CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-07 09:42:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Automated update

Browse Source
This commit is contained in:
github-actions[bot]
2025-03-16 10:12:15 +00:00
parent a3bd7c512c
commit 03360185b7
1 changed files with 138 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

276
config/security_rules.json
View File

@@ -105,8 +105,8 @@
"id": "60d768ca-33e8-4f34-b967-14fd7aa18a22",
"level": "informational",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Task Created"
},
@@ -441,8 +441,8 @@
"id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "User Guessing"
},
@@ -564,8 +564,8 @@
"id": "5b0b75dc-9190-4047-b9a8-14164cee8a31",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Incorrect Password"
},
@@ -910,8 +910,8 @@
"id": "5b6e58ee-c231-4a54-9eee-af2577802e08",
"level": "medium",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030"
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Process Ran With High Privilege"
},
@@ -1117,10 +1117,10 @@
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "ScreenConnect User Database Modification - Security"
},
@@ -1142,13 +1142,13 @@
{
"channel": "sec",
"event_ids": [
"4727",
"4731",
"4756",
"4728",
"4737",
"4754",
"4755"
"4728",
"4755",
"4756",
"4731",
"4727"
],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high",
@@ -1261,8 +1261,8 @@
"id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Kapeka Backdoor Scheduled Task Creation"
},
@@ -1767,10 +1767,10 @@
"id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-23397 Exploitation Attempt"
},
@@ -1886,8 +1886,8 @@
"id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
"level": "critical",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Diamond Sleet APT Scheduled Task Creation"
},
@@ -1955,8 +1955,8 @@
"channel": "sec",
"event_ids": [
"4702",
"4698",
"4699"
"4699",
"4698"
],
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high",
@@ -2769,18 +2769,18 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663",
"5145",
"4656"
"5145"
],
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "BlueSky Ransomware Artefacts"
},
@@ -3161,8 +3161,8 @@
"id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Potential Pass the Hash Activity"
},
@@ -3181,8 +3181,8 @@
{
"channel": "sec",
"event_ids": [
"4964",
"4672"
"4672",
"4964"
],
"id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
"level": "low",
@@ -3195,9 +3195,9 @@
"channel": "sec",
"event_ids": [
"4625",
"528",
"4624",
"529"
"529",
"528"
],
"id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium",
@@ -16355,8 +16355,8 @@
"id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
"level": "low",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Scheduled Task Deletion"
},
@@ -16368,10 +16368,10 @@
"id": "7619b716-8052-6323-d9c7-87923ef591e6",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Access To Browser Credential Files By Uncommon Applications - Security"
},
@@ -18651,10 +18651,10 @@
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "ISO Image Mounted"
},
@@ -18666,8 +18666,8 @@
"id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Creation"
},
@@ -18699,8 +18699,8 @@
{
"channel": "sec",
"event_ids": [
"4738",
"4765",
"4738",
"4766"
],
"id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
@@ -18760,10 +18760,10 @@
{
"channel": "sec",
"event_ids": [
"4768",
"675",
"4769",
"4771",
"4768"
"4769"
],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
"level": "high",
@@ -18886,8 +18886,8 @@
{
"channel": "sec",
"event_ids": [
"5136",
"4742"
"4742",
"5136"
],
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium",
@@ -18900,16 +18900,16 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious AccessMask Requested From LSASS"
},
@@ -18935,9 +18935,9 @@
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Monitoring Agent Registry Keys Access"
},
@@ -18986,8 +18986,8 @@
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Persistence and Execution at Scale via GPO Scheduled Task"
},
@@ -19088,30 +19088,30 @@
{
"channel": "sec",
"event_ids": [
"4776",
"4625"
"4625",
"4776"
],
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Account Tampering - Suspicious Failed Logon Reasons"
},
{
"channel": "sec",
"event_ids": [
"4663",
"4657"
"4657",
"4663"
],
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Channel Reference Deletion"
@@ -19120,16 +19120,16 @@
"channel": "sec",
"event_ids": [
"4656",
"4663",
"4657"
"4657",
"4663"
],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Processes Accessing the Microphone and Webcam"
