valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
80e8f0e5fa
SigmaHQ/rules/compliance/group_modification_logging.yml
Thomas Patzke 0592cbb67a Added UUIDs to rules
2019-11-12 23:12:27 +01:00

62 lines
2.4 KiB
YAML
Raw Blame History

title: Group Modification Logging
id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
\ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
. Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
\ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
author: Alexandr Yampolskyi, SOC Prime
status: stable
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
date: 2019/03/26
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4728
- 4729
- 4730
- 633
- 632
- 634
condition: selection
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.8
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
Reference in New Issue View Git Blame Copy Permalink