Automated update

2025-12-21 16:33:09 +01:00 · 2025-03-14 14:04:15 +00:00
parent f2ec67e0ab
commit bf81d5f652
1 changed files with 159 additions and 159 deletions
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -411,8 +411,8 @@
    "id": "4574194d-e7ca-4356-a95c-21b753a1787e",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "User Guessing"
  },
@@ -424,8 +424,8 @@
    "id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "Failed Logon - Non-Existent User"
  },
@@ -559,8 +559,8 @@
    "id": "8afa97ce-a217-4f7c-aced-3e320a57756d",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Logon Failure (User Does Not Exist)"
  },
@@ -620,8 +620,8 @@
    "id": "e87bd730-df45-4ae9-85de-6c75369c5d29",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9215-69AE-11D9-BED3-505054503030",
+      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Logon Failure (Wrong Password)"
  },
@@ -1013,8 +1013,8 @@
    "id": "e4c7a334-7ecb-ef93-85dd-49185891fb7a",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Defrag Deactivation - Security"
  },
@@ -1102,23 +1102,23 @@
    "id": "74d067bc-3f42-3855-c13d-771d589cf11c",
    "level": "critical",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security"
  },
  {
    "channel": "sec",
    "event_ids": [
      "4737",
      "4754",
      "4755",
      "4756",
      "4727",
      "4728",
-      "4756",
+      "4731"
      "4754",
      "4731",
      "4737",
      "4755"
    ],
    "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
    "level": "high",
@@ -1231,8 +1231,8 @@
    "id": "fa0084fc-2105-cdc9-c7c1-1752bbb2e4d2",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Kapeka Backdoor Scheduled Task Creation"
  },
@@ -1731,16 +1731,16 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4663",
+      "4656",
-      "4656"
+      "4663"
    ],
    "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
    "level": "critical",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030"
+      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "CVE-2023-23397 Exploitation Attempt"
  },
@@ -1836,8 +1836,8 @@
    "id": "05731ce3-cfda-dbba-3792-c17794a22cf7",
    "level": "critical",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Diamond Sleet APT Scheduled Task Creation"
  },
@@ -1911,8 +1911,8 @@
    "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
  },
@@ -2700,17 +2700,17 @@
    "channel": "sec",
    "event_ids": [
      "5145",
-      "4656",
+      "4663",
-      "4663"
+      "4656"
    ],
    "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
    "level": "high",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9244-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE9244-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "BlueSky Ransomware Artefacts"
  },
@@ -3065,14 +3065,14 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4624",
+      "4625",
-      "4625"
+      "4624"
    ],
    "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "Potential Pass the Hash Activity"
  },
@@ -3091,8 +3091,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4672",
+      "4964",
-      "4964"
+      "4672"
    ],
    "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1",
    "level": "low",
@@ -3106,8 +3106,8 @@
    "event_ids": [
      "528",
      "4625",
-      "4624",
+      "529",
-      "529"
+      "4624"
    ],
    "id": "7298c707-7564-3229-7c76-ec514847d8c2",
    "level": "medium",
@@ -16165,8 +16165,8 @@
    "id": "68d6fb03-e325-2ed1-a429-abac7adf7ba3",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9226-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030"
+      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Scheduled Task Deletion"
  },
@@ -16178,10 +16178,10 @@
    "id": "7619b716-8052-6323-d9c7-87923ef591e6",
    "level": "low",
    "subcategory_guids": [
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030"
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "Access To Browser Credential Files By Uncommon Applications - Security"
  },
@@ -16522,8 +16522,8 @@
    "level": "medium",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "ISO Image Mounted"
@@ -16561,17 +16561,17 @@
