commands.ps1

function Add-EventListConfiguration {

<#
    .SYNOPSIS
    Writes an EventList configuration to the database.
 
    .DESCRIPTION
    Writes an EventList configuration to the database. Important: Specify the sigma\tools folder!
 
    Configurable options:
      - Path where Sigma is located to automatically parse the desired queries.
      - Default Output Path: Avoid clicking 1000 times to specify a default output location.
 
    .PARAMETER sigmaPath
    Path where Sigma is located to automatically parse the desired queries.
 
    .PARAMETER defaultOutputPath
    Default Output Path: Avoid clicking 1000 times to specify a default output location.
 
    .EXAMPLE
    Add-EventListConfiguration -sigmaPath "C:\tmp\sigma\tools"
 
    Writes the configuration for the Sigma Path to the database.
 
#>

    [CmdletBinding()]
    param(
        [string]$sigmaPath
    )

    if ($sigmaPath) {
        $query = "Update EventList_configuration set sigma_path='" + $sigmaPath + "' where id=1;"
    }

    if ($query) {
        Invoke-SqliteQuery -Query $query -DataSource $database
    }
}

function Add-MitreCheckboxes {

<#
    .SYNOPSIS
    Populates all the MITRE ATT&CK checkboxes.
 
    .DESCRIPTION
    Populates all the MITRE ATT&CK checkboxes in the EventList GUI. Used for initial creation of the checkboxes and the CheckedListBoxes
 
    .EXAMPLE
    Add-MitreCheckboxes
 
    Populates all the MITRE ATT&CK checkboxes.
 
#>

    
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]
    param ()

    $query = "select id, area_name from mitre_areas;"

    $Script:areas = Invoke-SqliteQuery -Query $Query -DataSource $Database

    $Script:CheckBox = [ordered]@{}
    $Script:CheckBoxArea = [ordered]@{}


    $i=1
    $j = 0

    $width = 350
    $height = 200
    $x = 10
    $y = 20 + 60

    foreach ($area in $areas) {

        $x = $x +2
        $CheckBoxArea[$area.area_name]                       = New-Object system.Windows.Forms.CheckBox
        $CheckBoxArea[$area.area_name].text                  = $area.area_name
        $CheckBoxArea[$area.area_name].AutoSize              = $false
        $CheckBoxArea[$area.area_name].width                 = 300
        $CheckBoxArea[$area.area_name].height                = 20
        $CheckBoxArea[$area.area_name].location              = New-Object System.Drawing.Point($x,$y)
        $CheckBoxArea[$area.area_name].Font                  = 'Microsoft Sans Serif,12'
        $CheckBoxArea[$area.area_name].Tag                   = @{AreaName = $area.area_name}
        $CheckBoxArea[$area.area_name].Add_Click({
            param($Sender) & Select-AllCheckboxesFromOneArea -AreaName $($Sender.Tag.AreaName)
         })
        $x = $x -2
        $y = $y + 25

        $Form.controls.AddRange(@($CheckBoxArea[$area.area_name]))

        $tmp = New-Object system.Windows.Forms.CheckedListBox

        $tmp.AutoSize = $false
        $tmp.width = $width
        $tmp.height = $height
        $tmp.CheckOnClick = $true
        $tmp.location = New-Object System.Drawing.Point($x,$y)
        $tmp.Font = 'Microsoft Sans Serif,10'

        $query = "select distinct ma.area_name, mt.technique_id, mt.technique_name from mitre_events me, events_main em, mitre_techniques mt, mitre_areas ma where me.technique_id = mt.id and me.event_id = em.id and me.area_id = ma.id and ma.id = '" + $area.id + "' order by technique_name;"

        $techniques = Invoke-SqliteQuery -Query $query -DataSource $Database

        foreach ($technique in $techniques) {
            $tmp.Items.Add($technique.technique_id + " " + $technique.technique_name,$false) | Out-Null
        }

        $y = $y - 25

        $i++

        if ($x -gt 750){
            $x = 10
            $y = $y + 225
            $i = 1
        }

        $CheckBox.add( $area.area_name, $tmp )

        if ($i -ne 1) {
            $x = $x + 380
        }

        $j = $j + 1

    }

        foreach ($key in $CheckBox.keys) {
            $Form.controls.AddRange($CheckBox[$key])
        }

}

function Close-Form {

<#
    .SYNOPSIS
    Closes the Form.
 
    .DESCRIPTION
    Closes the Form, that was passed by the -Form Parameter. Nothing to see here, move on! ;-)
 
    .PARAMETER Form
    A Windows form that should be closed: [system.Windows.Forms.Form]
 
    .EXAMPLE
    Close-Form -Form $Form
 
    Closes the Form.
 
#>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [object]$Form
    )
    $Form.close()
}

function ConvertFrom-PSSQLString {

<#
    .SYNOPSIS
    Converts a text string from a database into output text.
 
    .DESCRIPTION
    Converts a text string from a database into output text, which was earlier parsed by the ConvertTo-PSSQLString function.
 
    .PARAMETER Text
    The String to parse for Output.
 
    .EXAMPLE
    ConvertFrom-PSSQLString -Text $queryString
 
    Converts a text string from a database into output text.
 
#>


    [CmdletBinding()]
    [OutputType([String])]
    param (
        [string]$Text
    )
    $Text = $Text.Replace("&quot;", '"')
    $Text = $Text.Replace("&apos;", "'")
    $Text = $Text.Replace("&x00;", "\x00")
    $Text = $Text.Replace("&n;", "\n")
    $Text = $Text.Replace("&r;", "\r")
    $Text = $Text.Replace("&bsol;", "\")
    $Text = $Text.Replace("&x1a;", "\x1a")
    $Text = $Text.Replace("&#59;", ";")

    return $Text
 }

function ConvertTo-PSSQLString {

<#
    .SYNOPSIS
    Converts a string into a format that can be inserted into a PSSQL database.
 
    .DESCRIPTION
    Converts a string into a format that can be inserted into a PSSQL database without the risk of common SQL injections.
 
    .PARAMETER Text
    The String to parse for the database.
 
    .EXAMPLE
    ConvertTo-PSSQLString -Text $queryString
 
    Converts a string into a format that can be inserted into a PSSQL database.
#>


    [CmdletBinding()]
    [OutputType([String])]
    param (
        [string]
        $Text
    )
    $Text = $Text.Replace('"', "&quot;")
    $Text = $Text.Replace("'", "&apos;")
    $Text = $Text.Replace("\x00", "&x00;")
    $Text = $Text.Replace("\n", "&n;")
    $Text = $Text.Replace("\r", "&r;")
    $Text = $Text.Replace("\", "&bsol;")
    $Text = $Text.Replace("\x1a", "&x1a;")
    $Text = $Text.Replace(";", "&#59;")

    return $Text
 }


function Get-AgentConfigSelect {

<#
    .SYNOPSIS
    Displays the form to select and display the Agent config of your choice.
 
    .DESCRIPTION
    Displays the form to select and display the Agent config of your choice. All Agent Forwarders are pulled out of the database and are being supported by Sigma.
 
    .EXAMPLE
    Get-AgentConfigSelect
 
    Displays the form to select and display the Agent config of your choice.
 
#>

    [CmdletBinding()]
    param ()

    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")

    $Form = New-Object System.Windows.Forms.Form
    $Form.width = 700
    $Form.height = 550
    $Form.Text = "Import Baseline"

    $Font = New-Object System.Drawing.Font("Microsoft Sans Serif",10)
    $Form.Font = $Font

    $MyGroupBox = New-Object System.Windows.Forms.GroupBox
    $MyGroupBox.Location = '40,40'
    $MyGroupBox.size = '600,350'
    $MyGroupBox.text = "For which forwarder agent would you like to generate a configuration snippet?"


    $ComboBox2                       = New-Object system.Windows.Forms.ComboBox
    $query = "select name from agent_forwarder_syntax order by name;"
    $agentFwdNames = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty name

    if ([string]::IsNullOrEmpty($agentFwdNames)) {
        $ComboBox2.text = "No Agent Forwarder implemented"
    }
    else {
        $ComboBox2.text = "Select an option..."
    }


    $ComboBox2.width                 = 580
    $ComboBox2.height                = 40

    $agentFwdNames | ForEach-Object {[void] $ComboBox2.Items.Add($_)}
    $ComboBox2.location              = New-Object System.Drawing.Point(50,85)
    $ComboBox2.Font                  = 'Microsoft Sans Serif,11'
    $ComboBox2.Add_SelectedValueChanged({
        If ((!([string]::IsNullOrEmpty($ComboBox2.Text))) -and ($ComboBox2.Text -in $agentFwdNames)) {
            Get-AgentConfigString -ForwarderName $ComboBox2.Text
        }
    })

    $Script:agentSnippetBox = New-Object System.Windows.Forms.TextBox
    $agentSnippetBox.Multiline = $True;
    $agentSnippetBox.Location = New-Object System.Drawing.Size(50,130)
    $agentSnippetBox.Size = New-Object System.Drawing.Size(580,250)
    $agentSnippetBox.Scrollbars = "Vertical"
    $form.Controls.Add($agentSnippetBox)

    $OKButton = new-object System.Windows.Forms.Button
    $OKButton.Location = '230,425'
    $OKButton.Size = '100,40'
    $OKButton.Text = 'OK'
    $OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

    $CancelButton = new-object System.Windows.Forms.Button
    $CancelButton.Location = '355,425'
    $CancelButton.Size = '100,40'
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult=[System.Windows.Forms.DialogResult]::Cancel

    $Form.controls.AddRange(@($ComboBox2))
    $form.Controls.AddRange(@($MyGroupBox,$OKButton,$CancelButton))

    $form.AcceptButton = $OKButton
    $form.CancelButton = $CancelButton

    $form.Add_Shown({$form.Activate()})

    $form.ShowDialog()
}

function Get-AgentConfigString {

<#
    .SYNOPSIS
    Gets all the event ids that you need to monitor the selected MITRE Techniques & areas.
 
