WELA (Windows Event Log Auditor) ゑ羅


About WELA

WELA (Windows Event Log Analyzer, ゑ羅) is a tool for auditing Windows Event Log settings and log file sizes. Windows Event Logs are a vital source of information for Digital Forensics and Incident Response (DFIR), providing visibility into system activity and security events. However, default configurations often lead to problems such as limited log retention, insufficient audit policies, and blind spots that reduce detection capability. WELA helps uncover these weaknesses and offers practical recommendations to improve audit settings and enhance security visibility. It also assesses log configurations based on real-world Sigma rule coverage, allowing users to evaluate what can, or cannot, be detected under current settings.

Companion Projects

Screenshots

Startup

WELA Startup

audit-settings (stdout)

WELA Stdout

audit-settings (gui)

WELA GUI

audit-settings (table)

WELA Table

audit-filesize

WELA FileSize

Features

  • Audit Windows Event Log audit policy settings.
  • Check settings against the major Windows Event Log audit configuration guides.
  • Check Windows Event Log audit settings against real-world Sigma rule detectability.
  • Audit Windows Event Log file sizes and suggest recommended sizes.

Prerequisites

  • PowerShell 5.1+
  • Run PowerShell with Administrator privileges

Downloads

Please download the latest stable version of WELA from the Releases page.

Running WELA

  1. Unzip the release zip file.
  2. Open PowerShell with Administrator privileges.
  3. Run ./WELA.ps1 help to list the available commands and options.

Command List

  • audit-settings: Check Windows Event Log audit policy settings.
  • audit-filesize: Check Windows Event Log file size.
  • update-rules: Update WELA's Sigma rules config files.

Command Usage

audit-settings

The audit-settings command checks the Windows Event Log audit policy settings and compares them with the recommended settings from Yamato Security, Microsoft (Server/Client), and the Australian Signals Directorate (ASD). RuleCount indicates the number of Sigma rules that can detect events within that category, so a category that is not audited but has a high RuleCount is a large detection blind spot.

audit-settings command examples

Check against the Yamato Security recommended settings (the default) and save the results to CSV:

./WELA.ps1 audit-settings

Check against the Australian Signals Directorate recommended settings and save the results to CSV:

./WELA.ps1 audit-settings -BaseLine ASD

Check against the Microsoft recommended settings (Server) and display the results in the GUI:

./WELA.ps1 audit-settings -BaseLine Microsoft_Server -OutType gui

Check against the Microsoft recommended settings (Client) and display the results in table format:

./WELA.ps1 audit-settings -BaseLine Microsoft_Client -OutType table
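The comparison that audit-settings performs can be reproduced by hand for a handful of subcategories, which is useful for understanding what WELA reports or for spot-checking a host where WELA cannot be copied. The following is an added example and not WELA's own code: it reads the live advanced audit policy with auditpol, compares it with a small baseline, and prints the auditpol command that would close each gap. The baseline entries, the output CSV name and the helper function Test-AuditCoverage are constructed for illustration and are not WELA's baselines; it assumes an elevated session and an English-locale Windows, because auditpol localizes subcategory names and setting values.

```powershell
# Added example, not WELA's own code. Compares the live advanced audit policy
# with an illustrative baseline; run ./WELA.ps1 audit-settings for the real
# Yamato Security, Microsoft and ASD baselines. Requires an elevated session.

# Subcategory -> minimum setting wanted by this illustrative baseline (constructed)
$Baseline = [ordered]@{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Process Creation'          = 'Success'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
}

# auditpol /r prints one CSV row per subcategory with the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$Current = auditpol /get /category:* /r |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv

# The actual setting covers the baseline when every event type the baseline
# wants (Success, Failure or both) is present. "No Auditing" covers nothing.
function Test-AuditCoverage {
    param([string]$Actual, [string]$Expected)
    foreach ($kind in @('Success', 'Failure')) {
        if ($Expected -match $kind -and $Actual -notmatch $kind) { return $false }
    }
    return $true
}

$Report = foreach ($sub in $Baseline.Keys) {
    $expected = $Baseline[$sub]
    $row      = $Current | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
    $actual   = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    $ok       = ($null -ne $row) -and (Test-AuditCoverage -Actual $actual -Expected $expected)

    # Remediation is shown, not applied. If Group Policy sets audit policy,
    # it overwrites local auditpol changes at the next refresh, so fix it there.
    $fix = ''
    if (-not $ok) {
        $s   = if ($expected -match 'Success') { 'enable' } else { 'disable' }
        $f   = if ($expected -match 'Failure') { 'enable' } else { 'disable' }
        $fix = "auditpol /set /subcategory:`"$sub`" /success:$s /failure:$f"
    }

    [PSCustomObject]@{
        Subcategory = $sub
        Expected    = $expected
        Actual      = $actual
        Status      = if ($ok) { 'OK' } else { 'Gap' }
        Fix         = $fix
    }
}

$Report | Format-Table -AutoSize -Wrap
$Report | Export-Csv -Path .\audit-policy-gaps.csv -NoTypeInformation
```

Note that the check only looks at whether a subcategory is enabled: Process Creation events (4688), for example, are far more useful for Sigma detection when the separate "Include command line in process creation events" policy is also turned on, which auditpol does not report.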

audit-filesize

The audit-filesize command checks the maximum size configured for each Windows Event Log file and compares it with the recommended sizes from Yamato Security.

audit-filesize command examples

Check Windows Event Log file sizes against the Yamato Security recommended settings and save the results to CSV:

./WELA.ps1 audit-filesize
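The size check can also be reproduced with Get-WinEvent for a short list of DFIR-relevant logs, which shows what a too-small log costs in practice (a circular log silently overwrites the oldest events once it is full). The following is an added example, not WELA's own code; the recommended sizes, the log list and the helper function Set-LogMaximumSize are constructed for illustration and are not WELA's baseline. It assumes an elevated PowerShell session.

```powershell
# Added example, not WELA's own code. Sizes below are illustrative; run
# ./WELA.ps1 audit-filesize for Yamato Security's actual recommendations.
# Requires an elevated session to change log settings.

$Recommended = [ordered]@{
    'Security'                                 = 1GB
    'System'                                   = 128MB
    'Application'                              = 128MB
    'Microsoft-Windows-PowerShell/Operational' = 256MB
    'Microsoft-Windows-Sysmon/Operational'     = 256MB
}

$Report = foreach ($name in $Recommended.Keys) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        # The Sysmon channel, for example, only exists once Sysmon is installed.
        [PSCustomObject]@{
            LogName = $name; Status = 'Not present'; Enabled = $null
            CurrentMB = $null; RecommendedMB = $Recommended[$name] / 1MB
            LogMode = $null; Records = $null
        }
        continue
    }
    $status = if (-not $log.IsEnabled) { 'Disabled' }
              elseif ($log.MaximumSizeInBytes -lt $Recommended[$name]) { 'Increase' }
              else { 'OK' }
    [PSCustomObject]@{
        LogName       = $name
        Status        = $status
        Enabled       = $log.IsEnabled
        CurrentMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
        RecommendedMB = $Recommended[$name] / 1MB
        LogMode       = $log.LogMode      # Circular: oldest events are overwritten when full
        Records       = $log.RecordCount  # how much history the current size actually holds
    }
}

$Report | Format-Table -AutoSize

# Raise a log's maximum size. Equivalent to: wevtutil sl <LogName> /ms:<bytes>
function Set-LogMaximumSize {
    param([string]$LogName, [long]$Bytes)
    $cfg = Get-WinEvent -ListLog $LogName
    $cfg.MaximumSizeInBytes = $Bytes
    $cfg.SaveChanges()
}

# Apply the illustrative recommendation to every log flagged as too small.
foreach ($entry in $Report | Where-Object Status -eq 'Increase') {
    Set-LogMaximumSize -LogName $entry.LogName -Bytes $Recommended[$entry.LogName]
}
```

If "Specify the maximum log file size" is configured through Group Policy for a log, the value set here is overwritten at the next policy refresh, so a domain-wide fix belongs in the GPO; the local change is still useful for a one-off host or for verifying the effect before rolling it out.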

update-rules

update-rules command examples

Update WELA's Sigma rules config files:

./WELA.ps1 update-rules

Other Windows Event Log Audit Settings Related Resources

Contribution

We would love any form of contribution. Pull requests, rule creation, and sample logs are the best, but feature requests, bug reports, etc. are also very welcome.

At the least, if you like our tools and resources, then please give us a star on GitHub and show your support!

Bug Submission

  • Please submit any bugs you find here.
  • This project is currently actively maintained, and we are happy to fix any bugs reported.

License

WELA is released under the MIT license.

Contributors

  • Fukusuke Takahashi (core developer)
  • Zach Mathis (project leader, tool design, testing, etc...) (@yamatosecurity)

Acknowledgements

Twitter

You can receive the latest news about WELA, rule updates, other Yamato Security tools, etc... by following us on Twitter at @SecurityYamato.
