-primary-fg-color: #163b6b; + --md-primary-fg-color--light: #2a5694; + --md-primary-fg-color--dark: #0e2747; + --md-primary-bg-color: #ffffff; + --md-primary-bg-color--light: #ffffffb3; +} + +[data-md-color-accent="custom"] { + --md-accent-fg-color: #e8851a; + --md-accent-fg-color--transparent:#e8851a1a; + --md-accent-bg-color: #ffffff; + --md-accent-bg-color--light: #ffffffb3; +} + +/* Light scheme: tasteful blue links */ +[data-md-color-scheme="default"] { + --md-typeset-a-color: #1d5fb8; +} + +/* Dark scheme: lighten header + links for contrast */ +[data-md-color-scheme="slate"] { + --md-primary-fg-color: #12233b; + --md-typeset-a-color: #6ea8fe; + --md-accent-fg-color: #ffa53b; +} + +/* ---- Top tabs: a touch bolder so main topics read as primary nav ---- */ +.md-tabs__link { + font-weight: 600; + opacity: 0.92; +} +.md-tabs__link--active { + opacity: 1; +} + +/* Subtle header gradient */ +.md-header { + background: linear-gradient(90deg, var(--md-primary-fg-color--dark), var(--md-primary-fg-color)); +} +.md-tabs { + background: var(--md-primary-fg-color); +} + +/* Slightly wider content for the dense command reference tables */ +.md-grid { + max-width: 68rem; +} + +/* ========================================================================= + Landing-page hero + ========================================================================= */ +.hb-hero { + text-align: center; + padding: 2.4rem 0 1.2rem; +} +.hb-hero img.hb-logo { + width: min(420px, 80%); + margin: 0 auto 1rem; +} +.hb-hero .hb-tagline { + font-size: 1.15rem; + line-height: 1.6; + max-width: 46rem; + margin: 0 auto 1.4rem; + color: var(--md-default-fg-color--light); +} +.hb-badges { + margin: 0.4rem 0 1.4rem; +} +.hb-badges img { + margin: 2px; + vertical-align: middle; +} +.hb-cta { + display: flex; + gap: 0.6rem; + justify-content: center; + flex-wrap: wrap; + margin-bottom: 1rem; +} +.hb-cta .md-button { + margin: 0.2rem; +} + +/* ========================================================================= + Grid cards (feature highlights on the home page) + ========================================================================= */ +.md-typeset .grid.cards > ul > li { + border-radius: 0.5rem; + transition: border-color 160ms ease, box-shadow 160ms ease, transform 160ms ease; +} +.md-typeset .grid.cards > ul > li:hover { + border-color: var(--md-accent-fg-color); + box-shadow: 0 4px 16px rgba(0, 0, 0, 0.10); + transform: translateY(-2px); +} +.md-typeset .grid.cards .lg.middle { + color: var(--md-accent-fg-color); +} + +/* ========================================================================= + Misc readability tweaks + ========================================================================= */ +/* Screenshots get a light frame + zoom affordance */ +.md-typeset img:not(.hb-logo):not(.twemoji):not([src*="img.shields.io"]):not([src*="badge"]) { + border-radius: 6px; + box-shadow: 0 1px 6px rgba(0, 0, 0, 0.18); +} + +/* Wrap wide tables instead of overflowing oddly */ +.md-typeset table:not([class]) { + display: table; + width: 100%; +} + +/* Inline code a little calmer */ +.md-typeset code { + border-radius: 4px; +} diff --git a/website/mkdocs.yml b/website/mkdocs.yml new file mode 100644 index 00000000..1741e65d --- /dev/null +++ b/website/mkdocs.yml @@ -0,0 +1,198 @@ +# ============================================================================= +# WELA Documentation Site — Material for MkDocs +# ----------------------------------------------------------------------------- +# Hosted for free on GitHub Pages (see ../.github/workflows/docs.yml). +# Top