    .DESCRIPTION
    Gets all the event ids that you need to monitor the selected MITRE Techniques & areas and matches it to the selected event forwarder syntax.
 
    .PARAMETER ForwarderName
    Specifies the name of the Agent Forwarder for which the config should be queried.
 
    .EXAMPLE
    Get-AgentConfigString -ForwarderName "Splunk Universal Forwarder"
 
    Gets all the event ids for the Splunk Universal Forwarder that you need to monitor the selected MITRE Techniques & areas.
 
#>


    [CmdletBinding()]
    param (
        [string]$ForwarderName
    )

    $query = "select * from agent_forwarder_syntax where name = '" + (ConvertTo-PSSQLString($ForwarderName)) + "';"
    $results = Invoke-SqliteQuery -Query $query -DataSource $database

    foreach ($result in $results) {
        $eventStr = Get-MitreEvents -EventIds | Select-Object -ExpandProperty event_id -Unique | foreach-Object { $result.single_event_syntax -replace ("{{SINGLE_EVENTID}}", $_) }
        
        $eventStr = [string]$eventStr -replace(" ", ($result.event_separator + " "))
        $eventStr = [string]$eventStr -replace(($result.event_separator + " -1"), "")

        if ($result.single_event_syntax -eq "{{SINGLE_EVENTID}}") {
            $eventStr = [string]$eventStr -replace("-1", "")
        }
        else {
            $SingleEventSyntaxReplaced = $result.single_event_syntax -replace ("{{SINGLE_EVENTID}}", "")
            $eventStr = [string]$eventStr -replace(($SingleEventSyntaxReplaced + "-1" + $result.event_separator), "")
        }

        $syntaxStr = $result.syntax -replace ("{{EVENTIDS}}", $eventStr) -replace "`n", "`r`n"

        $syntaxStr = $syntaxStr -replace(("= " + $result.event_separator), "=")
        $agentSnippetBox.Text = $syntaxStr
        
    }

}

function Get-BaselineEventList {

<#
    .SYNOPSIS
    Gets an EventList for the selected Baseline.
 
    .DESCRIPTION
    Gets an EventList for the Baseline which was selected from the Combobox in the GUI.
 
    .PARAMETER generateExcelYsn
    Defines if an Excel document will be generated. When checked, one can define where the document should be stored.
 
    .EXAMPLE
    Get-BaselineEventList -generateExcelYsn $true
 
    Gets an EventList for the selected Baseline.
 
#>


    [CmdletBinding()]
    param (
        [boolean]$generateExcelYsn = $false
    )

    if (($ComboBox1Value -eq "No Baselines imported") -or ($ComboBox1Value -eq "Select Baseline") -or [string]::IsNullOrEmpty($ComboBox1Value)) {
        $wshell = New-Object -ComObject Wscript.Shell
        $wshell.Popup("No Baseline was selected.",0,"Generate EventList",0x1)
    }
    else {
        $query = "select eaac.category_name as Category, d.subcategory as Subcategory, em.id as 'Event ID', em.event_name as 'Event Description', em.link_text as 'Event Link', d.inclusion_setting as 'Audit Recommendation', d.setting_value 'Audit Recommendation Number', sf.success_failure_name as 'Event S/F', d.policy_target as 'Policy Target', sr.sec_rec_name as Recommendation from baseline_main m, baseline_data d, events_main em, events_source so, events_success_failure sf, events_security_recommendation sr, events_audit_subcategory eas, events_advanced_audit_categories eaac, events_advanced_audit_subcategories eaas where m.id = d.b_id and d.subcategory = eaas.subcategory_name and em.so_id = so.id and em.success_failure_id = sf.id and em.sr_id = sr.id and em.id = eas.event_id and eas.audit_subc_id = eaas.id and eaas.c_id = eaac.id and m.name = '$ComboBox1Value';"
        $results = Invoke-SqliteQuery -Query $query -DataSource $database
        if ($generateExcelYsn) {
            $tmp = get-date -f yyyyMMddHHmmss
            $results | Export-Csv -Path $ExportFolder\$tmp"EventList.csv"
        }
        else {
            $results | Out-GridView -Title "EventList for: $ComboBox1Value"
        }

    }



}



function Get-BaselineNamesFromDB {

<#
    .SYNOPSIS
    Gets all the names of the baselines, stored in the database.
 
    .DESCRIPTION
    Gets all the names of the baselines, stored in the database.
 
    .EXAMPLE
    Get-BaselineNamesFromDB
 
    Gets all the names of the baselines, stored in the database.
 
#>


    [CmdletBinding()]
    param ()

    $query = "select name from baseline_main;"

    $baselineNames = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty name

    return $baselineNames
}

function Get-CheckedMitreAreas {

<#
    .SYNOPSIS
    Gets all Mitre Areas that were checked.
 
    .DESCRIPTION
    Gets all Mitre Areas that were checked.
 
    .EXAMPLE
    Get-CheckedMitreAreas
 
    Gets all Mitre Areas that were checked.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]
    param ()

    foreach ($key in $CheckBoxArea.keys) {

        if (![string]::IsNullOrEmpty($CheckBoxArea[$key].checkedItems)) {
            foreach ($item in ($CheckBoxArea[$key].checkedItems.Split(" "))) {
                if (![string]::IsNullOrEmpty($item)) {
                    if ([string]::IsNullOrEmpty($tmpStr)) {
                        $tmpStr = "'$item'"
                    }
                    else {
                        $tmpStr = "$tmpStr, '$item'"
                    }

                }
            }
        }
    }

    return $tmpStr
}

function Get-CheckedMitreTechniques {

<#
    .SYNOPSIS
    Gets all Mitre Techniques that were checked.
 
    .DESCRIPTION
    Gets all Mitre Techniques that were checked.
 
    .EXAMPLE
    Get-CheckedMitreTechniques
 
    Gets all Mitre Techniques that were checked.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]
    param ()

    foreach ($key in $CheckBox.keys) {

        if (![string]::IsNullOrEmpty($CheckBox[$key].checkedItems)) {
            foreach ($item in ($CheckBox[$key].checkedItems.Split(" ") | Select-String -Pattern 'T[0-9][0-9][0-9][0-9]' -CaseSensitive)) {
                if (![string]::IsNullOrEmpty($item)) {
                    if ([string]::IsNullOrEmpty($tmpStr)) {
                        $tmpStr = "'$item'"
                    }
                    else {
                        $tmpStr = "$tmpStr, '$item'"
                    }

                }
            }
        }
    }

    return $tmpStr
}

function Get-DeleteBaselineSelect {

<#
    .SYNOPSIS
    Shows a pop-up in which the deletion options are being displayed.
 
    .DESCRIPTION
    Shows a pop-up in which the deletion options are being displayed: Delete the selected baseline or Delete all baselines
 
    .EXAMPLE
    Get-DeleteBaselineSelect
 
    Shows a pop-up in which the deletion options are being displayed.
 
#>

    [CmdletBinding()]
    param ()

    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")

    $Form = New-Object System.Windows.Forms.Form
    $Form.width = 700
    $Form.height = 350
    $Form.Text = "Delete Baseline"

    $Font = New-Object System.Drawing.Font("Microsoft Sans Serif",10)
    $Form.Font = $Font

    $MyGroupBox = New-Object System.Windows.Forms.GroupBox
    $MyGroupBox.Location = '40,40'
    $MyGroupBox.size = '600,150'
    $MyGroupBox.text = "Would you prefer to..."

    $RadioButton1 = New-Object System.Windows.Forms.RadioButton
    $RadioButton1.Location = '20,50'
    $RadioButton1.size = '450,30'
    $RadioButton1.Checked = $true
    $RadioButton1.Text = "Delete the selected baseline"

    $RadioButton2 = New-Object System.Windows.Forms.RadioButton
    $RadioButton2.Location = '20,85'
    $RadioButton2.size = '450,30'
    $RadioButton2.Checked = $false
    $RadioButton2.Text = "Delete all baselines"

    $OKButton = new-object System.Windows.Forms.Button
    $OKButton.Location = '230,200'
    $OKButton.Size = '100,40'
    $OKButton.Text = 'OK'
    $OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

    $CancelButton = new-object System.Windows.Forms.Button
    $CancelButton.Location = '355,200'
    $CancelButton.Size = '100,40'
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult=[System.Windows.Forms.DialogResult]::Cancel

    $form.Controls.AddRange(@($MyGroupBox,$OKButton,$CancelButton))

    $MyGroupBox.Controls.AddRange(@($Radiobutton1,$RadioButton2,$RadioButton3))

    $form.AcceptButton = $OKButton
    $form.CancelButton = $CancelButton

    $form.Add_Shown({$form.Activate()})

    $dialogResult = $form.ShowDialog()

    if ($dialogResult -eq "OK"){

        if ($RadioButton1.Checked){
            Remove-OneBaseline -BaselineName $ComboBox1Value
            Reset-MitreCheckboxes
            $baselineNames = Get-BaselineNamesFromDB
            Sync-ComboBox -ComboBox $ComboBox1 -Items $baselineNames
        }
        elseif ($RadioButton2.Checked){
            Remove-AllBaselines
            Reset-MitreCheckboxes
            $baselineNames = Get-BaselineNamesFromDB
            Sync-ComboBox -ComboBox $ComboBox1 -Items $baselineNames
        }
    }
}

function Get-EventListConfigSelect {

<#
    .SYNOPSIS
    Shows a pop-up in which the EventList configuration options are being displayed.
 