    "id": "1085e6d3-6691-5713-42ba-ba8933a6b2d0",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9210-69AE-11D9-BED3-505054503030",
+      "69979849-797A-11D9-BED3-505054503030",
-      "69979849-797A-11D9-BED3-505054503030"
+      "0CCE9210-69AE-11D9-BED3-505054503030"
    ],
    "title": "Unauthorized System Time Modification"
  },
  {
    "channel": "sec",
    "event_ids": [
      "4765",
      "4766",
-      "4738",
+      "4738"
      "4765"
    ],
    "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad",
    "level": "medium",
@@ -16600,8 +16600,8 @@
    "id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9229-69AE-11D9-BED3-505054503030",
+      "0CCE9228-69AE-11D9-BED3-505054503030",
-      "0CCE9228-69AE-11D9-BED3-505054503030"
+      "0CCE9229-69AE-11D9-BED3-505054503030"
    ],
    "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
  },
@@ -16630,16 +16630,16 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4771",
+      "4769",
      "675",
      "4768",
-      "4769"
+      "4771"
    ],
    "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9240-69AE-11D9-BED3-505054503030",
+      "0CCE9242-69AE-11D9-BED3-505054503030",
-      "0CCE9242-69AE-11D9-BED3-505054503030"
+      "0CCE9240-69AE-11D9-BED3-505054503030"
    ],
    "title": "Kerberos Manipulation"
  },
@@ -16712,8 +16712,8 @@
    "id": "93c95eee-748a-e1db-18a5-f40035167086",
    "level": "high",
    "subcategory_guids": [
-      "0CCE923B-69AE-11D9-BED3-505054503030",
+      "0CCE9220-69AE-11D9-BED3-505054503030",
-      "0CCE9220-69AE-11D9-BED3-505054503030"
+      "0CCE923B-69AE-11D9-BED3-505054503030"
    ],
    "title": "AD Privileged Users or Groups Reconnaissance"
  },
@@ -16756,8 +16756,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4742",
+      "5136",
-      "5136"
+      "4742"
    ],
    "id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
    "level": "medium",
@@ -16776,10 +16776,10 @@
    "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
    "level": "medium",
    "subcategory_guids": [
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "Potentially Suspicious AccessMask Requested From LSASS"
  },
@@ -16805,9 +16805,9 @@
    "level": "medium",
    "subcategory_guids": [
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "Azure AD Health Monitoring Agent Registry Keys Access"
  },
@@ -16958,48 +16958,48 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4625",
+      "4776",
-      "4776"
+      "4625"
    ],
    "id": "655eb351-553b-501f-186e-aa9af13ecf43",
    "level": "medium",
    "subcategory_guids": [
      "0CCE9215-69AE-11D9-BED3-505054503030",
      "0CCE9217-69AE-11D9-BED3-505054503030",
-      "0CCE923F-69AE-11D9-BED3-505054503030"
+      "0CCE923F-69AE-11D9-BED3-505054503030",
      "0CCE9215-69AE-11D9-BED3-505054503030"
    ],
    "title": "Account Tampering - Suspicious Failed Logon Reasons"
  },
  {
    "channel": "sec",
    "event_ids": [
-      "4657",
+      "4663",
-      "4663"
+      "4657"
    ],
    "id": "249d836c-8857-1b98-5d7b-050c2d34e275",
    "level": "high",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "Sysmon Channel Reference Deletion"
  },
  {
    "channel": "sec",
    "event_ids": [
      "4657",
      "4656",
-      "4663",
+      "4663"
      "4657"
    ],
    "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Processes Accessing the Microphone and Webcam"
  },
@@ -17013,9 +17013,9 @@
    "level": "high",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "SysKey Registry Keys Access"
  },
@@ -17206,8 +17206,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "632",
+      "4728",
-      "4728"
+      "632"
    ],
    "id": "26767093-828c-2f39-bdd8-d0439e87307c",
    "level": "low",
@@ -17231,16 +17231,16 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4656",
+      "4663",
-      "4663"
+      "4656"
    ],
    "id": "de10da38-ee60-f6a4-7d70-4d308558158b",
    "level": "critical",
    "subcategory_guids": [
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "WCE wceaux.dll Access"
  },
@@ -17454,18 +17454,18 @@
  {
    "channel": "sec",
    "event_ids": [
      "4658",
      "4656",
-      "4663"
+      "4663",
      "4658"
    ],
