SigmaHQ/rules/windows/builtin/win_susp_eventlog_cleared.yml
Thomas Patzke 88270fcf2d Rule review and cleanup
* removed unnecessary one-element lists from definitions
* converted some lists of one-element maps to maps because the resulting
  OR linkage would cause a wrong result.
2017-02-15 23:53:08 +01:00

14 lines
462 B
YAML

title: Eventlog Cleared
description: Some threat groups tend to delete the local 'Security' Eventlog using certain utilities
detection:
    selection:
        EventLog: Security
        EventID:
            - 517
            - 1102
    condition: selection
falsepositives:
    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
    - System provisioning (system reset before the golden image creation)
level: 70
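The commit message's point is how Sigma links selection fields: inside one map every key must match (AND), a list of values under a key is an OR, and a list of one-element maps makes the maps themselves OR-linked. The following is an added example, not code from the SigmaHQ repository or the Sigma project, that implements those selection semantics in plain Python, transcribes this rule as a dict, and evaluates it against constructed Windows event records (the event records, the `Computer` values and the `OR_LINKED_SELECTION` variant are assumptions made for the example).

```python
"""Sigma selection semantics over constructed Windows event records.

Added example; not part of the SigmaHQ rule or the Sigma project.
RULE is the page's rule transcribed as a dict; EVENTS are constructed
samples, not real logs.
"""

RULE = {
    "title": "Eventlog Cleared",
    "detection": {
        "selection": {
            "EventLog": "Security",
            "EventID": [517, 1102],  # 517 pre-Vista, 1102 Vista and later
        },
        "condition": "selection",
    },
}


def field_matches(expected, actual):
    """A list of expected values is an OR; a scalar must equal exactly."""
    if isinstance(expected, list):
        return any(str(v) == str(actual) for v in expected)
    return str(expected) == str(actual)


def map_matches(selection_map, event):
    """Every key of a map must match (AND); a missing field never matches."""
    return all(
        key in event and field_matches(value, event[key])
        for key, value in selection_map.items()
    )


def selection_matches(selection, event):
    """A map is AND-linked; a list of maps is OR-linked (any one suffices)."""
    if isinstance(selection, list):
        return any(map_matches(m, event) for m in selection)
    return map_matches(selection, event)


def evaluate(rule, event):
    """Only the trivial condition 'selection' is supported, as in this rule."""
    detection = rule["detection"]
    if detection["condition"] != "selection":
        raise ValueError("unsupported condition: %s" % detection["condition"])
    return selection_matches(detection["selection"], event)


# Constructed sample events (assumed values, not real logs).
EVENTS = [
    {"EventLog": "Security", "EventID": 1102, "Computer": "ws01"},
    {"EventLog": "Security", "EventID": 517, "Computer": "ws02"},
    {"EventLog": "System", "EventID": 1102, "Computer": "ws03"},
    {"EventLog": "Security", "EventID": 4624, "Computer": "ws04"},
]

# The shape the commit removed: the same two fields as a list of one-element
# maps. They become OR-linked, so a 1102 in any log, or any Security event
# at all, would fire.  (Hypothetical variant for illustration.)
OR_LINKED_SELECTION = [{"EventLog": "Security"}, {"EventID": [517, 1102]}]


def alerts(rule=RULE, events=EVENTS):
    """Hosts on which the page's rule (map selection, AND) fires."""
    return [e["Computer"] for e in events if evaluate(rule, e)]


def or_linked_alerts(events=EVENTS):
    """Hosts on which the list-of-maps variant (OR) would fire."""
    return [e["Computer"] for e in events
            if selection_matches(OR_LINKED_SELECTION, e)]


if __name__ == "__main__":
    print("map selection (AND):", alerts())            # ws01, ws02
    print("list-of-maps selection (OR):", or_linked_alerts())  # all four
```

Running it shows the map form firing only on the two genuine Security-log clears (ws01, ws02), while the list-of-maps form also fires on a System-log 1102 and on an ordinary 4624 logon, which is the false-positive behaviour the cleanup commit was avoiding.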