    .DESCRIPTION
    Shows a pop-up in which the EventList configuration options are being displayed.
 
    .EXAMPLE
    Get-EventListConfigSelect
 
    Shows a pop-up in which the EventList configuration options are being displayed.
 
#>

    [CmdletBinding()]
    param ()

    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")

    $Form = New-Object System.Windows.Forms.Form
    $Form.width = 700
    $Form.height = 400
    $Form.Text = "Configure EventList"

    $Font = New-Object System.Drawing.Font("Microsoft Sans Serif",10)
    $Form.Font = $Font

    $MyGroupBox = New-Object System.Windows.Forms.GroupBox
    $MyGroupBox.Location = '40,40'
    $MyGroupBox.size = '600,200'
    $MyGroupBox.text = "Configure EventList"

    $Checkbox1 = New-Object System.Windows.Forms.Checkbox
    $Checkbox1.Location = '20,50'
    $Checkbox1.size = '500,90'
    $sigmaPath = Get-SigmaPath
    if ($sigmaPath) {
        $Checkbox1.Checked = $true
        $Checkbox1.Text = "Sigma Path configured: $sigmaPath"
    }
    else {
        $Checkbox1.Checked = $false
        $Checkbox1.Text = "Configure Sigma Path"
    }

    $Checkbox1.Add_Click({
        if ($Checkbox1.checked) {
            $sigmaPath = Start-FilePicker -description "Please select where the sigmac file is located"
            if ($sigmaPath) {
                Add-EventListConfiguration -sigmaPath $sigmaPath
                $Checkbox1.Text = "Sigma Path configured: $sigmaPath"
            }
        }
        else {
            Remove-EventListConfiguration -sigmaPath
            $Checkbox1.Text = "Configure Sigma Path"
        }
     })

    $OKButton = new-object System.Windows.Forms.Button
    $OKButton.Location = '230,250'
    $OKButton.Size = '100,40'
    $OKButton.Text = 'OK'
    $OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

    $CancelButton = new-object System.Windows.Forms.Button
    $CancelButton.Location = '355,250'
    $CancelButton.Size = '100,40'
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult=[System.Windows.Forms.DialogResult]::Cancel

    $form.Controls.AddRange(@($MyGroupBox,$OKButton,$CancelButton))

    $MyGroupBox.Controls.AddRange(@($Radiobutton1,$RadioButton2,$Checkbox1,$Checkbox2))

    $form.AcceptButton = $OKButton
    $form.CancelButton = $CancelButton

    $form.Add_Shown({$form.Activate()})

    $form.ShowDialog()
}

function Get-EventListSelect {

<#
    .SYNOPSIS
    Shows a pop-up in which the EventList generation options are being displayed.
 
    .DESCRIPTION
    Shows a pop-up in which the EventList generation options are being displayed.
 
    .EXAMPLE
    Get-EventListSelect
 
    Shows a pop-up in which the EventList generation options are being displayed.
 
#>

    [CmdletBinding()]
    param ()

    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")

    $Form = New-Object System.Windows.Forms.Form
    $Form.width = 700
    $Form.height = 400
    $Form.Text = "EventList"

    $Font = New-Object System.Drawing.Font("Microsoft Sans Serif",10)
    $Form.Font = $Font

    $MyGroupBox = New-Object System.Windows.Forms.GroupBox
    $MyGroupBox.Location = '40,40'
    $MyGroupBox.size = '600,200'
    $MyGroupBox.text = "Which Events would you like to process?"

    $RadioButton1 = New-Object System.Windows.Forms.RadioButton
    $RadioButton1.Location = '20,50'
    $RadioButton1.size = '450,30'
    $RadioButton1.Checked = $true
    $RadioButton1.Text = "Baseline Events only"

    $RadioButton2 = New-Object System.Windows.Forms.RadioButton
    $RadioButton2.Location = '20,85'
    $RadioButton2.size = '450,30'
    $RadioButton2.Checked = $false
    $RadioButton2.Text = "All MITRE ATT&&CK Events"

    $Checkbox1 = New-Object System.Windows.Forms.Checkbox
    $Checkbox1.Location = '50,130'
    $Checkbox1.size = '350,30'
    $Checkbox1.Checked = $false
    $Checkbox1.Text = "Export as CSV"
    $Checkbox1.Add_Click({
        $Script:ExportFolder = Start-FilePicker -description "Please select where to store your Excel file"
     })

    $OKButton = new-object System.Windows.Forms.Button
    $OKButton.Location = '230,250'
    $OKButton.Size = '100,40'
    $OKButton.Text = 'OK'
    $OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

    $CancelButton = new-object System.Windows.Forms.Button
    $CancelButton.Location = '355,250'
    $CancelButton.Size = '100,40'
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult=[System.Windows.Forms.DialogResult]::Cancel

    $form.Controls.AddRange(@($MyGroupBox,$OKButton,$CancelButton))

    $MyGroupBox.Controls.AddRange(@($Radiobutton1,$RadioButton2,$Checkbox1))

    $form.AcceptButton = $OKButton
    $form.CancelButton = $CancelButton

    $form.Add_Shown({$form.Activate()})

    $dialogResult = $form.ShowDialog()

    if ($dialogResult -eq "OK"){
        if ($RadioButton1.Checked){
            Get-BaselineEventList -generateExcelYsn $Checkbox1.Checked
        }
        elseif ($RadioButton2.Checked){
            Get-MitreEventList -generateExcelYsn $Checkbox1.Checked
        }
    }
}

function Get-ImportSelect {

<#
    .SYNOPSIS
    Shows a pop-up in which the baseline import options are being displayed.
 
    .DESCRIPTION
    Shows a pop-up in which the baseline import options are being displayed.
 
    .EXAMPLE
    Get-ImportSelect
 
    Shows a pop-up in which the baseline import options are being displayed.
 
#>


    [CmdletBinding()]
    param ()

    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")

    $Form = New-Object System.Windows.Forms.Form
    $Form.width = 700
    $Form.height = 350
    $Form.Text = "Import Baseline"

    $Font = New-Object System.Drawing.Font("Microsoft Sans Serif",10)
    $Form.Font = $Font

    $MyGroupBox = New-Object System.Windows.Forms.GroupBox
    $MyGroupBox.Location = '40,40'
    $MyGroupBox.size = '600,150'
    $MyGroupBox.text = "What kind of baseline would you like to import?"

    $RadioButton1 = New-Object System.Windows.Forms.RadioButton
    $RadioButton1.Location = '20,50'
    $RadioButton1.size = '450,30'
    $RadioButton1.Checked = $true
    $RadioButton1.Text = "Import a Microsoft Security Baseline or a backed-up GPO"

    $OKButton = new-object System.Windows.Forms.Button
    $OKButton.Location = '230,200'
    $OKButton.Size = '100,40'
    $OKButton.Text = 'OK'
    $OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

    $CancelButton = new-object System.Windows.Forms.Button
    $CancelButton.Location = '355,200'
    $CancelButton.Size = '100,40'
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult=[System.Windows.Forms.DialogResult]::Cancel

    $form.Controls.AddRange(@($MyGroupBox,$OKButton,$CancelButton))

    $MyGroupBox.Controls.AddRange(@($Radiobutton1,$RadioButton2))

    $form.AcceptButton = $OKButton
    $form.CancelButton = $CancelButton

    $form.Add_Shown({$form.Activate()})

    $dialogResult = $form.ShowDialog()

    if ($dialogResult -eq "OK"){

        if ($RadioButton1.Checked){
           $baselineFolder = Start-FilePicker -description "Select a file or directory where the Baselines are located"
           if (![string]::IsNullOrEmpty($baselineFolder)) {
               Import-BaselineFromFolder -Path "$baselineFolder"
               $baselineNames = Get-BaselineNamesFromDB
               Sync-ComboBox -ComboBox $ComboBox1 -Items $baselineNames
           }
           else {
               $wshell = New-Object -ComObject Wscript.Shell
               $wshell.Popup("No Baseline was selected.",0,"Done",0x1)
           }
        }
    }
}

function Get-MitreEventList {

<#
    .SYNOPSIS
    Gets an EventList for the selected MITRE ATT&CK techniques.
 
    .DESCRIPTION
    Gets an EventList for the MITRE ATT&CK techniques which were selected from the checkboxes in the GUI.
 
    .PARAMETER generateExcelYsn
    Defines if an Excel document will be generated. When checked, one can define where the document should be stored.
 
    .EXAMPLE
    Get-MitreEventList -generateExcelYsn $true
 
    Gets an EventList for the selected MITRE ATT&CK techniques.
 
#>

    [CmdletBinding()]
    param (
        [boolean]$generateExcelYsn = $false
    )

    $results = Get-MitreEvents
    if (![string]::IsNullOrEmpty($results)) {
            if ($generateExcelYsn) {
                $tmp = get-date -f yyyyMMddHHmmss
                $results | Export-Csv -Path $ExportFolder\$tmp"EventList.csv"
            }
            else {
                $results | Out-GridView -Title "EventList for: $ComboBox1Value"
            }

    }
    else {
        $wshell = New-Object -ComObject Wscript.Shell
        $wshell.Popup("No MITRE ATT&CK techniques were selected.",0,"Done",0x1)
    }


}

function Get-MitreEvents {

<#
    .SYNOPSIS
    Returns all events for the selected Mitre techniques.
 