    "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9223-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Potential Secure Deletion with SDelete"
  },
@@ -17501,18 +17501,18 @@
    "id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
    "level": "high",
    "subcategory_guids": [
-      "0CCE921E-69AE-11D9-BED3-505054503030",
+      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
-      "0CCE921D-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "SAM Registry Hive Handle Request"
  },
  {
    "channel": "sec",
    "event_ids": [
-      "5145",
+      "5136",
-      "5136"
+      "5145"
    ],
    "id": "bc613d09-5a80-cad3-6f65-c5020f960511",
    "level": "medium",
@@ -17543,8 +17543,8 @@
    "id": "5ac4b7f8-9412-f919-220c-aa8a1867b1ef",
    "level": "high",
    "subcategory_guids": [
-      "0CCE923B-69AE-11D9-BED3-505054503030",
+      "0CCE9220-69AE-11D9-BED3-505054503030",
-      "0CCE9220-69AE-11D9-BED3-505054503030"
+      "0CCE923B-69AE-11D9-BED3-505054503030"
    ],
    "title": "Reconnaissance Activity"
  },
@@ -17575,8 +17575,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "5447",
+      "5441",
-      "5441"
+      "5447"
    ],
    "id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
    "level": "high",
@@ -17606,8 +17606,8 @@
    "id": "9bcf333e-fc4c-5912-eeba-8a0cefe21be4",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9220-69AE-11D9-BED3-505054503030",
+      "0CCE923B-69AE-11D9-BED3-505054503030",
-      "0CCE923B-69AE-11D9-BED3-505054503030"
+      "0CCE9220-69AE-11D9-BED3-505054503030"
    ],
    "title": "Password Policy Enumerated"
  },
@@ -17759,15 +17759,15 @@
    "channel": "sec",
    "event_ids": [
      "4776",
-      "4624",
+      "4625",
-      "4625"
+      "4624"
    ],
    "id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
    "level": "high",
    "subcategory_guids": [
      "0CCE923F-69AE-11D9-BED3-505054503030",
      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9217-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030",
      "0CCE923F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Metasploit SMB Authentication"
  },
@@ -17846,16 +17846,16 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4663",
+      "4656",
-      "4656"
+      "4663"
    ],
    "id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "LSASS Access From Non System Account"
  },
@@ -17889,10 +17889,10 @@
    "id": "474caaa9-3115-c838-1509-59ffb6caecfc",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE9245-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "SCM Database Handle Failure"
  },
@@ -17952,10 +17952,10 @@
    "id": "d1909400-93d7-de3c-ba13-153c64499c7c",
    "level": "low",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE9245-69AE-11D9-BED3-505054503030"
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Service Registry Key Read Access Request"
  },
@@ -17968,10 +17968,10 @@
    "id": "777523b0-14f8-1ca2-12c9-d668153661ff",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921D-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Windows Defender Exclusion Registry Key - Write Access Requested"
  },
@@ -17991,8 +17991,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "1102",
+      "517",
-      "517"
+      "1102"
    ],
    "id": "9b14c9d8-6b61-e49f-f8a8-0836d0ad98c9",
    "level": "high",
@@ -18033,23 +18033,23 @@
    "id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9228-69AE-11D9-BED3-505054503030",
+      "0CCE9229-69AE-11D9-BED3-505054503030",
-      "0CCE9229-69AE-11D9-BED3-505054503030"
+      "0CCE9228-69AE-11D9-BED3-505054503030"
    ],
    "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
  },
  {
    "channel": "sec",
    "event_ids": [
      "4624",
      "4776",
      "4624",
      "4625"
    ],
    "id": "8b40829b-4556-9bec-a8ad-905688497639",
    "level": "high",
    "subcategory_guids": [
      "0CCE9215-69AE-11D9-BED3-505054503030",
      "0CCE9217-69AE-11D9-BED3-505054503030",
      "0CCE9215-69AE-11D9-BED3-505054503030",
      "0CCE923F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Hacktool Ruler"
@@ -18081,8 +18081,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4720",
+      "4781",
-      "4781"
+      "4720"
    ],
    "id": "ec77919c-1169-6640-23e7-91c6f27ddc91",
