Added "logsource" sections and new rule

rules/network/net_susp_network_scan.yml

@@ -1,5 +1,7 @@
 title: Network Scans
 description: Detects many failed connection attempts to different ports or hosts
+logsource:
+    type: firewall
 detection:
     selection:
         log: network

rules/web/web_multiple_suspicious_resp_codes_single_source.yml

@@ -1,10 +1,10 @@
 title: Multiple suspicious Response Codes caused by Single Client
 description: Detects possible exploitation activity or bugs in a web application
+author: Thomas Patzke
+logsource:
+    type: webserver
 detection:
     selection:
-        log: 
-          - access.log
-          - error.log
         response:
           - 400
           - 401

rules/web/web_webshell_keyword.yml

@@ -1,10 +1,9 @@
 title: Webshell Detection by Keyword
-description: Detects webshells that use GET requests by keyword sarches in URL strings 
+description: Detects webshells that use GET requests by keyword sarches in URL strings
+author: Florian Roth
+logsource:
+    type: webserver
 detection:
-    selection:
-        log: 
-          - access.log
-          - error.log
     keywords:
         - '=whoami'
         - '=net%20user'

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -1,5 +1,8 @@
 title: Mimikatz Usage
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
+author: Florian Roth
+logsource:
+    - product: windows
 detection:
     selection:
         EventLog:

rules/windows/builtin/win_av_relevant_match.yml

@@ -1,5 +1,8 @@
 title: Relevant Anti-Virus Event
 description: This detection method points out highly relevant Antivirus events
+author: Florian Roth
+logsource:
+    - product: windows
 detection:
     selection:
         EventLog: Application

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -1,13 +1,15 @@
 title: Eventlog Cleared
-description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
+description: One of the Windows Eventlogs has been cleared
+reference: https://twitter.com/deviouspolack/status/832535435960209408
+author: Florian Roth
+logsource:
+    - product: windows
 detection:
     selection:
-        EventLog: Security
-        EventID:
-            - 517
-            - 1102
+        EventLog: System
+        EventID: 104
     condition: selection
 falsepositives:
-    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
-    - System provisioning (system reset before the golden image creation)
-level: high
+    - Unknown
+level: medium
+

rules/windows/builtin/win_susp_failed_logon_reasons.yml

@@ -1,6 +1,8 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
+author: Florian Roth
 logsource:
+    - product: windows
 detection:
     selection:
         EventLog: Security

rules/windows/builtin/win_susp_failed_logons_single_source.yml

@@ -1,5 +1,8 @@
 title: Multiple Failed Logins with Different Accounts from Single Source System
 description: Detects suspicious failed logins with different user accounts from a single source system 
+author: Florian Roth
+logsource:
+    - product: windows
 detection:
     selection:
         EventLog: Security

rules/windows/builtin/win_susp_kerberos_manipulation.yml

@@ -1,5 +1,8 @@
 title: Kerberos Manipulation
 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
+author: Florian Roth
+logsource:
+    - product: windows
 detection:
     selection:
         EventLog: Security

rules/windows/builtin/win_susp_lsass_dump.yml

@@ -2,6 +2,8 @@ title: Password Dumper Activity on LSASS
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN 
 status: experimental
 reference: https://twitter.com/jackcr/status/807385668833968128
+logsource:
+    - product: windows
 detection:
     selection:
         EventLog: Security

rules/windows/builtin/win_susp_rc4_kerberos.yml

@@ -2,6 +2,8 @@ title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
 reference: https://adsecurity.org/?p=3458
 description: Detects logons using RC4 encryption type 
+logsource:
+    - product: windows
 detection:
     selection:
         EventLog: Security

rules/windows/builtin/win_susp_security_eventlog_cleared.yml

@@ -0,0 +1,16 @@
+title: Security Eventlog Cleared
+description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
+author: Florian Roth
+logsource:
+    - product: windows
+detection:
+    selection:
+        EventLog: Security
+        EventID:
+            - 517
+            - 1102
+    condition: selection
+falsepositives:
+    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
+    - System provisioning (system reset before the golden image creation)
+level: high

rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

@@ -2,6 +2,9 @@ title: Mimikatz Detection LSASS Access
 status: experimental
 description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
 reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+logsource:
+    - product: windows
+    - service: Microsoft-Windows-Sysmon
 detection:
     selection:
         - EventLog: Microsoft-Windows-Sysmon/Operational

rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml

@@ -2,6 +2,9 @@ title: Mimikatz In-Memory Detection
 status: experimental
 description: Detects certain DLL loads when Mimikatz gets executed
 reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+logsource:
+    - product: windows
+    - service: sysmon
 detection:
     dllload1:
         EventLog: Microsoft-Windows-Sysmon/Operational

rules/windows/sysmon/sysmon_password_dumper_lsass.yml

@@ -1,6 +1,9 @@
 title: Password Dumper Remote Thread in LSASS 
 description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundrets of events.
-reference: Internal research
+author: Thomas Patzke
+logsource:
+    - product: windows
+    - service: sysmon
 detection:
     selection:
         EventLog: Microsoft-Windows-Sysmon/Operational

rules/windows/sysmon/sysmon_susp_driver_load.yml

@@ -1,5 +1,9 @@
 title: Suspicious Driver Load from Temp
 description: Detetcs a driver load from a temporary directory
+author: Florian Roth
+logsource:
+    - product: windows
+    - service: sysmon
 detection:
     selection:
         EventLog: Microsoft-Windows-Sysmon/Operational

rules/windows/sysmon/sysmon_susp_mmc_source.yml

@@ -2,6 +2,9 @@ title: Proceses created by MMC
 status: experimental
 description: Processes started by MMC could by a sign of lateral movement using MMC application COM object 
 reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+logsource:
+    - product: windows
+    - service: sysmon
 detection:
     selection:
         EventLog: Microsoft-Windows-Sysmon/Operational
@@ -13,4 +16,4 @@ detection:
     condition: selection and not exclusion
 falsepositives:
     - unknown
-level: high
+level: medium

rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml

@@ -1,5 +1,9 @@
 title: Java running with Remote Debugging
 description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect
+author: Florian Roth
+logsource:
+    - product: windows
+    - service: sysmon
 detection:
     selection:
         EventLog: Microsoft-Windows-Sysmon/Operational

rules/windows/sysmon/sysmon_webshell_detection.yml

@@ -1,5 +1,9 @@
 title: Webshell Detection With Command Line Keywords 
-description: Detects certain command line parameters often used during reconnissaince activity via web shells  
+description: Detects certain command line parameters often used during reconnissaince activity via web shells
+author: Florian Roth
+logsource:
+    - product: windows
+    - service: sysmon
 detection:
     selection:
         EventLog: Microsoft-Windows-Sysmon/Operational

rules/windows/sysmon/sysmon_webshell_spawn.yml

@@ -1,6 +1,10 @@
 title: Shells spawned by Web Servers
 status: experimental
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
+author: Thomas Patzke
+logsource:
+    - product: windows
+    - service: sysmon
 detection:
     selection:
         EventLog: Microsoft-Windows-Sysmon/Operational