    .DESCRIPTION
    Returns all events for the selected Mitre techniques.
 
    .PARAMETER AdvancedAudit
    If set, only events which will be set from the Advanced Audit options will be taken into account.
 
    .PARAMETER EventIds
    If set, only Event Ids will be returned from this function.
 
    .EXAMPLE
    Get-MitreEvents
 
    Returns all events for the selected Mitre techniques.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]
    param (
        [switch]$AdvancedAudit,
        [switch]$EventIds
    )

    $tmpStr = Get-CheckedMitreTechniques

    if (![string]::IsNullOrEmpty($tmpStr)) {

        if ($AdvancedAudit){
            # if success_failure_id >= 3 it's always s+f / 1 = s / 2 = f
            $query = "select subcategory_name, guid, sum(success_failure_id) as sf_sum from ( select distinct eaas.subcategory_name, eaas.guid, m.success_failure_id from mitre_techniques t, mitre_events e left join events_main m on e.event_id = m.id left join events_source so on m.so_id = so.id left join events_audit_subcategory eas on m.id = eas.event_id left join events_advanced_audit_subcategories eaas on eas.audit_subc_id = eaas.id where t.technique_id in ($tmpStr) and t.id = e.technique_id and e.event_id is not null and so.source_name = 'Advanced Audit Logs' and e.event_id <> '-1' ) group by subcategory_name, guid order by subcategory_name"
        }
        elseif ($EventIds) {
            $query = "select distinct e.event_id from mitre_techniques t, mitre_events e left join events_main m on e.event_id = m.id left join events_source so on m.so_id = so.id left join events_security_recommendation sr on m.sr_id = sr.id where t.technique_id in ($tmpStr) and t.id = e.technique_id and e.event_id is not null order by e.event_id"
        }
        else {
            $query = "select t.technique_id, t.technique_name, e.event_id, m.event_name, m.link_text, so.source_name, sr.sec_rec_name from mitre_techniques t, mitre_events e left join events_main m on e.event_id = m.id left join events_source so on m.so_id = so.id left join events_security_recommendation sr on m.sr_id = sr.id where t.technique_id in ($tmpStr) and t.id = e.technique_id and e.event_id is not null order by e.event_id"
        }


        $resultStr = Invoke-SqliteQuery -Query $query -DataSource $database
    }
    return $resultStr
}

function Get-PolicyFromEvents {

<#
    .SYNOPSIS
    Creates a group policy out of the selected events.
 
    .DESCRIPTION
    Creates a group policy out of the selected events which are mapped to the MITRE ATT&CK Techniques.
 
    .EXAMPLE
    Get-PolicyFromEvents
 
    Creates a group policy out of the selected events.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseOutputTypeCorrectly", "")]
    [CmdletBinding()]
    param ()

    $destFolder = Start-FilePicker -description "Select a directory where the GPO should be saved"
    $GpoTmpl = "$ModuleRoot\internal\data\GPO\*"

    $tmp = Get-MitreEvents -advancedAudit

    if ($tmp) {
        $auditCsvString = "Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value"

        foreach ($item in $tmp) {
            $subcategory_name = $item | Select-Object -ExpandProperty subcategory_name
            $guid = $item | Select-Object -ExpandProperty guid
            $sf_sum = $item | Select-Object -ExpandProperty sf_sum

            switch ($sf_sum){
                # if success_failure_id >= 3 it's always s+f / 1 = s / 2 = f
                0 {""}
                1 {
                    $sf_string = "Success"
                    $sf_number = $sf_sum
                }
                2 {
                    $sf_string = "Failure"
                    $sf_number = $sf_sum
                }
                default {
                    $sf_string = "Success and Failure"
                    $sf_number = 3
                }
                }

            $auditCsvString = $auditCsvString + "`r`n,System,$subcategory_name,$guid,$sf_string,,$sf_number"
        }

        $GPOFolder = $("{$(New-Guid)}").ToUpper()

        New-Item -ItemType directory -Path "$destFolder\$GPOFolder"
        Copy-Item "$GpoTmpl" -Destination "$destFolder\$GPOFolder" -Recurse

        New-Item -ItemType directory -Path "$destFolder\$GPOFolder\Machine\Microsoft\Windows NT\Audit\"

        New-Item -ItemType directory -Path "$destFolder\$GPOFolder\Machine\Scripts\Shutdown\"
        New-Item -ItemType directory -Path "$destFolder\$GPOFolder\Machine\Scripts\Startup\"
        New-Item -ItemType directory -Path "$destFolder\$GPOFolder\User\"

        Set-Content -Path "$destFolder\$GPOFolder\Machine\Microsoft\Windows NT\Audit\audit.csv" -Value $auditCsvString
    }

}

function Get-Queries {

<#
    .SYNOPSIS
    Returns queries for the selected MITRE ATT&CK Techniques & areas.
 
    .DESCRIPTION
    Returns queries for the selected MITRE ATT&CK Techniques & areas.
 
    .EXAMPLE
    Get-Queries
 
    Returns queries for the selected MITRE ATT&CK Techniques & areas.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]
    param ()

    $techniques = Get-CheckedMitreTechniques
    $areas = Get-CheckedMitreAreas

    $query = "select distinct
                ma.area_name, mt.technique_id, mt.technique_name, qm.title, qm.description, qm.status, qm.date, qm.author, qm.raw_yaml, qm.level, qm.filename
            from mitre_events me, mitre_techniques mt, mitre_areas ma,
            queries_data_yaml_tags qt,
            queries_data_yaml_main qm
            where me.technique_id = mt.id
            and qt.mitre_technique_id = mt.id
            and qt.m_id = qm.id
            and me.area_id = ma.id
            and (
                    (mt.technique_id in ($techniques) )
                    or (ma.area_name in ($areas))
                )
            order by area_id, technique_name;"


    $result = Invoke-SqliteQuery -Query $query -DataSource $database

    return $result
}

function Get-QueriesSelect {

<#
    .SYNOPSIS
    Shows a pop-up in which the query creation options are being displayed.
 
    .DESCRIPTION
    Shows a pop-up in which the query creation options are being displayed.
 
    .EXAMPLE
    Get-QueriesSelect
 
    Shows a pop-up in which the query creation options are being displayed.
 
#>


    [CmdletBinding()]
    param ()

    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")

    $Form = New-Object System.Windows.Forms.Form
    $Form.width = 700
    $Form.height = 400
    $Form.Text = "Generate Queries"

    $Font = New-Object System.Drawing.Font("Microsoft Sans Serif",10)
    $Form.Font = $Font

    $MyGroupBox = New-Object System.Windows.Forms.GroupBox
    $MyGroupBox.Location = '40,40'
    $MyGroupBox.size = '600,200'
    $MyGroupBox.text = "How would you like to create your queries?"

    $RadioButton1 = New-Object System.Windows.Forms.RadioButton
    $RadioButton1.Location = '20,50'
    $RadioButton1.size = '450,30'
    $RadioButton1.Checked = $true
    $RadioButton1.Text = "Please generate SIGMA queries for:"

    $ComboSiemBox                       = New-Object system.Windows.Forms.ComboBox
    $supportedSiem = Get-SupportedSiemFromDb
    if ([string]::IsNullOrEmpty($supportedSiem)) {
        $ComboSiemBox.text = "No supported Siem solution imported"
    }
    else {
        $ComboSiemBox.text = "Select Siem solution"
    }


    $ComboSiemBox.width                 = 200
    $ComboSiemBox.height                = 40

    $supportedSiem | ForEach-Object {[void] $ComboSiemBox.Items.Add($_)}
    $ComboSiemBox.location              = New-Object System.Drawing.Point(76,120)
    $ComboSiemBox.Font                  = 'Microsoft Sans Serif,11'

    $ComboSiemBox.Add_SelectedValueChanged({
        $Script:SelectedComboSiemBox = $ComboSiemBox.Text
    })

    $Form.controls.AddRange(@($ComboSiemBox))

    $RadioButton2 = New-Object System.Windows.Forms.RadioButton
    $RadioButton2.Location = '20,115'
    $RadioButton2.size = '450,30'
    $RadioButton2.Checked = $false
    $RadioButton2.Text = "Generate Queries in YAML format"

    $OKButton = new-object System.Windows.Forms.Button
    $OKButton.Location = '230,250'
    $OKButton.Size = '100,40'
    $OKButton.Text = 'OK'
    $OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

    $CancelButton = new-object System.Windows.Forms.Button
    $CancelButton.Location = '355,250'
    $CancelButton.Size = '100,40'
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult=[System.Windows.Forms.DialogResult]::Cancel

    $form.Controls.AddRange(@($MyGroupBox,$OKButton,$CancelButton))

    $MyGroupBox.Controls.AddRange(@($Radiobutton1,$RadioButton2,$Checkbox1))

    $form.AcceptButton = $OKButton
    $form.CancelButton = $CancelButton

    $form.Add_Shown({$form.Activate()})

    $dialogResult = $form.ShowDialog()

    if ($dialogResult -eq "OK"){
        if ($ExportFolder = Start-FilePicker -description "Where do you want to save your Queries?") {
            if ($RadioButton1.Checked){
                Get-SigmaQueries -OutputPath $ExportFolder -siemName $SelectedComboSiemBox
            }
            elseif ($RadioButton2.Checked){
                Get-SigmaQueries -OutputPath $ExportFolder -siemName $SelectedComboSiemBox -yamlOnly
            }
        }
    }
}

function Get-SigmaPath {

<#
    .SYNOPSIS
    Returns the path to the location where sigmac is located.
 
