CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 09:12:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Automated update

Browse Source
This commit is contained in:
github-actions[bot]
2025-03-16 10:28:41 +00:00
parent a782842fc5
commit e92252fcd2
1 changed files with 149 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

298
config/security_rules.json
View File

@@ -118,8 +118,8 @@
"id": "de5ed02e-e7b5-47a0-a35c-06a907c988e4",
"level": "informational",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Task Deleted"
},
@@ -441,8 +441,8 @@
"id": "4574194d-e7ca-4356-a95c-21b753a1787e",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "User Guessing"
},
@@ -454,8 +454,8 @@
"id": "b2c74582-0d44-49fe-8faa-014dcdafee62",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Non-Existent User"
},
@@ -503,8 +503,8 @@
"id": "a85096da-be85-48d7-8ad5-2f957cd74daa",
"level": "low",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Logon Failure (Unknown Reason)"
},
@@ -564,8 +564,8 @@
"id": "5b0b75dc-9190-4047-b9a8-14164cee8a31",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logon - Incorrect Password"
},
@@ -1068,8 +1068,8 @@
"id": "798c8f65-068a-0a31-009f-12739f547a2d",
"level": "critical",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "OilRig APT Schedule Task Persistence - Security"
},
@@ -1117,10 +1117,10 @@
"id": "82b185f4-cdcb-ba23-9fdb-dbc1a732e1a7",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "ScreenConnect User Database Modification - Security"
},
@@ -1142,13 +1142,13 @@
{
"channel": "sec",
"event_ids": [
"4731",
"4737",
"4755",
"4728",
"4727",
"4754",
"4756"
"4755",
"4737",
"4756",
"4731",
"4728",
"4727"
],
"id": "2a451b93-9890-5cfe-38aa-1dc4f8f0fe0a",
"level": "high",
@@ -1767,10 +1767,10 @@
"id": "1aeb71a3-31b4-1a5e-85d8-1631c3a73d43",
"level": "critical",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "CVE-2023-23397 Exploitation Attempt"
},
@@ -1954,9 +1954,9 @@
{
"channel": "sec",
"event_ids": [
"4698",
"4699",
"4702",
"4699"
"4698"
],
"id": "ae16af08-e56e-414a-ceba-cb62e9f3a2ef",
"level": "high",
@@ -2776,11 +2776,11 @@
"id": "21ead34c-d2d4-2799-6318-2ff9e4aa9222",
"level": "high",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "BlueSky Ransomware Artefacts"
},
@@ -3155,8 +3155,8 @@
{
"channel": "sec",
"event_ids": [
"4624",
"4625"
"4625",
"4624"
],
"id": "35890fd4-9ed3-b244-0eff-91fe61e52f8b",
"level": "medium",
@@ -3195,15 +3195,15 @@
"channel": "sec",
"event_ids": [
"529",
"4624",
"4625",
"528",
"4624"
"528"
],
"id": "7298c707-7564-3229-7c76-ec514847d8c2",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
],
"title": "Interactive Logon to Server Systems"
},
@@ -18651,9 +18651,9 @@
"id": "4faa08cb-e57e-bb07-cfc2-2153a97a99bf",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "ISO Image Mounted"
@@ -18730,8 +18730,8 @@
"id": "a25c0c49-11f8-ace9-6bbd-80cfa6e2b2d7",
"level": "medium",
"subcategory_guids": [
"0CCE9229-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030"
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
],
"title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
},
@@ -18760,10 +18760,10 @@
{
"channel": "sec",
"event_ids": [
"4771",
"4769",
"675",
"4768",
"675"
"4769",
"4771"
],
"id": "978525c2-97aa-f0e4-8c11-3cf81ea3379b",
"level": "high",
@@ -18886,14 +18886,14 @@
{
"channel": "sec",
"event_ids": [
"4742",
"5136"
"5136",
"4742"
],
"id": "c800ccd5-5818-b0f5-1a12-f9c8bc24a433",
"level": "medium",
"subcategory_guids": [
"0CCE9236-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9236-69AE-11D9-BED3-505054503030"
],
"title": "Possible DC Shadow Attack"
},
@@ -18906,10 +18906,10 @@
"id": "c7f94c63-6fb7-9686-e2c2-2298c9f56ca9",
"level": "medium",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Potentially Suspicious AccessMask Requested From LSASS"
},
@@ -18928,8 +18928,8 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "321196fe-fb10-6b13-c611-3dfe40baa1af",
"level": "medium",
@@ -18980,14 +18980,14 @@
{
"channel": "sec",
