diff --git a/config/security_rules.json b/config/security_rules.json index a4bf127e..e196aabb 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -105,8 +105,8 @@ "id": "60d768ca-33e8-4f34-b967-14fd7aa18a22", "level": "informational", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Task Created" }, @@ -118,8 +118,8 @@ "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4", "level": "informational", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Task Deleted" }, @@ -503,8 +503,8 @@ "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", "level": "low", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Unknown Reason)" }, @@ -675,8 +675,8 @@ "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "PW Guessing" }, @@ -1043,8 +1043,8 @@ "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a", "level": "medium", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Defrag Deactivation - Security" }, @@ -1117,9 +1117,9 @@ "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" @@ -1132,23 +1132,23 @@ "id": "74d067bc-3f42-3855-c13d-771d589cf11c", "level": "critical", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, { "channel": "sec", "event_ids": [ - "4756", - "4755", "4731", + "4727", + "4755", "4728", "4737", - "4727", - "4754" + "4754", + "4756" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "level": "high", @@ -1767,10 +1767,10 @@ "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "level": "critical", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, @@ -1886,8 +1886,8 @@ "id": "05731ce3-cfda-dbba-3792-c17794a22cf7", "level": "critical", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Diamond Sleet APT Scheduled Task Creation" }, @@ -1961,8 +1961,8 @@ "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", "level": "high", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" }, @@ -2769,18 +2769,18 @@ { "channel": "sec", "event_ids": [ - "4663", "5145", + "4663", "4656" ], "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "BlueSky Ransomware Artefacts" }, @@ -3155,14 +3155,14 @@ { "channel": "sec", "event_ids": [ - "4624", - "4625" + "4625", + "4624" ], "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Potential Pass the Hash Activity" }, @@ -3181,8 +3181,8 @@ { "channel": "sec", "event_ids": [ - "4964", - "4672" + "4672", + "4964" ], "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", "level": "low", @@ -3194,16 +3194,16 @@ { "channel": "sec", "event_ids": [ - "528", "4625", "529", + "528", "4624" ], "id": "7298c707-7564-3229-7c76-ec514847d8c2", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Interactive Logon to Server Systems" }, @@ -16368,10 +16368,10 @@ "id": "7619b716-8052-6323-d9c7-87923ef591e6", "level": "low", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" }, @@ -18651,9 +18651,9 @@ "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ISO Image Mounted" @@ -18666,8 +18666,8 @@ "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Creation" }, @@ -18699,9 +18699,9 @@ { "channel": "sec", "event_ids": [ - "4738", + "4765", "4766", - "4765" + "4738" ], "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", "level": "medium", @@ -18730,8 +18730,8 @@ "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7", "level": "medium", "subcategory_guids": [ - "0CCE9229-69AE-11D9-BED3-505054503030", - "0CCE9228-69AE-11D9-BED3-505054503030" + "0CCE9228-69AE-11D9-BED3-505054503030", + "0CCE9229-69AE-11D9-BED3-505054503030" ], "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, @@ -18760,8 +18760,8 @@ { "channel": "sec", "event_ids": [ - "4768", "4771", + "4768", "4769", "675" ], @@ -18892,24 +18892,24 @@ "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433", "level": "medium", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9236-69AE-11D9-BED3-505054503030" + "0CCE9236-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Possible DC Shadow Attack" }, { "channel": "sec", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, @@ -18928,15 +18928,15 @@ { "channel": "sec", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "321196fe-fb10-6b13-c611-3dfe40baa1af", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" @@ -18980,8 +18980,8 @@ { "channel": "sec", "event_ids": [ - "5145", - "5136" + "5136", + "5145" ], "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", @@ -19095,8 +19095,8 @@ "level": "medium", "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" }, @@ -19109,9 +19109,9 @@ "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" @@ -19119,9 +19119,9 @@ { "channel": "sec", "event_ids": [ + "4657", "4663", - "4656", - "4657" + "4656" ], "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "level": "medium", @@ -19136,16 +19136,16 @@ { "channel": "sec", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "63308dbe-54a4-9c70-cc90-6d15e10f3505", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "SysKey Registry Keys Access" }, @@ -19194,8 +19194,8 @@ "id": "232ecd79-c09d-1323-8e7e-14322b766855", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -19214,8 +19214,8 @@ { "channel": "sec", "event_ids": [ - "4729", - "633" + "633", + "4729" ], "id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c", "level": "low", @@ -19361,16 +19361,16 @@ { "channel": "sec", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, @@ -19395,9 +19395,9 @@ "level": "high", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" }, @@ -19421,8 +19421,8 @@ "id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Update" }, @@ -19441,8 +19441,8 @@ { "channel": "sec", "event_ids": [ - "4647", - "4634" + "4634", + "4647" ], "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", "level": "informational", @@ -19584,16 +19584,16 @@ { "channel": "sec", "event_ids": [ - "4658", + "4663", "4656", - "4663" + "4658" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9223-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], @@ -19631,10 +19631,10 @@ "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "SAM Registry Hive Handle Request" }, @@ -19647,8 +19647,8 @@ "id": "bc613d09-5a80-cad3-6f65-c5020f960511", "level": "medium", "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE923C-69AE-11D9-BED3-505054503030" + "0CCE923C-69AE-11D9-BED3-505054503030", + "0CCE9244-69AE-11D9-BED3-505054503030" ], "title": "Startup/Logon Script Added to Group Policy Object" }, @@ -19705,8 +19705,8 @@ { "channel": "sec", "event_ids": [ - "5447", - "5441" + "5441", + "5447" ], "id": "4d56e133-40b5-5b28-07b5-bab0913fc338", "level": "high", @@ -19895,8 +19895,8 @@ "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Metasploit SMB Authentication" @@ -19983,8 +19983,8 @@ "level": "medium", "subcategory_guids": [ "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" @@ -20019,10 +20019,10 @@ "id": "474caaa9-3115-c838-1509-59ffb6caecfc", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, @@ -20082,34 +20082,34 @@ "id": "d1909400-93d7-de3c-ba13-153c64499c7c", "level": "low", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Service Registry Key Read Access Request" }, { "channel": "sec", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "777523b0-14f8-1ca2-12c9-d668153661ff", "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { "channel": "sec", "event_ids": [ - "4899", - "4898" + "4898", + "4899" ], "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", "level": "high", @@ -20121,8 +20121,8 @@ { "channel": "sec", "event_ids": [ - "1102", - "517" + "517", + "1102" ], "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9", "level": "high", @@ -20171,15 +20171,15 @@ { "channel": "sec", "event_ids": [ - "4776", "4625", + "4776", "4624" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", "level": "high", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Hacktool Ruler" @@ -20229,10 +20229,10 @@ "id": "d81faa44-ff28-8f61-097b-92727b8af44b", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" }, @@ -20271,23 +20271,23 @@ "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "level": "high", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9235-69AE-11D9-BED3-505054503030" + "0CCE9235-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Active Directory User Backdoors" }, { "channel": "sec", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Service Agents Registry Keys Access" @@ -20363,8 +20363,8 @@ { "channel": "sec", "event_ids": [ - "4743", - "4741" + "4741", + "4743" ], "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", "level": "low", @@ -20478,8 +20478,8 @@ "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Deleted" @@ -21276,10 +21276,10 @@ "channel": "sec", "event_ids": [ "632", - "634", - "4729", "4730", + "634", "633", + "4729", "4728" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", @@ -21594,16 +21594,16 @@ { "channel": "sec", "event_ids": [ + "4624", "4698", - "4702", - "4624" + "4702" ], "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, @@ -21640,8 +21640,8 @@ "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", "level": "low", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Rare Schtasks Creations" }, @@ -21699,10 +21699,10 @@ "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, @@ -21765,10 +21765,10 @@ "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -22183,8 +22183,8 @@ { "channel": "sec", "event_ids": [ - "13", "4657", + "13", "12" ], "id": "46595663-e666-c413-ccf4-028a618ca712",