    .DESCRIPTION
    Returns the path to the location where sigmac is located. The path is configured by the user.
 
    .EXAMPLE
    Get-SigmaPath
 
    Returns the path to the location where sigmac is located.
 
#>

    [CmdletBinding()]
    [OutputType([String])]
    param ()

    $query = "select sigma_path from EventList_configuration;"

    $sigmaPath = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty sigma_path

    $sigmaPath = $sigmaPath

    if (!(Test-Path -Path "$sigmaPath\sigmac" -PathType Leaf)) {
        return ""
    }
    else {
        return "$sigmaPath\sigmac"
    }

}

function Get-SigmaQueries {

<#
    .SYNOPSIS
    Returns the queries for the desired target system.
 
    .DESCRIPTION
    Returns the queries for the desired target system. Either as YAML, sigma command or already converted by sigma.
 
    .PARAMETER OutputPath
    Defines where the Output should be stored.
 
    .PARAMETER siemName
    Defines the target SIEM system. Must be supported by Sigma.
 
    .PARAMETER yamlOnly
    If set, the configuration will be generated in YAML only
 
    .EXAMPLE
    Get-SigmaQueries -OutputPath $ExportFolder -siemName $SelectedComboSiemBox
 
    Returns the queries for the desired target system.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]

    param (
        [string]$OutputPath,
        [string]$siemName,
        [switch]$yamlOnly
    )

    $query = "select target from sigma_supportedSiem where name = '" + $siemName + "' COLLATE NOCASE;"
    $target = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty target

    $queryObj = Get-Queries

    $tmp = get-date -f yyyyMMddHHmmss

    $yamlPath = $OutputPath + "\" + $tmp + "_EventList-Queries\yaml\"
    New-Item -ItemType directory -Path $OutputPath\$tmp"_EventList-Queries"
    New-Item -ItemType directory -Path $yamlPath

    foreach ($item in $queryObj) {
        $addQuery = $false
        $tmpStr = ""
        $sigmaLocation = Get-SigmaPath
        if ($sigmaLocation) {
            $sigmaIsInstalled = $true
        }
        else {
            $sigmaIsInstalled = $false
        }

        $area_name = ConvertFrom-PSSQLString -Text $item.area_name
        $technique_id = ConvertFrom-PSSQLString -Text $item.technique_id
        $technique_name = ConvertFrom-PSSQLString -Text $item.technique_name
        $title = ConvertFrom-PSSQLString -Text $item.title
        $description = ConvertFrom-PSSQLString -Text $item.description
        $status = ConvertFrom-PSSQLString -Text $item.status
        $date = ConvertFrom-PSSQLString -Text $item.date
        $author = ConvertFrom-PSSQLString -Text $item.author
        $raw_yaml = ConvertFrom-PSSQLString -Text $item.raw_yaml
        $level = ConvertFrom-PSSQLString -Text $item.level
        $filename = ConvertFrom-PSSQLString -Text $item.filename

        $yamlFile = ".\yaml\" + $filename
        Set-Content -Path ($yamlPath + $filename) -Value $raw_yaml



        if ($old_areaName -ne $area_name) {
            if ($old_areaName){
                $tmpStr = $tmpStr + "`r`n"
            }

            $tmpStr = $tmpStr + "# " + $area_name + "`r`n"
        }

        if ($old_techniqueName -ne $technique_name) {
            $tmpStr = $tmpStr + "`r`n"
            $tmpStr = $tmpStr + "## " + $technique_id + " " + $technique_name + "`r`n"
        }

        $tmpStr = $tmpStr + "`r`n"
        $tmpStr = $tmpStr + "### " + $title + "`r`n"

        if ($sigmaIsInstalled) {
            "Processing " + $title + "`r`n" >> $OutputPath\$tmp"_EventList-Queries\SigmaLog.txt"
        }

        $tmpStr = $tmpStr + "* Author: " + $author + "`r`n"
        $tmpStr = $tmpStr + "* Date: " + $date + "`r`n"
        $tmpStr = $tmpStr + "* Query Status: " + $status + "`r`n"
        $tmpStr = $tmpStr + "* Level: " + $level + "`r`n"

        $tmpStr = $tmpStr + "*" + $description + "*`r`n"

        if ($yamlOnly) {
            $tmpStr = $tmpStr + "#### Yaml:`r`n"
            $tmpStr = $tmpStr + $raw_yaml
            $addQuery = $true
        }
        else {
            if ($sigmaIsInstalled) {
                $sigmaConfigPath = Join-Path -Path $sigmaLocation -ChildPath "..\config\generic\windows-audit.yml" -Resolve
                $sigmaquery = python.exe $sigmaLocation -t $target ($yamlPath + $filename) -c $sigmaConfigPath 2>>$OutputPath\$tmp"_EventList-Queries\SigmaLog.txt"
                if ($sigmaquery) {
                    $addQuery = $true
                }

                $tmpStr = $tmpStr + " " + $sigmaquery + "`r`n"
                if ($addQuery) {
                    $scriptStr = $scriptStr + $sigmaquery + "`r`n`r`n"
                }
            }
            else {
                $tmpStr = $tmpStr + " python.exe tools/sigmac -t $target $yamlFile -c config\generic\windows-audit.yml `r`n"
                $addQuery = $true
                $scriptStr = $scriptStr + "python.exe tools/sigmac -t $target $yamlFile -c config\generic\windows-audit.yml `r`n`r`n"
            }
        }

        if ($addQuery) {
            $outputStr = $outputStr + $tmpStr
        }

        $old_areaName = $area_name
        $old_techniqueName = $technique_name
    }

    Set-Content -Path $OutputPath\$tmp"_EventList-Queries\EventList-Queries.md" -Value $outputStr

    if ($scriptStr) {
        Set-Content -Path $OutputPath\$tmp"_EventList-Queries\EventList-Queries.txt" -Value $scriptStr
    }

}

function Get-SupportedSiemFromDb {

<#
    .SYNOPSIS
    Returns all SIEM systems which are supported by sigma.
 
    .DESCRIPTION
    Returns all SIEM systems which are supported by sigma.
 
    .EXAMPLE
    Get-SupportedSiemFromDb
 
    Returns all SIEM systems which are supported by sigma.
 
#>

    [CmdletBinding()]
    param ()

    $query = "select name from sigma_supportedSiem order by name;"

    $siemNames = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty name

    return $siemNames
}

function Get-YamlAdminSelect {

<#
    .SYNOPSIS
    Shows a pop-up in which the YAML admin options are being displayed.
 
    .DESCRIPTION
    Shows a pop-up in which the YAML admin options are being displayed.
 
    .EXAMPLE
    Get-YamlAdminSelect
 
    Shows a pop-up in which the YAML admin options are being displayed.
 
#>


    [CmdletBinding()]
    param ()

    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")

    $Form = New-Object System.Windows.Forms.Form
    $Form.width = 700
    $Form.height = 350
    $Form.Text = "Delete Baseline"

    $Font = New-Object System.Drawing.Font("Microsoft Sans Serif",10)
    $Form.Font = $Font

    $MyGroupBox = New-Object System.Windows.Forms.GroupBox
    $MyGroupBox.Location = '40,40'
    $MyGroupBox.size = '600,150'
    $MyGroupBox.text = "Would you prefer to..."

    $RadioButton1 = New-Object System.Windows.Forms.RadioButton
    $RadioButton1.Location = '20,50'
    $RadioButton1.size = '450,30'
    $RadioButton1.Checked = $true
    $RadioButton1.Text = "Import YAML Configuration Files"

    $RadioButton2 = New-Object System.Windows.Forms.RadioButton
    $RadioButton2.Location = '20,85'
    $RadioButton2.size = '450,30'
    $RadioButton2.Checked = $false
    $RadioButton2.Text = "Remove existing YAML Configuration"

    $OKButton = new-object System.Windows.Forms.Button
    $OKButton.Location = '230,200'
    $OKButton.Size = '100,40'
    $OKButton.Text = 'OK'
    $OKButton.DialogResult=[System.Windows.Forms.DialogResult]::OK

    $CancelButton = new-object System.Windows.Forms.Button
    $CancelButton.Location = '355,200'
    $CancelButton.Size = '100,40'
    $CancelButton.Text = "Cancel"
    $CancelButton.DialogResult=[System.Windows.Forms.DialogResult]::Cancel

    $form.Controls.AddRange(@($MyGroupBox,$OKButton,$CancelButton))

    $MyGroupBox.Controls.AddRange(@($Radiobutton1,$RadioButton2,$RadioButton3))

    $form.AcceptButton = $OKButton
    $form.CancelButton = $CancelButton

    $form.Add_Shown({$form.Activate()})

    $dialogResult = $form.ShowDialog()

    if ($dialogResult -eq "OK"){

        if ($RadioButton1.Checked){
            Import-YamlCofigurationFiles
        }
        elseif ($RadioButton2.Checked){
            Remove-AllYamlConfigurations
        }
    }
}

function Import-BaselineFromFolder {

<#
    .SYNOPSIS
    Imports one or multiple baselines from a folder into the database.
 
    .DESCRIPTION
    Imports one or multiple baselines from a folder into the database.
 
    .PARAMETER Path
    Path where the baseline(s) is/are located.
 
    .EXAMPLE
    Import-BaselineFromFolder -Path "C:\tmp\"
 
    Imports one or multiple baselines from "C:\tmp" into the database.
 
