diff --git a/config/security_rules.json b/config/security_rules.json index 9b3dc94f..3de5207b 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -88,8 +88,8 @@ "id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4", "level": "informational", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Task Deleted" }, @@ -424,8 +424,8 @@ "id": "b2c74582-0d44-49fe-8faa-014dcdafee62", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon - Non-Existent User" }, @@ -473,8 +473,8 @@ "id": "a85096da-be85-48d7-8ad5-2f957cd74daa", "level": "low", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Unknown Reason)" }, @@ -534,8 +534,8 @@ "id": "5b0b75dc-9190-4047-b9a8-14164cee8a31", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon - Incorrect Password" }, @@ -620,8 +620,8 @@ "id": "e87bd730-df45-4ae9-85de-6c75369c5d29", "level": "low", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Logon Failure (Wrong Password)" }, @@ -645,8 +645,8 @@ "id": "35e8a0fc-60c2-46d7-ba39-aafb15b9854e", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "PW Guessing" }, @@ -1087,10 +1087,10 @@ "id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "ScreenConnect User Database Modification - Security" }, @@ -1102,9 +1102,9 @@ "id": "74d067bc-3f42-3855-c13d-771d589cf11c", "level": "critical", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" @@ -1112,13 +1112,13 @@ { "channel": "sec", "event_ids": [ - "4737", - "4755", - "4756", - "4727", - "4728", "4754", - "4731" + "4755", + "4737", + "4731", + "4728", + "4727", + "4756" ], "id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a", "level": "high", @@ -1731,16 +1731,16 @@ { "channel": "sec", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43", "level": "critical", "subcategory_guids": [ "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "CVE-2023-23397 Exploitation Attempt" }, @@ -1904,8 +1904,8 @@ { "channel": "sec", "event_ids": [ - "4698", "4699", + "4698", "4702" ], "id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef", @@ -2706,11 +2706,11 @@ "id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222", "level": "high", "subcategory_guids": [ + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "BlueSky Ransomware Artefacts" }, @@ -3065,8 +3065,8 @@ { "channel": "sec", "event_ids": [ - "4625", - "4624" + "4624", + "4625" ], "id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b", "level": "medium", @@ -3091,8 +3091,8 @@ { "channel": "sec", "event_ids": [ - "4964", - "4672" + "4672", + "4964" ], "id": "b3d10465-f171-0ef7-d28e-8ef2f9409cf1", "level": "low", @@ -3104,10 +3104,10 @@ { "channel": "sec", "event_ids": [ - "528", "529", + "4625", "4624", - "4625" + "528" ], "id": "7298c707-7564-3229-7c76-ec514847d8c2", "level": "medium", @@ -16179,8 +16179,8 @@ "level": "low", "subcategory_guids": [ "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" @@ -16521,10 +16521,10 @@ "id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "ISO Image Mounted" }, @@ -16536,8 +16536,8 @@ "id": "cd7d9f05-3bf6-21f6-6686-e602ab6d72ba", "level": "high", "subcategory_guids": [ - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9226-69AE-11D9-BED3-505054503030", + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Scheduled Task Creation" }, @@ -16569,9 +16569,9 @@ { "channel": "sec", "event_ids": [ - "4765", "4766", - "4738" + "4738", + "4765" ], "id": "5335aea0-f1b4-e120-08b6-c80fe4bf99ad", "level": "medium", @@ -16630,16 +16630,16 @@ { "channel": "sec", "event_ids": [ - "675", - "4768", "4771", - "4769" + "4769", + "4768", + "675" ], "id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b", "level": "high", "subcategory_guids": [ - "0CCE9240-69AE-11D9-BED3-505054503030", - "0CCE9242-69AE-11D9-BED3-505054503030" + "0CCE9242-69AE-11D9-BED3-505054503030", + "0CCE9240-69AE-11D9-BED3-505054503030" ], "title": "Kerberos Manipulation" }, @@ -16712,8 +16712,8 @@ "id": "93c95eee-748a-e1db-18a5-f40035167086", "level": "high", "subcategory_guids": [ - "0CCE923B-69AE-11D9-BED3-505054503030", - "0CCE9220-69AE-11D9-BED3-505054503030" + "0CCE9220-69AE-11D9-BED3-505054503030", + "0CCE923B-69AE-11D9-BED3-505054503030" ], "title": "AD Privileged Users or Groups Reconnaissance" }, @@ -16770,14 +16770,14 @@ { "channel": "sec", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], @@ -16805,9 +16805,9 @@ "level": "medium", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" }, @@ -16850,14 +16850,14 @@ { "channel": "sec", "event_ids": [ - "5136", - "5145" + "5145", + "5136" ], "id": "01628b51-85e1-4088-9432-a11cba9f3ebd", "level": "high", "subcategory_guids": [ - "0CCE923C-69AE-11D9-BED3-505054503030", - "0CCE9244-69AE-11D9-BED3-505054503030" + "0CCE9244-69AE-11D9-BED3-505054503030", + "0CCE923C-69AE-11D9-BED3-505054503030" ], "title": "Persistence and Execution at Scale via GPO Scheduled Task" }, @@ -16965,23 +16965,23 @@ "level": "medium", "subcategory_guids": [ "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE923F-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" }, { "channel": "sec", "event_ids": [ - "4663", - "4657" + "4657", + "4663" ], "id": "249d836c-8857-1b98-5d7b-050c2d34e275", "level": "high", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Sysmon Channel Reference Deletion" @@ -16989,17 +16989,17 @@ { "channel": "sec", "event_ids": [ - "4657", + "4663", "4656", - "4663" + "4657" ], "id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Processes Accessing the Microphone and Webcam" }, @@ -17013,9 +17013,9 @@ "level": "high", "subcategory_guids": [ "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "SysKey Registry Keys Access" }, @@ -17051,8 +17051,8 @@ "id": "6bcac9cb-eeee-9f45-c5c1-0daaf023ac12", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logon From Public IP" }, @@ -17064,8 +17064,8 @@ "id": "232ecd79-c09d-1323-8e7e-14322b766855", "level": "high", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -17206,8 +17206,8 @@ { "channel": "sec", "event_ids": [ - "4728", - "632" + "632", + "4728" ], "id": "26767093-828c-2f39-bdd8-d0439e87307c", "level": "low", @@ -17231,16 +17231,16 @@ { "channel": "sec", "event_ids": [ - "4663", - "4656" + "4656", + "4663" ], "id": "de10da38-ee60-f6a4-7d70-4d308558158b", "level": "critical", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "WCE wceaux.dll Access" }, @@ -17264,9 +17264,9 @@ "id": "04a055ea-ffa9-540b-e1d2-d5c1bfd5bc7b", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Teams Application Related ObjectAcess Event" @@ -17311,8 +17311,8 @@ { "channel": "sec", "event_ids": [ - "4634", - "4647" + "4647", + "4634" ], "id": "73f64ce7-a76d-0208-ea75-dd26a09d719b", "level": "informational", @@ -17454,18 +17454,18 @@ { "channel": "sec", "event_ids": [ + "4658", "4656", - "4663", - "4658" + "4663" ], "id": "70c3269a-a7f2-49bd-1e28-a0921f353db7", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9223-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Potential Secure Deletion with SDelete" }, @@ -17502,9 +17502,9 @@ "level": "high", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE9245-69AE-11D9-BED3-505054503030" + "0CCE9245-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "SAM Registry Hive Handle Request" }, @@ -17852,9 +17852,9 @@ "id": "06b8bcc0-326b-518a-3868-fe0721488fb8", "level": "medium", "subcategory_guids": [ - "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030" ], "title": "LSASS Access From Non System Account" @@ -17889,10 +17889,10 @@ "id": "474caaa9-3115-c838-1509-59ffb6caecfc", "level": "medium", "subcategory_guids": [ + "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "SCM Database Handle Failure" }, @@ -17953,33 +17953,33 @@ "level": "low", "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Service Registry Key Read Access Request" }, { "channel": "sec", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "777523b0-14f8-1ca2-12c9-d668153661ff", "level": "medium", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { "channel": "sec", "event_ids": [ - "4899", - "4898" + "4898", + "4899" ], "id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b", "level": "high", @@ -18008,8 +18008,8 @@ "id": "22d4af9f-97d9-4827-7209-c451ff7f43c6", "level": "high", "subcategory_guids": [ - "0CCE9234-69AE-11D9-BED3-505054503030", - "0CCE9233-69AE-11D9-BED3-505054503030" + "0CCE9233-69AE-11D9-BED3-505054503030", + "0CCE9234-69AE-11D9-BED3-505054503030" ], "title": "HackTool - NoFilter Execution" }, @@ -18041,16 +18041,16 @@ { "channel": "sec", "event_ids": [ - "4625", "4776", - "4624" + "4624", + "4625" ], "id": "8b40829b-4556-9bec-a8ad-905688497639", "level": "high", "subcategory_guids": [ - "0CCE923F-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE923F-69AE-11D9-BED3-505054503030" ], "title": "Hacktool Ruler" }, @@ -18099,18 +18099,18 @@ "id": "d81faa44-ff28-8f61-097b-92727b8af44b", "level": "high", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Password Dumper Activity on LSASS" }, { "channel": "sec", "event_ids": [ - "4699", - "4701" + "4701", + "4699" ], "id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3", "level": "high", @@ -18135,8 +18135,8 @@ { "channel": "sec", "event_ids": [ - "4738", - "5136" + "5136", + "4738" ], "id": "c9123898-04d5-2d3b-5e2b-7c0c92111480", "level": "high", @@ -18149,15 +18149,15 @@ { "channel": "sec", "event_ids": [ - "4656", - "4663" + "4663", + "4656" ], "id": "763d50d7-9452-0146-18a1-9ca65e3a2f73", "level": "medium", "subcategory_guids": [ + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], "title": "Azure AD Health Service Agents Registry Keys Access" @@ -18233,8 +18233,8 @@ { "channel": "sec", "event_ids": [ - "4741", - "4743" + "4743", + "4741" ], "id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d", "level": "low", @@ -18348,8 +18348,8 @@ "id": "7bd85790-c82a-56af-7127-f257e5ef6c6f", "level": "medium", "subcategory_guids": [ - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Windows Defender Exclusion Deleted" @@ -19053,10 +19053,10 @@ "event_ids": [ "4728", "4729", - "633", - "632", + "4730", "634", - "4730" + "633", + "632" ], "id": "506379d9-8545-c010-e9a3-693119ab9261", "level": "low", @@ -19332,16 +19332,16 @@ { "channel": "sec", "event_ids": [ + "4698", "4702", - "4624", - "4698" + "4624" ], "id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc", "level": "medium", "subcategory_guids": [ + "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030", - "0CCE9226-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030" ], "title": "Remote Schtasks Creation" }, @@ -19365,8 +19365,8 @@ "id": "84202b5b-54c1-473b-4568-e10da23b3eb8", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, @@ -19378,8 +19378,8 @@ "id": "89ed0fbe-11b8-ce3c-e025-59925225ee99", "level": "low", "subcategory_guids": [ - "0CCE9226-69AE-11D9-BED3-505054503030", - "0CCE9227-69AE-11D9-BED3-505054503030" + "0CCE9227-69AE-11D9-BED3-505054503030", + "0CCE9226-69AE-11D9-BED3-505054503030" ], "title": "Rare Schtasks Creations" }, @@ -19427,10 +19427,10 @@ "id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be", "level": "high", "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030", - "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921D-69AE-11D9-BED3-505054503030" + "0CCE921F-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030", + "0CCE921E-69AE-11D9-BED3-505054503030" ], "title": "Stored Credentials in Fake Files" }, @@ -19442,8 +19442,8 @@ "id": "30e70d43-6368-123c-a3c8-d23309a3ff97", "level": "medium", "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" + "0CCE9217-69AE-11D9-BED3-505054503030", + "0CCE9215-69AE-11D9-BED3-505054503030" ], "title": "Multiple Users Remotely Failing To Authenticate From Single Source" }, @@ -19480,8 +19480,8 @@ "id": "428d3964-3241-1ceb-8f93-b31d8490c822", "level": "medium", "subcategory_guids": [ - "0CCE9217-69AE-11D9-BED3-505054503030", - "0CCE9215-69AE-11D9-BED3-505054503030" + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" ], "title": "Failed Logins with Different Accounts from Single Source System" }, @@ -19493,10 +19493,10 @@ "id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995", "level": "medium", "subcategory_guids": [ - "0CCE921D-69AE-11D9-BED3-505054503030", "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030", - "0CCE921E-69AE-11D9-BED3-505054503030" + "0CCE921E-69AE-11D9-BED3-505054503030", + "0CCE921D-69AE-11D9-BED3-505054503030" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -19911,9 +19911,9 @@ { "channel": "sec", "event_ids": [ - "13", "12", - "4657" + "4657", + "13" ], "id": "46595663-e666-c413-ccf4-028a618ca712", "level": "critical",