Gist: sasqwatch/43289ecace12d3225ad6de05af3ad220
# Build a WDAC/Device Guard whitelist policy from the drivers that triggered Code Integrity
# audit events (Event ID 3076) while a deny-all policy was running in audit mode.
# Requires the ConfigCI module (Get-SystemDriver, New-CIPolicyRule, Merge-CIPolicy, ConvertFrom-CIPolicy).

# Create a temp dir in which to copy the drivers to whitelist
mkdir ScanMe

Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' | ForEach-Object {
    # Property 1 of a 3076 event holds the path of the file that failed the policy check
    $DriverPath = $_.Properties[1].Value

    # Normalize the paths: the event log reports NT device paths or System32-relative paths.
    # HarddiskVolume4 is the NT device name of C: on the author's machine; the number differs per system.
    switch -Wildcard ($DriverPath) {
        '\Device\HarddiskVolume4\*' { $DriverPath = "C:\$($DriverPath.Replace('\Device\HarddiskVolume4\', ''))" }
        'System32*'                 { $DriverPath = "C:\Windows\$DriverPath" }
    }

    # Copy each driver to the new directory. We'll build the new policy rules from the drivers in here.
    Copy-Item -Path $DriverPath -Destination ScanMe
}

# Scan the copied drivers and collect their signer information
$NewDrivers = Get-SystemDriver -ScanPath .\ScanMe\ -NoShadowCopy

# Build policy rules based on those drivers: prefer WHQL file-publisher rules, fall back to plain file-publisher rules
$NewDriverRules = New-CIPolicyRule -DriverFiles $NewDrivers -Level WHQLFilePublisher -Fallback FilePublisher

# Merge the original blank (deny-all, audit-mode) policy with the new rules.
# Default_Deny_All_Audit_Drivers.xml is the author's starting policy and is not included in the gist.
Merge-CIPolicy -OutputFilePath WhitelistPolicyDevRound1.xml -PolicyPaths Default_Deny_All_Audit_Drivers.xml -Rules $NewDriverRules

# Compile the merged XML policy into the binary form that Code Integrity loads at boot
ConvertFrom-CIPolicy -XmlFilePath WhitelistPolicyDevRound1.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
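The `\Device\HarddiskVolume4\` rewrite above is tied to one machine. As an added example that is not part of the gist, the following helper resolves any `\Device\HarddiskVolumeN\` prefix to its drive letter with the Win32 `QueryDosDevice` API, de-duplicates the paths from the 3076 events, and lists files that are missing or not validly signed for manual review instead of copying them into the scan directory. It assumes, as the gist does, that `Properties[1]` of a 3076 event is the file path; the function and variable names are my own.

```powershell
# Added example (not from the gist): resolve NT device paths from CodeIntegrity 3076 events
# to drive-letter paths before copying drivers into the scan directory.
$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

# Map each mounted drive letter to its NT device name, e.g. 'C:' -> '\Device\HarddiskVolume4'
$DeviceToDrive = @{}
foreach ($Drive in Get-PSDrive -PSProvider FileSystem) {
    $Target = New-Object System.Text.StringBuilder 260
    if ($Kernel32::QueryDosDevice("$($Drive.Name):", $Target, $Target.Capacity) -gt 0) {
        $DeviceToDrive[$Target.ToString()] = "$($Drive.Name):"
    }
}

# Hypothetical helper: turn an event-log path into a normal Win32 path
function Resolve-CIEventPath {
    param([string]$RawPath)
    if ($RawPath -match '^(\\Device\\HarddiskVolume\d+)(\\.*)$' -and $DeviceToDrive.ContainsKey($Matches[1])) {
        return $DeviceToDrive[$Matches[1]] + $Matches[2]
    }
    if ($RawPath -like 'System32\*') {
        return Join-Path $env:SystemRoot $RawPath
    }
    return $RawPath
}

# Collect unique driver paths from the audit events, then copy only files that exist and carry a
# valid Authenticode or catalog signature; everything else is reported for manual review rather
# than silently whitelisted.
$ScanDir = New-Item -ItemType Directory -Path ScanMe -Force
$Paths = Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' |
    ForEach-Object { Resolve-CIEventPath $_.Properties[1].Value } |
    Sort-Object -Unique

$NeedsReview = foreach ($Path in $Paths) {
    if (-not (Test-Path -LiteralPath $Path)) { "$Path : file not found"; continue }
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    if ($Sig.Status -ne 'Valid') { "$Path : signature $($Sig.Status)"; continue }
    Copy-Item -LiteralPath $Path -Destination $ScanDir.FullName
}
$NeedsReview
```

Run it from the same working directory as the gist script; the files that end up in `ScanMe` feed `Get-SystemDriver` exactly as before, while the `$NeedsReview` list is what you inspect before deciding whether any of those files belong in the policy.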