    "level": "medium",
@@ -18099,9 +18099,9 @@
    "id": "d81faa44-ff28-8f61-097b-92727b8af44b",
    "level": "high",
    "subcategory_guids": [
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030"
    ],
    "title": "Password Dumper Activity on LSASS"
@@ -18109,8 +18109,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4701",
+      "4699",
-      "4699"
+      "4701"
    ],
    "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
    "level": "high",
@@ -18141,24 +18141,24 @@
    "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480",
    "level": "high",
    "subcategory_guids": [
-      "0CCE9235-69AE-11D9-BED3-505054503030",
+      "0CCE923C-69AE-11D9-BED3-505054503030",
-      "0CCE923C-69AE-11D9-BED3-505054503030"
+      "0CCE9235-69AE-11D9-BED3-505054503030"
    ],
    "title": "Active Directory User Backdoors"
  },
  {
    "channel": "sec",
    "event_ids": [
-      "4656",
+      "4663",
-      "4663"
+      "4656"
    ],
    "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE921F-69AE-11D9-BED3-505054503030",
+      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
-      "0CCE921E-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
    "title": "Azure AD Health Service Agents Registry Keys Access"
  },
@@ -18233,8 +18233,8 @@
  {
    "channel": "sec",
    "event_ids": [
-      "4743",
+      "4741",
-      "4741"
+      "4743"
    ],
    "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
    "level": "low",
@@ -18348,9 +18348,9 @@
    "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
-      "0CCE921F-69AE-11D9-BED3-505054503030"
+      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030"
    ],
    "title": "Windows Defender Exclusion Deleted"
  },
@@ -19051,12 +19051,12 @@
  {
    "channel": "sec",
    "event_ids": [
      "4728",
      "4730",
      "633",
      "634",
-      "4729",
+      "632",
-      "632"
+      "4728",
      "4729"
    ],
    "id": "506379d9-8545-c010-e9a3-693119ab9261",
    "level": "low",
@@ -19332,16 +19332,16 @@
  {
    "channel": "sec",
    "event_ids": [
      "4702",
      "4624",
-      "4698",
+      "4698"
      "4702"
    ],
    "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
    "level": "medium",
    "subcategory_guids": [
      "0CCE9226-69AE-11D9-BED3-505054503030",
      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9227-69AE-11D9-BED3-505054503030",
+      "0CCE9227-69AE-11D9-BED3-505054503030"
      "0CCE9226-69AE-11D9-BED3-505054503030"
    ],
    "title": "Remote Schtasks Creation"
  },
@@ -19378,8 +19378,8 @@
    "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
    "level": "low",
    "subcategory_guids": [
-      "0CCE9227-69AE-11D9-BED3-505054503030",
+      "0CCE9226-69AE-11D9-BED3-505054503030",
-      "0CCE9226-69AE-11D9-BED3-505054503030"
+      "0CCE9227-69AE-11D9-BED3-505054503030"
    ],
    "title": "Rare Schtasks Creations"
  },
@@ -19427,9 +19427,9 @@
    "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
    "level": "high",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030"
    ],
    "title": "Stored Credentials in Fake Files"
@@ -19474,14 +19474,14 @@
  {
    "channel": "sec",
    "event_ids": [
-      "529",
+      "4625",
-      "4625"
+      "529"
    ],
    "id": "428d3964-3241-1ceb-8f93-b31d8490c822",
    "level": "medium",
    "subcategory_guids": [
-      "0CCE9217-69AE-11D9-BED3-505054503030",
+      "0CCE9215-69AE-11D9-BED3-505054503030",
-      "0CCE9215-69AE-11D9-BED3-505054503030"
+      "0CCE9217-69AE-11D9-BED3-505054503030"
    ],
    "title": "Failed Logins with Different Accounts from Single Source System"
  },
@@ -19493,8 +19493,8 @@
    "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
    "level": "medium",
    "subcategory_guids": [
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921E-69AE-11D9-BED3-505054503030",
      "0CCE921D-69AE-11D9-BED3-505054503030",
      "0CCE921F-69AE-11D9-BED3-505054503030",
      "0CCE9245-69AE-11D9-BED3-505054503030"
    ],
@@ -19911,9 +19911,9 @@
  {
    "channel": "sec",
    "event_ids": [
      "13",
      "4657",
-      "12"
+      "12",
      "13"
    ],
    "id": "46595663-e666-c413-ccf4-028a618ca712",
    "level": "critical",