},
@@ -19142,9 +19142,9 @@
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SysKey Registry Keys Access"
@@ -19181,8 +19181,8 @@
"id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon From Public IP"
},
@@ -19194,8 +19194,8 @@
"id": "232ecd79-c09d-1323-8e7e-14322b766855",
"level": "high",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
},
@@ -19323,8 +19323,8 @@
{
"channel": "sec",
"event_ids": [
"634",
"4730"
"4730",
"634"
],
"id": "ae7d8d1c-f75b-d952-e84e-a7981b861590",
"level": "low",
@@ -19367,10 +19367,10 @@
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "WCE wceaux.dll Access"
},
@@ -19395,8 +19395,8 @@
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Teams Application Related ObjectAcess Event"
@@ -19421,8 +19421,8 @@
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
"level": "high",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Update"
},
@@ -19592,10 +19592,10 @@
"level": "medium",
"subcategory_guids": [
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -19631,10 +19631,10 @@
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "SAM Registry Hive Handle Request"
},
@@ -19655,8 +19655,8 @@
{
"channel": "sec",
"event_ids": [
"4898",
"4899"
"4899",
"4898"
],
"id": "3a655a7c-a830-77ad-fc8b-f054fb713304",
"level": "low",
@@ -19673,8 +19673,8 @@
"id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
"level": "high",
"subcategory_guids": [
"0CCE923B-69AE-11D9-BED3-505054503030",
"0CCE9220-69AE-11D9-BED3-505054503030"
"0CCE9220-69AE-11D9-BED3-505054503030",
"0CCE923B-69AE-11D9-BED3-505054503030"
],
"title": "Reconnaissance Activity"
},
@@ -19705,8 +19705,8 @@
{
"channel": "sec",
"event_ids": [
"5447",
"5441"
"5441",
"5447"
],
"id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
"level": "high",
@@ -19888,9 +19888,9 @@
{
"channel": "sec",
"event_ids": [
"4624",
"4776",
"4625",
"4624"
"4625"
],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high",
@@ -19982,10 +19982,10 @@
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Access From Non System Account"
},
@@ -20019,10 +20019,10 @@
"id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Handle Failure"
},
@@ -20082,9 +20082,9 @@
"id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Service Registry Key Read Access Request"
@@ -20132,8 +20132,8 @@
{
"channel": "sec",
"event_ids": [
"5447",
"5449"
"5449",
"5447"
],
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high",
@@ -20163,24 +20163,24 @@
"id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
"level": "high",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030"
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
},
{
"channel": "sec",
"event_ids": [
"4776",
"4624",
"4625"
"4625",
"4776"
],
"id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Hacktool Ruler"
},
@@ -20211,8 +20211,8 @@
{
"channel": "sec",
"event_ids": [
"4781",
"4720"
"4720",
"4781"
],
"id": "ec77919c-1169-6640-23e7-91c6f27ddc91",
"level": "medium",
@@ -20229,10 +20229,10 @@
"id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Password Dumper Activity on LSASS"
},
@@ -20287,8 +20287,8 @@
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Service Agents Registry Keys Access"
},
@@ -20376,8 +20376,8 @@
{
"channel": "sec",
"event_ids": [
"4905",
"4904"
"4904",
"4905"
],
"id": "00f253a0-1035-e450-7f6e-e2291dee27ec",
"level": "informational",
@@ -21275,12 +21275,12 @@
{
"channel": "sec",
"event_ids": [
"4729",
"633",
"632",
"4728",
"634",
"4730",
"634"
"4729",
"4728",
"632",
"633"
],
"id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low",
@@ -21594,8 +21594,8 @@
{
"channel": "sec",
"event_ids": [
"4698",
"4702",
"4698",
"4624"
],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
@@ -21627,8 +21627,8 @@
"id": "84202b5b-54c1-473b-4568-e10da23b3eb8",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Multiple Users Failing to Authenticate from Single Process"
},
@@ -21699,10 +21699,10 @@
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Stored Credentials in Fake Files"
},
@@ -21746,14 +21746,14 @@
{
"channel": "sec",
"event_ids": [
"4625",
"529"
"529",
"4625"
],
"id": "428d3964-3241-1ceb-8f93-b31d8490c822",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logins with Different Accounts from Single Source System"
},
@@ -21765,10 +21765,10 @@
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Multiple File Rename Or Delete Occurred"
},
@@ -22184,8 +22184,8 @@
"channel": "sec",
"event_ids": [
"13",
"4657",
"12"
"12",
"4657"
],
"id": "46595663-e666-c413-ccf4-028a618ca712",
"level": "critical",