#51 resolved

rules/deep_blue_cli/security/1102.yml

@@ -12,6 +12,9 @@ detection:
 falsepositives:
     - unknown
 level: medium
-output: 'Audit Log Clear¥n The Audit log was cleared.¥m%user_data.log_file_cleared%%user_data.subject_user_name%'
+output: |
+    Audit Log Clear 
+    The Audit log was cleared.
+    Security ID: %LogFileCleared%%LogFileClearedSubjectUserName%
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/4673.yml

@@ -12,6 +12,9 @@ detection:
 falsepositives:
     - unknown
 level: medium
-output: 'Sensitive Privilege Use Exceeds Threshold¥n Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.¥nUserName:SubjectUserName% Domain Name:%DomainName%'
+output: |
+    Sensitive Privilege Use Exceeds Threshold
+    Potentially indicative of Mimikatz, multiple sensitive priviledge calls have been made.
+    UserName:%SubjectUserName% Domain Name:%DomainName%
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/4674.yml

@@ -14,6 +14,11 @@ detection:
 falsepositives:
     - unknown
 level: medium
-output: 'Possible Hidden Service Attempt¥nUser requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.¥nUser: %SubjectUserName%¥nTarget service:%ObjectName¥nDesired Access:WRITE_DAC'
+output: |
+    Possible Hidden Service Attempt
+    User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
+    User: %SubjectUserName%
+    Target service:%ObjectName
+    Desired Access:WRITE_DAC
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/4688.yml

@@ -15,4 +15,4 @@ falsepositives:
 level: medium
 output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/4720.yml

@@ -14,4 +14,4 @@ falsepositives:
 level: low
 output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/4728.yml

@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/4732.yml

@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/4756.yml

@@ -15,4 +15,4 @@ falsepositives:
 level: low
 output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/_4625.yml

@@ -14,4 +14,4 @@ falsepositives:
 level: medium
 output: 'High number of logon failures for one account UserName:%event_data.SubjectUserName% Total logon faiures:%count%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/_4648.yml

@@ -14,4 +14,4 @@ falsepositives:
 level: High
 output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8

rules/deep_blue_cli/security/_4672.yml

@@ -16,4 +16,4 @@ falsepositives:
 level: medium
 output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+updated_date: 2020/11/8