#>


    [cmdletbinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $test = Get-ChildItem -LiteralPath $Path -Filter audit.csv -Recurse -ErrorAction SilentlyContinue -Force | Group-Object path

    foreach ($item in $test.Group) {
        if (![string]::IsNullOrEmpty($item.FullName)) {
            if ($item.Directory -match "GPO") {
                $gpReportXmlPathStr = $item.Directory -Replace("DomainSysvol\\GPO\\Machine\\microsoft\\windows nt\\Audit", "gpreport.xml")
                [xml]$xml = Get-Content -Path $gpReportXmlPathStr
                $auditPolicyNameStr = $xml.GPO.Name
                Import-BaselineIntoDb -Path $item.FullName -PolicyName $auditPolicyNameStr
            }
        }
    }
}

function Import-BaselineIntoDb {

<#
    .SYNOPSIS
    Imports one policy into the database, if not existant yet.
 
    .DESCRIPTION
    Imports one policy into the database, if not existant yet.
 
    .PARAMETER Path
    Defines the path where the baseline is located.
 
    .PARAMETER PolicyName
    Name of the baseline which should be imported.
 
    .EXAMPLE
    Import-BaselineIntoDb -Path $item.FullName -PolicyName $auditPolicyNameStr
 
    Imports one policy into the database, if not existant yet.
 
#>


    [cmdletbinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Path,
        [Parameter(Mandatory = $true)]
        [string]$PolicyName
    )

    $Query = "select name from baseline_main where name = '$PolicyName';"

    if (!(Invoke-SqliteQuery -Query $Query -DataSource $Database)){
        $settings = Import-Csv -Path $Path

        if ($settings) {
            $Query = "insert into baseline_main (name) values ('$PolicyName');SELECT last_insert_rowid();"
            $b_id = Invoke-SqliteQuery -Query $Query -DataSource $Database | Select-Object -ExpandProperty "last_insert_rowid()"

            ForEach ($setting in $settings){
                $policy_target = $($setting."Policy Target")
                $subcategory = $($setting."Subcategory")
                $subcategory_guid = $($setting."Subcategory GUID")
                $inclusion_setting = $($setting."Inclusion Setting")
                $exclusion_setting = $($setting."Exclusion Setting")
                $setting_value = $($setting."Setting Value")

                $Query = "insert into baseline_data (policy_target,subcategory,subcategory_guid,inclusion_setting,exclusion_setting,setting_value,b_id) values ('$policy_target','$subcategory','$subcategory_guid','$inclusion_setting','$exclusion_setting','$setting_value','$b_id');"
                Invoke-SqliteQuery -Query $Query -DataSource $Database
            }
        }
    }
    else {
        $wshell = New-Object -ComObject Wscript.Shell
        $wshell.Popup("Baseline $PolicyName was already imported",0,"Done",0x1)
    }




}

function Import-YamlCofigurationFiles {

<#
    .SYNOPSIS
    Imports one or more YAML configuration file(s) from a folder into the database.
 
    .DESCRIPTION
    Imports one or more YAML configuration file(s) from a folder into the database. YAML configurations can be found in the sigma GitHub repository.
 
    .EXAMPLE
    Import-YamlCofigurationFiles
 
    Imports one or more YAML configuration file(s) from a folder into the database.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]
    param ()

    $configFolder = Start-FilePicker -description "Select the directory where the YAML configuration files are located"
    if (![string]::IsNullOrEmpty($configFolder)) {
        Import-YamlCofigurationFromFolder -Path $configFolder
    }
    else {
        $wshell = New-Object -ComObject Wscript.Shell
        $wshell.Popup("No Folder was selected.",0,"Done",0x1)
    }

}

function Import-YamlCofigurationFromFolder {

<#
    .SYNOPSIS
    Imports one or more YAML configuration file(s) into the database.
 
    .DESCRIPTION
    Imports one or more YAML configuration file(s) into the database. YAML configurations can be found in the sigma GitHub repository.
 
    .PARAMETER Path
    Defines the path where the YAML configuration files are located.
 
    .PARAMETER Force
    If set, overwrites queries, that were already imported in the database.
 
    .EXAMPLE
    Import-YamlCofigurationFromFolder -Path "C:\tmp"
 
    Imports one or more YAML configuration file(s) from "C:\tmp" into the database.
 
#>


    [cmdletbinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$Path,
        [switch]$Force
     )

    $YamlConfigFiles = Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue -Force | Group-Object path


    foreach ($item in $YamlConfigFiles.Group) {
        if (![string]::IsNullOrEmpty($item.FullName)) {

            if ($item.Extension -match ".yml") {
                $rawYaml = get-content -raw $item.FullName
                $yamlObj = [pscustomobject](convertfrom-yaml $rawYaml)

                $delQuery = ""
                $tmpStr = ""
                $sqlStr = ""

                $query = "select * from queries_data_yaml_main where title = '" + (ConvertTo-PSSQLString -Text $yamlObj.title) + "';"

                if ($Force) {
                    $m_id = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty "id"

                    if ($m_id -gt 0) {
                        $delQuery = "delete from queries_data_yaml_tags where m_id = '$m_id'; "
                    }

                    $delQuery = $delQuery + "delete from queries_data_yaml_main where title = '" + (ConvertTo-PSSQLString -Text $yamlObj.title) + "';"
                    Invoke-SqliteQuery -Query $delQuery -DataSource $database
                }

                if (!(Invoke-SqliteQuery -Query $query -DataSource $database)) {
                    $sqlStr = "insert into queries_data_yaml_main (title, description, status, date, author, raw_yaml, level, filename) values ('" + (ConvertTo-PSSQLString -Text $yamlObj.title) + "', '" + (ConvertTo-PSSQLString -Text $yamlObj.description) + "', '" + (ConvertTo-PSSQLString -Text $yamlObj.status) + "', '" + (ConvertTo-PSSQLString -Text $yamlObj.date) + "', '" + (ConvertTo-PSSQLString -Text $yamlObj.author) + "', '" + (ConvertTo-PSSQLString -Text $rawYaml) + "', '" + (ConvertTo-PSSQLString -Text $yamlObj.level) + "', '" + (ConvertTo-PSSQLString -Text $item.name) + "'); select last_insert_rowid();"
                    $m_id = Invoke-SqliteQuery -Query $sqlStr -DataSource $database | Select-Object -ExpandProperty "last_insert_rowid()"

                    foreach ($item in $yamlObj.tags) {
                        $technique_id = 0
                        $area_id = 0
                        $tag_category = ($item.split("."))[0]
                        $tag_name = ($item.split("."))[1] -replace "_", " "

                        if ($tag_category -eq "attack") {
                            if ($tag_name.SubString(0,1) -eq "t") {
                                $query = "SELECT * FROM mitre_techniques WHERE technique_id = '$tag_name' COLLATE NOCASE;"
                                $technique_id = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty "id"
                            }
                            else {
                                $query = "SELECT * FROM mitre_areas WHERE area_name = '$tag_name' COLLATE NOCASE;"
                                $area_id = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty "id"

                                if (!($technique_id) -or ($technique_id -eq 0)) {
                                    $query = "SELECT * FROM mitre_techniques WHERE technique_name = '$tag_name' COLLATE NOCASE;"
                                    $technique_id = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty "id"
                                }
                            }
                        }

                        if (!$technique_id) {
                            $technique_id = 0
                        }

                        if (!$area_id) {
                            $area_id = 0
                        }

                        $tmpStr = "insert into queries_data_yaml_tags (tag_name, m_id, full_tag_name, category, mitre_area_id, mitre_technique_id) values ('$tag_name', '$m_id', '$item', '$tag_category', '$area_id', '$technique_id');"

                        if (![string]::IsNullOrEmpty(($tmpStr))) {
                            Invoke-SqliteQuery -Query $tmpStr -DataSource $database
                        }
                    }
                }

            }
        }
    }

}

function Remove-AllBaselines {

<#
    .SYNOPSIS
    Deletes all imported baselines from the database.
 
    .DESCRIPTION
    Deletes all imported baselines from the database.
 
    .PARAMETER Confirm
    Prompts you for confirmation before executing the command.
 
    .PARAMETER WhatIf
    Displays a message that describes the effect of the command, instead of executing the command.
 
    .EXAMPLE
    Remove-AllBaselines
 
    Deletes all imported baselines from the database.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding(SupportsShouldProcess)]
    param ()

    $Query = "delete from baseline_data; delete from baseline_main;"

    Invoke-SqliteQuery -Query $Query -DataSource $Database
    $wshell = New-Object -ComObject Wscript.Shell
    $wshell.Popup("All baselines were successfully deleted.",0,"Done",0x1)

}

function Remove-AllYamlConfigurations {

<#
    .SYNOPSIS
    Deletes all imported YAML configuration files from the database.
 
    .DESCRIPTION
    Deletes all imported YAML configuration files from the database.
 
    .PARAMETER Confirm
    Prompts you for confirmation before executing the command.
 
    .PARAMETER WhatIf
    Displays a message that describes the effect of the command, instead of executing the command.
 
    .EXAMPLE
    Remove-AllYamlConfigurations
 
    Deletes all imported YAML configuration files from the database.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding(SupportsShouldProcess)]
    param ()

    $Query = "delete from queries_data_yaml_main; delete from queries_data_yaml_tags;"

    Invoke-SqliteQuery -Query $Query -DataSource $Database
    $wshell = New-Object -ComObject Wscript.Shell
    $wshell.Popup("All YAML configurations were successfully deleted.",0,"Done",0x1)
}

function Remove-EventListConfiguration {

<#
    .SYNOPSIS
    Deletes all existent EventList configurations from the database.
 
    .DESCRIPTION
    Deletes all existent EventList configurations from the database.
 
