EasyToReadSecurityTimeline

Yamato-Security · Oct 20, 2021 · 8cfaf46 · 8cfaf46
1 parent 8655c7f
commit 8cfaf46
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 11 deletions.
diff --git a/Analyzers/Security-LogonTimeline.ps1 b/Analyzers/Security-LogonTimeline.ps1
@@ -190,7 +190,7 @@ function Get-KerberosStatusStr {
     return $msgStatusReadable
 }
 
-function Create-LogonTimeline {
+function Create-SecurityLogonTimeline {
     param([string] $UTCOffset, [string] $filePath)
     # Notes: 
     #   Logoff events without corresponding logon events first won't be printed
@@ -739,7 +739,7 @@ function Create-LogonTimeline {
 
 }
 
-function Create-Timeline {
+function Create-EasyToReadSecurityLogonTimeline {
 
     $filter = "@{ Path=""$LogFile""; ID=$EventIDsToAnalyze }"
     $filter2 = "@{Path = ""$LogFile"" }"

diff --git a/Config/Language/en.ps1 b/Config/Language/en.ps1
@@ -506,10 +506,13 @@ function Show-Help {
     Write-Host "Analysis Source (Specify one):"
 
     Write-Host "   -LiveAnalysis" -NoNewline -ForegroundColor Green
-    Write-Host " : Creates a timeline based on the live host's log"
+    Write-Host " : Analyze logs from the live host"
 
     Write-Host "   -LogFile <path-to-logfile>" -NoNewline -ForegroundColor Green
-    Write-Host " : Creates a timelime from an offline .evtx file"
+    Write-Host " : Analyze an offline .evtx file"
+
+    Write-Host "   -LogDirectory <path-to-logfiles> (Warning: not fully implemented.)" -NoNewline -ForegroundColor Green
+    Write-Host " : Analyze offline .evtx files"
 
     Write-Host
     Write-Host "Analysis Type (Specify one):"
@@ -522,7 +525,10 @@ function Show-Help {
 
     Write-Host "   -SecurityEventID_Statistics" -NoNewline -ForegroundColor Green
     Write-Host " : Output Security log event ID statistics" 
-
+
+    Write-Host "   -EasyToReadSecurityLogonTimeline" -NoNewline -ForegroundColor Green
+    Write-Host " : Output a very easy-to-read timeline of user logons based on the Security log"
+
     Write-Host "   -SecurityLogonTimeline" -NoNewline -ForegroundColor Green
     Write-Host " : Output a condensed timeline of user logons based on the Security log"
 
@@ -536,7 +542,7 @@ function Show-Help {
     Write-Host " : Specify the end of the timeline"
 
     Write-Host 
-    Write-Host "-LogonTimeline Analysis Options:"
+    Write-Host "-SecurityLogonTimeline Analysis Options:"
 
     Write-Host "   -IsDC" -NoNewline -ForegroundColor Green
     Write-Host " : Specify if the logs are from a DC"

diff --git a/Config/Language/ja.ps1 b/Config/Language/ja.ps1
@@ -511,10 +511,13 @@ function Show-Help {
 
     Write-Host "解析ソースを一つ指定して下さい：" 
     Write-Host "   -LiveAnalysis" -NoNewline -ForegroundColor Green
-    Write-Host " : ホストOSのログでタイムラインを作成する"
+    Write-Host " : ホストOSのログを解析する"
 
     Write-Host "   -LogFile <ログファイルのパス>" -NoNewline -ForegroundColor Green
-    Write-Host " : オフラインの.evtxファイルでタイムラインを作成する"
+    Write-Host " : オフラインの.evtxファイルを解析する"
+
+    Write-Host "   -LogDirectory <ログファイルのディレクトリのパス> (未完成)" -NoNewline -ForegroundColor Green
+    Write-Host " : 複数のオフラインの.evtxファイルを解析する"
 
     Write-Host
     Write-Host "解析タイプを一つ指定して下さい:"
@@ -528,6 +531,9 @@ function Show-Help {
     Write-Host "   -SecurityEventID_Statistics" -NoNewline -ForegroundColor Green
     Write-Host " : セキュリティログのイベントIDの集計情報を出力する" 
 
+    Write-Host "   -EasyToReadSecurityLogonTimeline" -NoNewline -ForegroundColor Green
+    Write-Host " : セキュリティログからユーザログオンの読みやすいタイムラインを出力する"
+
     Write-Host "   -SecurityLogonTimeline" -NoNewline -ForegroundColor Green
     Write-Host " : セキュリティログからユーザログオンの簡単なタイムラインを出力する"
 
@@ -541,7 +547,7 @@ function Show-Help {
     Write-Host " : タイムラインの終わりを指定する"
 
     Write-Host 
-    Write-Host "-LogonTimelineの解析オプション:"
+    Write-Host "-SecurityLogonTimelineの解析オプション:"
 
     Write-Host "   -IsDC" -NoNewline -ForegroundColor Green
     Write-Host " : ドメインコントローラーのログの場合は指定して下さい"

diff --git a/WELA.ps1 b/WELA.ps1
@@ -96,6 +96,7 @@ param (
     [switch]$ShowContributors,
     [switch]$SecurityEventID_Statistics,
     [switch]$SecurityLogonTimeline,
+    [switch]$EasyToReadSecurityLogonTimeline,
     [switch]$AccountInformation,
     [switch]$OutputGUI,
     [switch]$OutputCSV,
@@ -284,7 +285,7 @@ elseif ( $LogDirectory -ne "" ) {
     Get-ChildItem -Filter *.evtx -Path $LogDirectory | ForEach-Object { [void]$evtxFiles.Add($_.FullName) }
 }
 
-# Run analysis on -Logfile or -LogDirectory
+# Run analysis
 foreach ( $LogFile in $evtxFiles ) {
 
     if ( $SecurityEventID_Statistics -eq $true ) {
@@ -296,7 +297,13 @@ foreach ( $LogFile in $evtxFiles ) {
 
     if ( $SecurityLogonTimeline -eq $true ) {
         .  ($AnalyzersPath + "Security-LogonTimeline.ps1")
-        Create-LogonTimeline $UTCOffset -filePath $LogFile
+        Create-SecurityLogonTimeline $UTCOffset -filePath $LogFile
+
+    }
+
+    if ( $EasyToReadSecurityLogonTimeline -eq $true ) {
+        .  ($AnalyzersPath + "Security-LogonTimeline.ps1")
+        Create-EasyToReadSecurityLogonTimeline $UTCOffset -filePath $LogFile
 
     }