"event_ids": [
"5145",
"5136"
"5136",
"5145"
],
"id": "01628b51-85e1-4088-9432-a11cba9f3ebd",
"level": "high",
"subcategory_guids": [
"0CCE9244-69AE-11D9-BED3-505054503030",
"0CCE923C-69AE-11D9-BED3-505054503030"
"0CCE923C-69AE-11D9-BED3-505054503030",
"0CCE9244-69AE-11D9-BED3-505054503030"
],
"title": "Persistence and Execution at Scale via GPO Scheduled Task"
},
@@ -19088,15 +19088,15 @@
{
"channel": "sec",
"event_ids": [
"4625",
"4776"
"4776",
"4625"
],
"id": "655eb351-553b-501f-186e-aa9af13ecf43",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030"
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Account Tampering - Suspicious Failed Logon Reasons"
},
@@ -19109,26 +19109,26 @@
"id": "249d836c-8857-1b98-5d7b-050c2d34e275",
"level": "high",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Sysmon Channel Reference Deletion"
},
{
"channel": "sec",
"event_ids": [
"4657",
"4663",
"4656",
"4663"
"4657"
],
"id": "32337bc9-8e75-bdaf-eaf4-d3b19ee08a67",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Processes Accessing the Microphone and Webcam"
@@ -19136,15 +19136,15 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663"
"4663",
"4656"
],
"id": "63308dbe-54a4-9c70-cc90-6d15e10f3505",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "SysKey Registry Keys Access"
@@ -19214,8 +19214,8 @@
{
"channel": "sec",
"event_ids": [
"4729",
"633"
"633",
"4729"
],
"id": "6e0f860b-3678-7396-a4a3-7cf55f7bb01c",
"level": "low",
@@ -19323,8 +19323,8 @@
{
"channel": "sec",
"event_ids": [
"4730",
"634"
"634",
"4730"
],
"id": "ae7d8d1c-f75b-d952-e84e-a7981b861590",
"level": "low",
@@ -19361,16 +19361,16 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "de10da38-ee60-f6a4-7d70-4d308558158b",
"level": "critical",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "WCE wceaux.dll Access"
},
@@ -19395,9 +19395,9 @@
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Teams Application Related ObjectAcess Event"
},
@@ -19421,8 +19421,8 @@
"id": "d74b03af-7e5f-bc5b-9e84-9d44af3d61b7",
"level": "high",
"subcategory_guids": [
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Scheduled Task Update"
},
@@ -19584,18 +19584,18 @@
{
"channel": "sec",
"event_ids": [
"4656",
"4663",
"4658",
"4656"
"4658"
],
"id": "70c3269a-a7f2-49bd-1e28-a0921f353db7",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9223-69AE-11D9-BED3-505054503030"
"0CCE9223-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Potential Secure Deletion with SDelete"
},
@@ -19631,10 +19631,10 @@
"id": "d7742b08-730d-3624-df95-cc3c6eaa3a39",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "SAM Registry Hive Handle Request"
},
@@ -19711,8 +19711,8 @@
"id": "4d56e133-40b5-5b28-07b5-bab0913fc338",
"level": "high",
"subcategory_guids": [
"0CCE9234-69AE-11D9-BED3-505054503030",
"0CCE9233-69AE-11D9-BED3-505054503030"
"0CCE9233-69AE-11D9-BED3-505054503030",
"0CCE9234-69AE-11D9-BED3-505054503030"
],
"title": "HackTool - EDRSilencer Execution - Filter Added"
},
@@ -19888,15 +19888,15 @@
{
"channel": "sec",
"event_ids": [
"4625",
"4624",
"4776"
"4776",
"4625"
],
"id": "827aa6c1-1507-3f0a-385a-ade5251bfd71",
"level": "high",
"subcategory_guids": [
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Metasploit SMB Authentication"
@@ -19982,10 +19982,10 @@
"id": "06b8bcc0-326b-518a-3868-fe0721488fb8",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "LSASS Access From Non System Account"
},
@@ -20019,10 +20019,10 @@
"id": "474caaa9-3115-c838-1509-59ffb6caecfc",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "SCM Database Handle Failure"
},
@@ -20082,10 +20082,10 @@
"id": "d1909400-93d7-de3c-ba13-153c64499c7c",
"level": "low",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Service Registry Key Read Access Request"
},
@@ -20098,18 +20098,18 @@
"id": "777523b0-14f8-1ca2-12c9-d668153661ff",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Registry Key - Write Access Requested"
},
{
"channel": "sec",
"event_ids": [
"4898",
"4899"
"4899",
