mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 01:15:17 +00:00
16 lines
677 B
YAML
16 lines
677 B
YAML
alert:
|
|
- debug
|
|
description: A login from a public IP can indicate a misconfigured firewall or network boundary.
|
|
filter:
|
|
- query:
|
|
query_string:
|
|
query: (data.win.system.eventID:"4625" AND (NOT ((src_ip_addr.keyword:*\-* OR src_ip_addr.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.*) OR src_ip_addr:"\:\:1" OR src_ip_addr.keyword:(fe80\:\:* OR fc00\:\:*)))))
|
|
index: wazuh-alerts-3.x-*
|
|
name: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1_0
|
|
priority: 3
|
|
realert:
|
|
minutes: 0
|
|
type: any
|
|
|
|
|