SigmaHQ/tools/config/logpoint-windows-all.yml
Thomas Patzke a3e02ea70f Various rule fixes
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00


# Sigma backend configuration for LogPoint (Windows log sources).
# logsources: maps a rule's product/service to the LogPoint search conditions
# that select the matching event source.
logsources:
  windows-security:
    product: windows
    service: security
    conditions:
      event_source: 'Microsoft-Windows-Security-Auditing'
  windows-system:
    product: windows
    service: system
    conditions:
      event_source: 'Microsoft-Windows-Security-Auditing'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      event_source: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
# fieldmappings: translates Sigma rule field names to LogPoint field names.
# A plain string is a one-to-one rename. A nested mapping is conditional: the
# 'EventID=<n>' key matching the rule's EventID is used, otherwise 'default'.
# A list of several target fields expands to an OR over those fields.
fieldmappings:
  EventID: event_id
  FailureCode: result_code
  GroupName: group_name
  KeyLength: key_length
  LogonProcessName: logon_process
  LogonType: logon_type
  ServiceName: service
  SubjectAccountName:
    EventID=4611:
      - user
    EventID=4624:
      - target_user
      - caller_user
    EventID=4625:
      - target_user
      - caller_user
    EventID=4634:
      - user
    EventID=4648:
      - target_user
      - caller_user
    EventID=4662:
      - user
    EventID=4672:
      - user
    EventID=4688:
      - user
    EventID=4719:
      - user
    EventID=4720:
      - target_user
      - caller_user
    EventID=4722:
      - target_user
      - caller_user
    EventID=4723:
      - target_user
      - caller_user
    EventID=4724:
      - target_user
      - caller_user
    EventID=4728:
      - user
      - member
    EventID=4729:
      - user
      - member
    EventID=4731:
      - user
    EventID=4732:
      - user
      - member
    EventID=4735:
      - user
    EventID=4737:
      - user
    EventID=4738:
      - target_user
      - caller_user
    EventID=4740:
      - target_user
      - caller_user
    EventID=4742:
      - target_user
      - caller_user
    EventID=4755:
      - user
    EventID=4756:
      - user
      - member
    EventID=4757:
      - user
      - member
    EventID=4767:
      - target_user
      - caller_user
    EventID=4768:
      - user
    EventID=4769:
      - user
    EventID=4770:
      - user
    EventID=4771:
      - user
    EventID=4774:
      - user
    EventID=4776:
      - user
    EventID=4781:
      - target_user
      - caller_user
    EventID=4904:
      - user
    EventID=4905:
      - user
    EventID=5061:
      - user
    EventID=5136:
      - user
    EventID=5137:
      - user
    default:
      - caller_user
      - target_user
      - user
      - member
  TicketOptions: ticket_options
  # Key spelling fixed (was 'TicketEnctyption', which no rule field would match);
  # the rules renamed in this commit use TicketEncryptionType.
  TicketEncryptionType: ticket_encryption
  Type: event_type
  UserName:
    default:
      - caller_user
      - target_user
      - user
      - member
  SourceWorkstation: workstation
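As an added illustration of how the EventID-conditional field mappings in this config are resolved (example code, not part of this file and not sigmac's own implementation): a minimal resolver that embeds a constructed subset of the fieldmappings above and translates a flat Sigma selection into a simplified LogPoint-style query, where a field mapped to several target fields expands to an OR.

```python
# Illustrative resolver for Sigma field mappings with EventID conditions.
# Not sigmac's code; the query syntax (implicit AND, field="value") is simplified.

# Constructed subset of the fieldmappings section of logpoint-windows-all.yml.
FIELDMAPPINGS = {
    "EventID": "event_id",
    "LogonType": "logon_type",
    "TicketEncryptionType": "ticket_encryption",
    "SubjectAccountName": {
        "EventID=4624": ["target_user", "caller_user"],
        "EventID=4688": ["user"],
        "default": ["caller_user", "target_user", "user", "member"],
    },
}


def resolve_field(field, event_id, mappings=FIELDMAPPINGS):
    """Return the backend field names a rule field maps to for a given EventID.

    A string mapping is a plain rename; a nested mapping selects the
    'EventID=<n>' entry and falls back to 'default'; an unmapped field is
    passed through unchanged.
    """
    mapping = mappings.get(field, field)
    if isinstance(mapping, str):
        return [mapping]
    key = f"EventID={event_id}" if event_id is not None else "default"
    return list(mapping.get(key, mapping.get("default", [field])))


def translate(detection, mappings=FIELDMAPPINGS):
    """Translate a flat Sigma selection (field -> value) into an AND of terms;
    a field with several target fields becomes a parenthesised OR."""
    event_id = detection.get("EventID")
    terms = []
    for field, value in detection.items():
        alternatives = [f'{t}="{value}"' for t in resolve_field(field, event_id, mappings)]
        terms.append(alternatives[0] if len(alternatives) == 1
                     else "(" + " OR ".join(alternatives) + ")")
    return " ".join(terms)


if __name__ == "__main__":
    # Same rule field, different EventID: 4688 maps to 'user', 4624 to two fields.
    print(translate({"EventID": 4688, "SubjectAccountName": "SYSTEM"}))
    print(translate({"EventID": 4624, "SubjectAccountName": "SYSTEM", "LogonType": 3}))
```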