valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Further improved Windows user creation rule

Browse Source 
* Decreased level
* Fixed field names
* Added false positive possibility
This commit is contained in:
Thomas Patzke 2019-04-21 23:54:18 +02:00
parent 80f45349ed
commit 765fe9dcd9
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
rules/windows/builtin/win_user_creation.yml
View File

@ -16,10 +16,11 @@ detection:
condition: selection
fields:
- EventCode
- Account_Name
- Account_Domain
- AccountName
- AccountDomain
falsepositives:
- Domain Controller Logs
level: high
- Local accounts managed by privileged account management tools
level: low