"4898"
],
"id": "aa2d5bf7-bc73-068e-a4df-a887cc3aba2b",
"level": "high",
@@ -20132,8 +20132,8 @@
{
"channel": "sec",
"event_ids": [
"5449",
"5447"
"5447",
"5449"
],
"id": "22d4af9f-97d9-4827-7209-c451ff7f43c6",
"level": "high",
@@ -20163,24 +20163,24 @@
"id": "cd93b6ed-961d-ed36-92db-bd44bccda695",
"level": "high",
"subcategory_guids": [
"0CCE9228-69AE-11D9-BED3-505054503030",
"0CCE9229-69AE-11D9-BED3-505054503030"
"0CCE9229-69AE-11D9-BED3-505054503030",
"0CCE9228-69AE-11D9-BED3-505054503030"
],
"title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'"
},
{
"channel": "sec",
"event_ids": [
"4776",
"4624",
"4776",
"4625"
],
"id": "8b40829b-4556-9bec-a8ad-905688497639",
"level": "high",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE923F-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
"0CCE923F-69AE-11D9-BED3-505054503030"
],
"title": "Hacktool Ruler"
},
@@ -20229,18 +20229,18 @@
"id": "d81faa44-ff28-8f61-097b-92727b8af44b",
"level": "high",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Password Dumper Activity on LSASS"
},
{
"channel": "sec",
"event_ids": [
"4701",
"4699"
"4699",
"4701"
],
"id": "9ce591d7-6b6d-444a-8c27-8ca626dddad3",
"level": "high",
@@ -20279,16 +20279,16 @@
{
"channel": "sec",
"event_ids": [
"4663",
"4656"
"4656",
"4663"
],
"id": "763d50d7-9452-0146-18a1-9ca65e3a2f73",
"level": "medium",
"subcategory_guids": [
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030"
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
],
"title": "Azure AD Health Service Agents Registry Keys Access"
},
@@ -20363,8 +20363,8 @@
{
"channel": "sec",
"event_ids": [
"4743",
"4741"
"4741",
"4743"
],
"id": "b607775d-e3fe-3fb8-c40e-4e52b3fbe44d",
"level": "low",
@@ -20478,9 +20478,9 @@
"id": "7bd85790-c82a-56af-7127-f257e5ef6c6f",
"level": "medium",
"subcategory_guids": [
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030"
"0CCE921F-69AE-11D9-BED3-505054503030"
],
"title": "Windows Defender Exclusion Deleted"
},
@@ -21276,11 +21276,11 @@
"channel": "sec",
"event_ids": [
"633",
"4730",
"4728",
"632",
"634",
"4730",
"4729",
"634"
"4728"
],
"id": "506379d9-8545-c010-e9a3-693119ab9261",
"level": "low",
@@ -21594,16 +21594,16 @@
{
"channel": "sec",
"event_ids": [
"4698",
"4624",
"4702"
"4702",
"4698"
],
"id": "bc42c437-1ea8-fd0f-d964-e37a58d861fc",
"level": "medium",
"subcategory_guids": [
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030"
],
"title": "Remote Schtasks Creation"
},
@@ -21640,8 +21640,8 @@
"id": "89ed0fbe-11b8-ce3c-e025-59925225ee99",
"level": "low",
"subcategory_guids": [
"0CCE9227-69AE-11D9-BED3-505054503030",
"0CCE9226-69AE-11D9-BED3-505054503030"
"0CCE9226-69AE-11D9-BED3-505054503030",
"0CCE9227-69AE-11D9-BED3-505054503030"
],
"title": "Rare Schtasks Creations"
},
@@ -21699,10 +21699,10 @@
"id": "888d3e17-a1ed-6b11-895c-e1f9b96b35be",
"level": "high",
"subcategory_guids": [
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030"
"0CCE921D-69AE-11D9-BED3-505054503030"
],
"title": "Stored Credentials in Fake Files"
},
@@ -21746,14 +21746,14 @@
{
"channel": "sec",
"event_ids": [
"529",
"4625"
"4625",
"529"
],
"id": "428d3964-3241-1ceb-8f93-b31d8490c822",
"level": "medium",
"subcategory_guids": [
"0CCE9217-69AE-11D9-BED3-505054503030",
"0CCE9215-69AE-11D9-BED3-505054503030"
"0CCE9215-69AE-11D9-BED3-505054503030",
"0CCE9217-69AE-11D9-BED3-505054503030"
],
"title": "Failed Logins with Different Accounts from Single Source System"
},
@@ -21765,9 +21765,9 @@
"id": "a4504cb2-23f6-6d94-5ae6-d6013cf1d995",
"level": "medium",
"subcategory_guids": [
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE921E-69AE-11D9-BED3-505054503030",
"0CCE921F-69AE-11D9-BED3-505054503030",
"0CCE921D-69AE-11D9-BED3-505054503030",
"0CCE9245-69AE-11D9-BED3-505054503030"
],
"title": "Suspicious Multiple File Rename Or Delete Occurred"
@@ -22183,9 +22183,9 @@
{
"channel": "sec",
"event_ids": [
"12",
"4657",
"13",
"4657"
"12"
],
"id": "46595663-e666-c413-ccf4-028a618ca712",
"level": "critical",