    .PARAMETER sigmaPath
    Defines the path where sigmac is located.
 
    .PARAMETER Confirm
    Prompts you for confirmation before executing the command.
 
    .PARAMETER WhatIf
    Displays a message that describes the effect of the command, instead of executing the command.
 
    .EXAMPLE
    Remove-EventListConfiguration -sigmaPath
 
    Deletes all existent EventList configurations from the database.
 
#>

    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$sigmaPath
    )

    if ($sigmaPath) {
        $query = "Update EventList_configuration set sigma_path='' where id=1;"
    }

    if ($query) {
        Invoke-SqliteQuery -Query $query -DataSource $database
    }
}

function Remove-OneBaseline {

<#
    .SYNOPSIS
    Removes one imported baseline from the database.
 
    .DESCRIPTION
    Removes one imported baseline from the database.
 
    .PARAMETER BaselineName
    Defines the name of the baseline.
 
    .PARAMETER Confirm
    Prompts you for confirmation before executing the command.
 
    .PARAMETER WhatIf
    Displays a message that describes the effect of the command, instead of executing the command.
 
    .EXAMPLE
    Remove-OneBaseline -BaselineName "SCM Windows 10 - Computer"
 
    Removes one imported baseline from the database.
 
#>

    [CmdletBinding(SupportsShouldProcess)]
    Param (
        [string]$BaselineName
    )

    $valuesFromDb = Get-BaselineNamesFromDB

    if (($BaselineName -eq "No Baselines imported") -or ($BaselineName -eq "Select Baseline") -or [string]::IsNullOrEmpty($BaselineName)) {
        $wshell = New-Object -ComObject Wscript.Shell
        $wshell.Popup("No Baseline was selected.",0,"Delete selected baseline",0x1)
    }
    else {
        If ($BaselineName -in $valuesFromDb) {
            $query = "select id from baseline_main where name like '$BaselineName' ;"
            $id = Invoke-SqliteQuery -Query $query -DataSource $database | Select-Object -ExpandProperty id

            $query = "delete from baseline_data where b_id = $id ; delete from baseline_main where id = $id ;"
            Invoke-SqliteQuery -Query $query -DataSource $database

            $wshell = New-Object -ComObject Wscript.Shell
            $wshell.Popup("Baseline $BaselineName was deleted successfully.",0,"Delete selected baseline",0x1)
        }
    }
}

function Reset-MitreCheckboxes {

<#
    .SYNOPSIS
    Unchecks all checked MITRE ATT&CK technique & area checkboxes.
 
    .DESCRIPTION
    Unchecks all checked MITRE ATT&CK technique & area checkboxes. Also resets the baseline combobox selection.
 
    .PARAMETER Confirm
    Prompts you for confirmation before executing the command.
 
    .PARAMETER WhatIf
    Displays a message that describes the effect of the command, instead of executing the command.
 
    .EXAMPLE
    Reset-MitreCheckboxes
 
    Unchecks all checked MITRE ATT&CK technique & area checkboxes.
 
#>


    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseDeclaredVarsMoreThanAssignments", "")]
    [CmdletBinding(SupportsShouldProcess)]
    param ()

    foreach ($key in $CheckBox.keys) {
        for ($i=0; $i -lt $CheckBox[$key].Items.count; $i++) {
            $CheckBox[$key].SetItemChecked($i, $false)
        }
    }

    foreach ($key in $CheckBoxArea.keys) {
        $($CheckBoxArea[$key]).checked = $false
    }

    $ComboBox1Value = ""
    $ComboBox1.text = "Select Baseline"
}

function Select-AllCheckboxesFromOneArea {

<#
    .SYNOPSIS
    Selects all Checkboxes of the techniques mapped to an area.
 
    .DESCRIPTION
    Selects all Checkboxes of the techniques mapped to an area.
 
    .PARAMETER AreaName
    The name of the area.
 
    .EXAMPLE
    Select-AllCheckboxesFromOneArea -AreaName "Initial Access"
 
    Selects all Checkboxes of the techniques mapped to an area.
 
#>

    [CmdletBinding()]
    param (
        [string]$AreaName
    )

        if ($CheckBoxArea[$AreaName].checked) {
            $isChecked = $true
        }
        else {
            $isChecked = $false
        }

        for ($i=0; $i -lt $CheckBox[$AreaName].Items.count; $i++) {
            $CheckBox[$AreaName].SetItemChecked($i, $isChecked)
        }

}

Function Start-FilePicker{

<#
    .SYNOPSIS
    Lets the user select a folder and returns the path.
 
    .DESCRIPTION
    Lets the user select a folder and returns the path.
 
    .PARAMETER description
    Specifies the description dialog which is shown to the user
 
    .PARAMETER Confirm
    Prompts you for confirmation before executing the command.
 
    .PARAMETER WhatIf
    Displays a message that describes the effect of the command, instead of executing the command.
 
    .EXAMPLE
    Start-FilePicker -description "Select a file or directory"
 
    Lets the user select a folder and returns the path. and displays the description "Select a file or directory"
 
#>

    [CmdletBinding(SupportsShouldProcess)]
param(
    [string]$description = "Select a file or directory"
)

    $browse = New-Object System.Windows.Forms.FolderBrowserDialog
    $browse.SelectedPath = "$ENV:UserProfile\Downloads"
    $browse.Description = $description

    $show = $browse.ShowDialog()

    if ($show -eq "OK") {
        $test = $browse.SelectedPath | Out-String
        $test = $test -replace "`n|`r"
        return $test
    }
}

function Sync-ComboBox
{
<#
    .SYNOPSIS
        This functions helps you load baselines into a ComboBox.
 
    .DESCRIPTION
        Use this function to dynamically load baselines into the ComboBox control.
 
    .PARAMETER ComboBox
        The ComboBox control you want to add items to.
 
    .PARAMETER Items
        The object or objects you wish to load into the ComboBox's Items collection.
 
    .PARAMETER DisplayMember
        Indicates the property to display for the items in this control.
 
    .PARAMETER Append
        Adds the item(s) to the ComboBox without clearing the Items collection.
 
    .EXAMPLE
        Sync-ComboBox -ComboBox $ComboBox1 -Items $baselineNames
 
        Loads baselines into a ComboBox.
 
#>

    [CmdletBinding()]
    Param (
            [ValidateNotNull()]
            [Parameter(Mandatory=$true)]
            [System.Windows.Forms.ComboBox]$ComboBox,
            $Items,
            [string]$DisplayMember,
            [switch]$Append
        )

   if(-not$Append)
    {
        $ComboBox.Items.Clear()
        $ComboBox.text = "No Baselines imported"
    }

    if($Items-is [Object[]])
    {
        $ComboBox.Items.AddRange($Items)
        $ComboBox.text = "Select Baseline"
    }
    elseif ($Items-is [Array])
    {
        $ComboBox.BeginUpdate()
        foreach($obj in $Items)
        {
            $ComboBox.Items.Add($obj)
            $ComboBox.text = "Select Baseline"
        }
        $ComboBox.EndUpdate()
    }
    elseif (![string]::IsNullOrEmpty($Items))
    {
        $ComboBox.Items.Add($Items)
        $ComboBox.text = "Select Baseline"
    }

    $ComboBox.DisplayMember =$DisplayMember
}

function Sync-MitreCheckboxes {

<#
    .SYNOPSIS
    Syncs all Mitre Checkboxes according to the selected baseline.
 
    .DESCRIPTION
    Syncs all Mitre Checkboxes according to the selected baseline.
 
    .PARAMETER BaselineName
    Defines the baseline for which the MITRE ATT&CK Checkboxes should be synced.
 
    .EXAMPLE
    Sync-MitreCheckboxes -BaselineName "SCM Windows 10 - Computer"
 
    Syncs all Mitre Checkboxes according to the selected baseline.
 
#>

    
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
    [CmdletBinding()]
    param (
        [string]$BaselineName
    )

    if (![string]::IsNullOrEmpty($BaselineName)) {

        $query = "select distinct a.area_name as area_name, a.area_id as area_id, a.technique_name as technique_name, a.technique_id as technique_id, b.baseline_name as baseline_name from ( select * from v_mitre_matches_baseline ) a left join ( select * from v_mitre_matches_baseline where baseline_name = '" + $BaselineName + "' ) b on a.technique_id = b.technique_id order by a.area_id, a.technique_name;"
        $results = Invoke-SqliteQuery -Query $Query -DataSource $Database

            $i=0

            foreach ($result in $results) {

                if (($old_area_name) -and ($old_area_name -ne $result.area_name)) {
                    if ($i -eq $cntChecked) {
                        $CheckBoxArea[$old_area_name].checked = $true
                    }
                    else {
                        $CheckBoxArea[$old_area_name].checked = $false
                    }

                    $i = 0
                    $cntChecked = 0
                }

                if (![string]::IsNullOrEmpty($result.baseline_name)) {
                    $CheckBox[$result.area_name].SetItemChecked($i, $true)
                    $cntChecked = $cntChecked + 1
                }
                else {
                    $CheckBox[$result.area_name].SetItemChecked($i, $false)
                }
                $old_area_name = $result.area_name


                $i = $i + 1
            }

    }
}

function Open-GUI {

<#
    .SYNOPSIS
    Opens the EventList GUI.
 
    .DESCRIPTION
    Opens the EventList GUI.
 
    .EXAMPLE
    Open-GUI
 
    Opens the EventList GUI.
 