tabs = main topics, left sidebar = subtopics. +# >>> If you fork/rename, update site_url, repo_url and repo_name below. <<< +# ============================================================================= + +site_name: WELA +site_description: >- + WELA (Windows Event Log Analyzer, ゑ羅) is a tool for auditing Windows event log settings. +site_author: Yamato Security +site_url: https://yamato-security.github.io/WELA/ + +repo_url: https://github.com/Yamato-Security/WELA +repo_name: Yamato-Security/WELA +edit_uri: edit/main/website/docs/ + +copyright: >- + Copyright © Yamato Security — Documentation built with Material for MkDocs + +docs_dir: docs + +theme: + name: material + language: en + logo: assets/screenshots/WELA-Logo.png + favicon: assets/screenshots/WELA-Logo.png + icon: + repo: fontawesome/brands/github + font: + text: Inter + code: JetBrains Mono + palette: + - media: "(prefers-color-scheme: light)" + scheme: default + primary: custom + accent: custom + toggle: + icon: material/weather-night + name: Switch to dark mode + - media: "(prefers-color-scheme: dark)" + scheme: slate + primary: custom + accent: custom + toggle: + icon: material/weather-sunny + name: Switch to light mode + features: + - navigation.tabs + - navigation.tabs.sticky + - navigation.sections + - navigation.top + - navigation.footer + - navigation.tracking + - toc.follow + - search.suggest + - search.highlight + - search.share + - content.code.copy + - content.code.annotate + - content.tooltips + +extra_css: + - stylesheets/extra.css + +markdown_extensions: + - abbr + - admonition + - attr_list + - def_list + - footnotes + - md_in_html + - tables + - toc: + permalink: true + toc_depth: 3 + slugify: !!python/object/apply:pymdownx.slugs.slugify + kwds: + case: lower + - pymdownx.details + - pymdownx.highlight: + anchor_linenums: true + line_spans: __span + pygments_lang_class: true + - pymdownx.inlinehilite + - pymdownx.snippets + - pymdownx.superfences + - pymdownx.tabbed: + alternate_style: true + - pymdownx.tasklist: + custom_checkbox: true + - pymdownx.keys + - pymdownx.emoji: + emoji_index: !!python/name:material.extensions.emoji.twemoji + emoji_generator: !!python/name:material.extensions.emoji.to_svg + +plugins: + - search + - glightbox: + touchNavigation: true + loop: false + effect: zoom + width: 100% + auto_caption: false + - i18n: + docs_structure: suffix + fallback_to_default: true + reconfigure_material: true + reconfigure_search: true + languages: + - locale: en + default: true + name: English + build: true + - locale: ja + name: 日本語 + build: true + site_name: WELA ドキュメント + nav_translations: + Home: ホーム + Overview: 概要 + About WELA: WELAについて + Features: 機能 + Screenshots: スクリーンショット + Getting Started: はじめに + Commands: コマンド + Command List: コマンド一覧 + Command Usage: コマンド使用例 + Resources: リソース + Companion Projects: 関連プロジェクト + Other Resources: その他の参考資料 + Changelog: 変更履歴 + Contributing & Support: 貢献とサポート + - locale: zh-TW + name: 繁體中文 + build: true + - locale: ko + name: 한국어 + build: true + - locale: de + name: Deutsch + build: true + - locale: tr + name: Türkçe + build: true + - locale: fr + name: Français + build: true + - locale: es + name: Español + build: true + - locale: pt-BR + name: Português (Brasil) + build: true + - locale: uk + name: Українська + build: true + - locale: hi + name: हिन्दी + build: true + - locale: id + name: Bahasa Indonesia + build: true + - locale: my + name: မြန်မာဘာသာ + build: true + - locale: th + name: ไทย + build: true + - locale: ar + name: العربية + build: true + +extra: + social: + - icon: fontawesome/brands/github + link: https://github.com/Yamato-Security/WELA + name: WELA on GitHub + - icon: fontawesome/brands/x-twitter + link: https://twitter.com/SecurityYamato + name: Yamato Security on X + +nav: + - Home: index.md + - Overview: + - About WELA: overview/index.md + - Features: overview/features.md + - Screenshots: overview/screenshots.md + - Getting Started: getting-started/index.md + - Commands: + - Command List: commands/index.md + - Command Usage: commands/usage.md + - Resources: + - Companion Projects: resources/companion-projects.md + - Other Resources: resources/other-resources.md + - Changelog: resources/changelog.md + - Contributing & Support: resources/contributing.md diff --git a/website/requirements.txt b/website/requirements.txt new file mode 100644 index 00000000..1f957055 --- /dev/null +++ b/website/requirements.txt @@ -0,0 +1,7 @@ +# Python dependencies for building the Hayabusa documentation site. +# Used by .github/workflows/docs.yml and for local previews: +# pip install -r website/requirements.txt +# mkdocs serve -f website/mkdocs.yml +mkdocs-material==9.7.6 +mkdocs-glightbox==0.5.2 +mkdocs-static-i18n==1.3.1 diff --git a/website/scripts/sync_changelog.py b/website/scripts/sync_changelog.py new file mode 100644 index 00000000..1e510381 --- /dev/null +++ b/website/scripts/sync_changelog.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +"""Regenerate the docs Changelog pages from the repo's CHANGELOG files. + +The Resources > Changelog pages mirror the root CHANGELOG.md / +CHANGELOG-Japanese.md. The docs deploy workflow runs this before `mkdocs build`; +the committed pages are a snapshot for local previews. + +Run from anywhere: python website/scripts/sync_changelog.py +""" +import os +import re + +ROOT = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) +DOCS = os.path.join(ROOT, "website", "docs", "resources") + +NOTE_EN = ( + "!!! info\n" + " This page mirrors the project " + "[`CHANGELOG.md`](https://github.com/Yamato-Security/WELA/blob/main/CHANGELOG.md). " + "See the [Releases page](https://github.com/Yamato-Security/WELA/releases) for downloads." +) +NOTE_JA = ( + '!!! info "情報"\n' + " このページはプロジェクトの " + "[`CHANGELOG.md`](https://github.com/Yamato-Security/WELA/blob/main/CHANGELOG-Japanese.md) " + "を反映したものです。ダウンロードは " + "[リリースページ](https://github.com/Yamato-Security/WELA/releases) をご覧ください。" +) + +_LIST = re.compile(r'^([-*+]|\d{1,9}[.)])\s+\S') +_FENCE = re.compile(r'^\s*(```|~~~)') +_HEADING = re.compile(r'^#{1,6}\s') + + +def fix_tight_lists(text): + out, in_fence = [], False + for ln in text.split("\n"): + if _FENCE.match(ln): + in_fence = not in_fence + if not in_fence and _LIST.match(ln) and out: + p = out[-1] + if (p.strip() and not _LIST.match(p) and not _HEADING.match(p) + and not p.lstrip().startswith(">") and not p.lstrip().startswith("|") + and not re.match(r'^\s', p)): + out.append("") + out.append(ln) + return "\n".join(out) + + +def build(src, title, note, dest): + lines = open(src, encoding="utf-8").read().split("\n") + body = lines[1:] + while body and body[0].strip() == "": + body.pop(0) + content = f"# {title}\n\n{note}\n\n" + "\n".join(body) + content = fix_tight_lists(content).rstrip() + "\n" + with open(dest, "w", encoding="utf-8") as f: + f.write(content) + print("wrote", os.path.relpath(dest, ROOT)) + + +def main(): + build(os.path.join(ROOT, "CHANGELOG.md"), "Changelog", NOTE_EN, + os.path.join(DOCS, "changelog.md")) + build(os.path.join(ROOT, "CHANGELOG-Japanese.md"), "変更履歴", NOTE_JA, + os.path.join(DOCS, "changelog.ja.md")) + + +if __name__ == "__main__": + main()