Check what rules can be used with the current settings #7

Open
YamatoSecurity opened this issue Mar 8, 2025 · 7 comments
Labels: enhancement (New feature or request), high priority

Comments

@YamatoSecurity (Contributor) opened this issue Mar 8, 2025

After the necessary config files are created, we can check what rules are usable and not usable.

Ex:

Checking event log audit settings. Please wait.

Detection rules that can be used on this system versus total possible rules:
Critical rules: 20 / 200 (xx%)
High rules: 10 / 1000 (xx%)
etc.

Detection rules that cannot be used on this system:
Critical rules: 180 / 200 (xx%)
High rules: 160 / 1000 (xx%)
etc.

Usable detection rules list saved to: UsableRules.csv
Unusable detection rules list saved to: UnusableRules.csv

You can only utilize 10% of your Security detection rules.

For now, we can save the detailed rule list to CSV but later want to create two HTML reports that are easy to read.

YamatoSecurity added the enhancement (New feature or request) label on Mar 8, 2025
YamatoSecurity added this to the v1.0.0 milestone on Mar 8, 2025
@fukusuket (Collaborator)

memo:

Output auditpol results in English:

Open cmd.exe and run

chcp 437
auditpol /get /category:* /r
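
As an added example (not WELA's own code), the following PowerShell parses the `auditpol /get /category:* /r` CSV output from the memo above and produces the per-level usable/unusable counts, CSV files and utilization line sketched in the issue description. The audit-policy output, the rule list and the mapping from each rule to the audit subcategory it needs are constructed for illustration.

```powershell
# Added example, not WELA's own code: derive the usable/unusable rule counts
# from `auditpol /get /category:* /r` CSV output. The auditpol output below is
# constructed; on a real host (after `chcp 437` for English names) use instead:
#   $csv = (auditpol /get /category:* /r | Where-Object { $_ }) -join "`n"
$AuditpolCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
HOST01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},No Auditing,
HOST01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,
HOST01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},No Auditing,
'@

# Constructed rule list. Each rule names the audit subcategory whose events it
# needs; mapping real Sigma rules (by EventID) to a subcategory is assumed here.
$Rules = @(
    [pscustomobject]@{ Title = 'Logon From Unusual Source';  Level = 'critical'; Subcategory = 'Logon' }
    [pscustomobject]@{ Title = 'Suspicious Process Tree';    Level = 'high';     Subcategory = 'Process Creation' }
    [pscustomobject]@{ Title = 'User Added To Admin Group';  Level = 'high';     Subcategory = 'Security Group Management' }
    [pscustomobject]@{ Title = 'Logoff Without Logon';       Level = 'low';      Subcategory = 'Logoff' }
)

function Get-RuleCoverage {
    param([string]$AuditpolCsv, [object[]]$Rules)
    # A subcategory counts as enabled if Success, Failure, or both are audited
    $enabled = @($AuditpolCsv | ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
        ForEach-Object { $_.Subcategory })
    $usable   = @($Rules | Where-Object { $enabled -contains $_.Subcategory })
    $unusable = @($Rules | Where-Object { $enabled -notcontains $_.Subcategory })
    $perLevel = foreach ($grp in ($Rules | Group-Object Level | Sort-Object Name)) {
        $n = @($grp.Group | Where-Object { $enabled -contains $_.Subcategory }).Count
        [pscustomobject]@{ Level = $grp.Name; Usable = $n; Unusable = $grp.Count - $n
                           Total = $grp.Count; Percent = [math]::Round(100 * $n / $grp.Count, 2) }
    }
    [pscustomobject]@{
        PerLevel = $perLevel; Usable = $usable; Unusable = $unusable
        Utilization = [math]::Round(100 * $usable.Count / $Rules.Count, 2)
    }
}

$report = Get-RuleCoverage -AuditpolCsv $AuditpolCsv -Rules $Rules
'Detection rules that can be used on this system versus total possible rules:'
$report.PerLevel | ForEach-Object { '{0} rules: {1} / {2} ({3}%)' -f $_.Level, $_.Usable, $_.Total, $_.Percent }
"You can only utilize $($report.Utilization)% of your Security detection rules."
$report.Usable   | Export-Csv -Path UsableRules.csv   -NoTypeInformation
$report.Unusable | Export-Csv -Path UnusableRules.csv -NoTypeInformation
```

With the constructed policy, Logon and Process Creation are audited while Logoff and Security Group Management are not, so two of the four rules are usable and the utilization line reports 50%.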

@fukusuket (Collaborator) commented Mar 12, 2025

@YamatoSecurity
I created and tested this feature prototype! Could you check it when you have time?🙏

Checking event log audit settings. Please wait.

Detection rules that can be used on this system versus total possible rules:
critical rules: 3 / 11 (27.27%)
high rules: 29 / 88 (32.95%)
informational rules: 27 / 43 (62.79%)
low rules: 20 / 32 (62.50%)
medium rules: 43 / 83 (51.81%)

Detection rules that cannot be used on this system:
critical rules: 8/ 11 (72.73%)
high rules: 59 / 88 (67.05%)
informational rules: 16 / 43 (37.21%)
low rules: 12 / 32 (37.50%)
medium rules: 40 / 83 (48.19%)

Usable detection rules list saved to: UsableRules.csv
Unusable detection rules list saved to: UnusableRules.csv

You can only utilize 47.47% of your Security detection rules.

@fukusuket (Collaborator) commented Mar 12, 2025

In the prototype, we're starting with Security.evtx. It seems like we might be able to include other logs for checking as well? 🤔 What do you think? (This would mean including all logs except Sysmon.)

@fukusuket (Collaborator) commented Mar 12, 2025

Strictly speaking, some logs, such as PowerShell 4103/4104, are not output unless enabled, but counting rules for logs other than Security.evtx as enabled, the results were as follows (to the extent that Sysmon is excluded):

Checking event log audit settings. Please wait.

Detection rules that can be used on this system versus total possible rules:
critical rules: 22 / 30 (73.33%)
high rules: 140 / 199 (70.35%)
informational rules: 41 / 57 (71.93%)
low rules: 47 / 59 (79.6%)
medium rules: 116 / 156 (4.36%)

Detection rules that cannot be used on this system:
critical rules: 8 / 30 (26.67%)
high rules: 59 / 199 (29.65%)
informational rules: 16 / 57 (28.07%)
low rules: 12 / 59 (20.34%)
medium rules: 40 / 156 (25.64%)

Usable detection rules list saved to: UsableRules.csv
Unusable detection rules list saved to: UnusableRules.csv

You can only utilize 73.05% of your detection rules.

73.05% could be misleading in the opposite direction, that the log setting is sufficient... 😅

@YamatoSecurity (Contributor, Author)

> In the prototype, we're starting with Security.evtx. It seems like we might be able to include other logs for checking as well? 🤔 What do you think? (This would mean including all logs except Sysmon.)

Yes! Don't worry, I will create issues to check all logs except Sysmon. 😄
For now, we should focus on Security though as that is the biggest and most complex.

@YamatoSecurity (Contributor, Author)

@fukusuket Can you put WELA.ps1 in the root folder instead of inside config?

Right now, since we only look at Security the utilization percent will be high but as we add (especially Sysmon at the end) more, it will decrease over time.

@fukusuket (Collaborator)

@YamatoSecurity
I moved WELA.ps1! I see! I'm looking forward to the next issue being opened! :)