#>


    $GuiWidth = 1535
    $GuiHeight = 1000

    $ButtonWidth = 200
    $ButtonHeight = 30
    $ButtonXDistance = 215
    $ButtonYDistance = 40

    $ButtonPanelDistance = 1305

    $ComboboxWidth = 420

    $x = 10
    $y = 20 + 60

    $Script:database = "$ModuleRoot\internal\data\EventList.db"

    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.Application]::EnableVisualStyles()


    $Form                            = New-Object system.Windows.Forms.Form
    $Form.ClientSize                 = "$GuiWidth,$GuiHeight"
    $Form.text                       = "EventList"
    $Form.TopMost                    = $false

    #Panel oben mit Baseline Auswahl
    $Panel1                          = New-Object system.Windows.Forms.Panel
    $Panel1.height                   = 50
    $Panel1.width                    = 2000
    $Panel1.BackColor                = "#9b9b9b"
    $Panel1.location                 = New-Object System.Drawing.Point(0,0)

    #Panel an der Seite mit Buttons
    $Panel2                          = New-Object system.Windows.Forms.Panel
    $Panel2.height                   = 2000
    $Panel2.width                    = 235
    $Panel2.BackColor                = "#9b9b9b"
    $Panel2.location                 = New-Object System.Drawing.Point($ButtonPanelDistance,0)

    Add-MitreCheckboxes

    $x = $ButtonPanelDistance + 10
    $y = 60

    $ButtonShowEvts                         = New-Object system.Windows.Forms.Button
    $ButtonShowEvts.BackColor               = "#d5d8d7"
    $ButtonShowEvts.text                    = "Generate Event List"
    $ButtonShowEvts.width                   = $ButtonWidth
    $ButtonShowEvts.height                  = $ButtonHeight
    $ButtonShowEvts.location                = New-Object System.Drawing.Point($x,$y)
    $ButtonShowEvts.Font                    = 'Microsoft Sans Serif,11'
    $Form.controls.AddRange(@($ButtonShowEvts))
    $ButtonShowEvts.Add_Click({
        Get-EventListSelect
     })

    $y = $y + $ButtonYDistance

    $ButtonAgentCfg                         = New-Object system.Windows.Forms.Button
    $ButtonAgentCfg.BackColor               = "#d5d8d7"
    $ButtonAgentCfg.text                    = "Generate Agent Config"
    $ButtonAgentCfg.width                   = $ButtonWidth
    $ButtonAgentCfg.height                  = $ButtonHeight
    $ButtonAgentCfg.location                = New-Object System.Drawing.Point($x,$y)
    $ButtonAgentCfg.Font                    = 'Microsoft Sans Serif,11'
    $Form.controls.AddRange(@($ButtonAgentCfg))
    $ButtonAgentCfg.Add_Click({ Get-AgentConfigSelect })

    $y = $y + $ButtonYDistance

    $ButtonExportQueries                         = New-Object system.Windows.Forms.Button
    $ButtonExportQueries.BackColor               = "#d5d8d7"
    $ButtonExportQueries.text                    = "Generate Queries"
    $ButtonExportQueries.width                   = $ButtonWidth
    $ButtonExportQueries.height                  = $ButtonHeight
    $ButtonExportQueries.location                = New-Object System.Drawing.Point($x,$y)
    $ButtonExportQueries.Font                    = 'Microsoft Sans Serif,11'
    $Form.controls.AddRange(@($ButtonExportQueries))
    $ButtonExportQueries.Add_Click({
        Get-QueriesSelect
    })

    $y = $y + $ButtonYDistance

    $ButtonExportGPO                         = New-Object system.Windows.Forms.Button
    $ButtonExportGPO.BackColor               = "#d5d8d7"
    $ButtonExportGPO.text                    = "Generate GPO"
    $ButtonExportGPO.width                   = $ButtonWidth
    $ButtonExportGPO.height                  = $ButtonHeight
    $ButtonExportGPO.location                = New-Object System.Drawing.Point($x,$y)
    $ButtonExportGPO.Font                    = 'Microsoft Sans Serif,11'
    $Form.controls.AddRange(@($ButtonExportGPO))
    $ButtonExportGPO.Add_Click({ Get-PolicyFromEvents })

    $y = $GuiHeight - 50

    $ButtonExit                         = New-Object system.Windows.Forms.Button
    $ButtonExit.BackColor               = "#C0C0C0"
    $ButtonExit.text                    = "Close"
    $ButtonExit.width                   = $ButtonWidth
    $ButtonExit.height                  = $ButtonHeight
    $ButtonExit.location                = New-Object System.Drawing.Point($x,$y)
    $ButtonExit.Font                    = [System.Drawing.Font]::new("Microsoft Sans Serif", 11, [System.Drawing.FontStyle]::Bold)
    $Form.controls.AddRange(@($ButtonExit))
    $ButtonExit.Add_Click({ Close-Form -Form $Form })

    $Script:ComboBox1                       = New-Object system.Windows.Forms.ComboBox
    $baselineNames = Get-BaselineNamesFromDB
    if ([string]::IsNullOrEmpty($baselineNames)) {
        $ComboBox1.text = "No Baselines imported"
    }
    else {
        $ComboBox1.text = "Select Baseline"
    }


    $ComboBox1.width                 = $ComboboxWidth
    $ComboBox1.height                = 40

    $x = 20
    $y = 10

    Get-BaselineNamesFromDB | ForEach-Object {[void] $ComboBox1.Items.Add($_)}
    $ComboBox1.location              = New-Object System.Drawing.Point($x,($y+2))
    $ComboBox1.Font                  = 'Microsoft Sans Serif,11'

    $ComboBox1.Add_SelectedValueChanged({
        $Script:ComboBox1Value = $ComboBox1.Text
        Sync-MitreCheckboxes -BaselineName $ComboBox1Value
    })

    $Form.controls.AddRange(@($ComboBox1))

    $x = $x + $ComboboxWidth + 15

    $ButtonImportBsl                         = New-Object system.Windows.Forms.Button
    $ButtonImportBsl.BackColor               = "#d5d8d7"
    $ButtonImportBsl.text                    = "Import Baseline(s)"
    $ButtonImportBsl.width                   = $ButtonWidth
    $ButtonImportBsl.height                  = $ButtonHeight
    $ButtonImportBsl.location                = New-Object System.Drawing.Point($x,$y)
    $ButtonImportBsl.Font                    = 'Microsoft Sans Serif,11'
    $Form.controls.AddRange(@($ButtonImportBsl))
    $ButtonImportBsl.Add_Click({
        Get-ImportSelect
    })

    $x = $x + $ButtonXDistance

    $ButtonDelOneBaseline                         = New-Object system.Windows.Forms.Button
    $ButtonDelOneBaseline.BackColor               = "#d5d8d7"
    $ButtonDelOneBaseline.text                    = "Delete baseline(s)"
    $ButtonDelOneBaseline.width                   = $ButtonWidth
    $ButtonDelOneBaseline.height                  = $ButtonHeight
    $ButtonDelOneBaseline.location                = New-Object System.Drawing.Point($x,$y)
    $ButtonDelOneBaseline.Font                    = 'Microsoft Sans Serif,11'
    $Form.controls.AddRange(@($ButtonDelOneBaseline))
    $ButtonDelOneBaseline.Add_Click({
        Get-DeleteBaselineSelect
     })

     $x = $x + $ButtonXDistance

     $ButtonResetCheckboxes                         = New-Object system.Windows.Forms.Button
     $ButtonResetCheckboxes.BackColor               = "#d5d8d7"
     $ButtonResetCheckboxes.text                    = "Reset Checkboxes"
     $ButtonResetCheckboxes.width                   = $ButtonWidth
     $ButtonResetCheckboxes.height                  = $ButtonHeight
     $ButtonResetCheckboxes.location                = New-Object System.Drawing.Point($x,$y)
     $ButtonResetCheckboxes.Font                    = 'Microsoft Sans Serif,11'
     $Form.controls.AddRange(@($ButtonResetCheckboxes))
     $ButtonResetCheckboxes.Add_Click({
         Reset-MitreCheckboxes
     })

     $x = $x + $ButtonXDistance

     $ButtonImportYaml                         = New-Object system.Windows.Forms.Button
     $ButtonImportYaml.BackColor               = "#d5d8d7"
     $ButtonImportYaml.text                    = "YAML Admin"
     $ButtonImportYaml.width                   = $ButtonWidth
     $ButtonImportYaml.height                  = $ButtonHeight
     $ButtonImportYaml.location                = New-Object System.Drawing.Point($x,$y)
     $ButtonImportYaml.Font                    = 'Microsoft Sans Serif,11'
     $Form.controls.AddRange(@($ButtonImportYaml))
     $ButtonImportYaml.Add_Click({
        Get-YamlAdminSelect
     })

     $x = $x + $ButtonXDistance

     $ButtonConfig                         = New-Object system.Windows.Forms.Button
     $ButtonConfig.BackColor               = "#C0C0C0"
     $ButtonConfig.text                    = "Configure EventList"
     $ButtonConfig.width                   = $ButtonWidth
     $ButtonConfig.height                  = $ButtonHeight
     $ButtonConfig.location                = New-Object System.Drawing.Point($x,$y)
     $ButtonConfig.Font                    = [System.Drawing.Font]::new("Microsoft Sans Serif", 11, [System.Drawing.FontStyle]::Bold)
     $Form.controls.AddRange(@($ButtonConfig))
     $ButtonConfig.Add_Click({
        Get-EventListConfigSelect
     })

    Sync-ComboBox -ComboBox $ComboBox1 -Items $baselineNames

    $Form.controls.AddRange(@($Panel1,$Panel2))

    [void]$Form.ShowDialog()

}