Merge pull request #54 from YamatoSecurity/feature/eventkey_alias

eventkey_alias の精査 / #51
2021-02-26 09:06:08 +09:00
parent 631dda679a a77edfb311
commit 382a48edfc
13 changed files with 34 additions and 18 deletions
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -14,6 +14,11 @@ ImagePath,Event.EventData.ImagePath
 ContextInfo,Event.EventData.ContextInfo
 Path,Event.EventData.Path
 ScriptBlockText,Event.EventData.ScriptBlockText
-MemberName,Event.EventData.SubjectUserName
-MemberSid,Event.EventData.SubjectUserSid
+MemberName,Event.EventData.MemberName
+MemberSid,Event.EventData.MemberSid
 TargetSid,Event.EventData.TargetSid
+LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName
+LogFileClearedSubjectUserName,Event.UserData.SubjectUserName
+SubjectUserName,Event.EventData.SubjectUserName
+SubjectUserSid,Event.EventData.SubjectUserSid
+DomainName,Event.EventData.SubjectDomainName
--- a/rules/deep_blue_cli/powershell/4103.yml
+++ b/rules/deep_blue_cli/powershell/4103.yml
@@ -6,7 +6,7 @@ logsource:
    product: windows
 detection:
    selection:
-        Channel: PowerShell
+        Channel: Microsoft-Windows-PowerShell/Operational
        EventID: 4103
        ContextInfo:
            - Host Application
@@ -17,4 +17,4 @@ falsepositives:
 level: medium
 output: 'command=%CommandLine%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/1102.yml
+++ b/rules/deep_blue_cli/security/1102.yml
@@ -12,6 +12,9 @@ detection:
 falsepositives:
    - unknown
 level: medium
-output: 'Audit Log Clear¥n The Audit log was cleared.¥m%user_data.log_file_cleared%%user_data.subject_user_name%'
+output: |
+    Audit Log Clear 
+    The Audit log was cleared.
+    Security ID: %LogFileCleared%%LogFileClearedSubjectUserName%
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/4673.yml
+++ b/rules/deep_blue_cli/security/4673.yml
@@ -12,6 +12,9 @@ detection:
 falsepositives:
    - unknown
 level: medium
-output: 'Sensitive Privilege Use Exceeds Threshold¥n Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.¥nUserName:SubjectUserName% Domain Name:%DomainName%'
+output: |
+    Sensitive Privilege Use Exceeds Threshold
+    Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.
+    UserName:%SubjectUserName% Domain Name:%DomainName%
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/4674.yml
+++ b/rules/deep_blue_cli/security/4674.yml
@@ -14,6 +14,11 @@ detection:
 falsepositives:
    - unknown
 level: medium
-output: 'Possible Hidden Service Attempt¥nUser requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.¥nUser: %SubjectUserName%¥nTarget service:%ObjectName¥nDesired Access:WRITE_DAC'
+output: |
+    Possible Hidden Service Attempt
+    User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
+    User: %SubjectUserName%
+    Target service:%ObjectName
+    Desired Access:WRITE_DAC
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/4688.yml
+++ b/rules/deep_blue_cli/security/4688.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: medium
 output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/4720.yml
+++ b/rules/deep_blue_cli/security/4720.yml
@@ -14,4 +14,4 @@ falsepositives:
 level: low
 output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/4728.yml
+++ b/rules/deep_blue_cli/security/4728.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/4732.yml
+++ b/rules/deep_blue_cli/security/4732.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/4756.yml
+++ b/rules/deep_blue_cli/security/4756.yml
@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/_4625.yml
+++ b/rules/deep_blue_cli/security/_4625.yml
@@ -14,4 +14,4 @@ falsepositives:
 level: medium
 output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/_4648.yml
+++ b/rules/deep_blue_cli/security/_4648.yml
@@ -14,4 +14,4 @@ falsepositives:
 level: High
 output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8
--- a/rules/deep_blue_cli/security/_4672.yml
+++ b/rules/deep_blue_cli/security/_4672.yml
@@ -16,4 +16,4 @@ falsepositives:
 level: medium
 output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8