Rule tuning

rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml

@@ -1,7 +1,7 @@
 title: Logon Type 0 - System
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security

rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml

@@ -1,7 +1,7 @@
 title: Logon Type 10 - RDP (Remote Interactive)
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml

@@ -1,7 +1,7 @@
 title: Logon Type 11 - CachedInteractive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml

@@ -1,7 +1,7 @@
 title: Logon Type 12 - CachedRemoteInteractive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml

@@ -1,7 +1,7 @@
 title: Logon Type 13 - CachedUnlock
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml

@@ -1,7 +1,7 @@
 title: Logon Type 2 - Interactive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml

@@ -1,7 +1,7 @@
 title: Logon Type 3 - Network
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -17,6 +17,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml

@@ -1,7 +1,7 @@
 title: Logon Type 4 - Batch
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml

@@ -1,7 +1,7 @@
 title: Logon Type 5 - Service
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -17,6 +17,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml

@@ -1,7 +1,7 @@
 title: Logon Type 7 - Unlock
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml

@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml

@@ -1,7 +1,7 @@
 title: Logon Type 9 - NewCredentials
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -10,6 +10,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4625-Logon-Failure.yml

@@ -9,6 +9,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %TargetUserName% Type: %LogonType% Workstation: %Workstation% IP Address: %IpAddress% SubStatus: %SubStatus% AuthPackage: %AuthenticationPackageName%'
+output: 'User: %TargetUserName%  :  Type: %LogonType%  :  Workstation: %Workstation%  :  IP Address: %IpAddress%  :  SubStatus: %SubStatus%  :  AuthPackage: %AuthenticationPackageName%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4634-Logoff.yml

@@ -1,7 +1,7 @@
 title: Logoff
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -14,6 +14,6 @@ detection:
     
 falsepositives:
     - normal system usage
-output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+output: 'Username: %TargetUserName%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml

@@ -1,7 +1,7 @@
 title: Logoff - User Initiated
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -9,6 +9,6 @@ detection:
     
 falsepositives:
     - normal system usage
-output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+output: 'Username: %TargetUserName%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4672-Admin-Logon.yml

@@ -1,7 +1,7 @@
 title: Admin Logon
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -17,6 +17,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'User: %SubjectUserName% LogonID: %SubjectLogonId%'
+output: 'User: %SubjectUserName%  :  LogonID: %SubjectLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml

@@ -1,7 +1,7 @@
 title: Kerberos TGT was requested
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -9,6 +9,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status% PreAuthType: %PreAuthType%'
+output: 'User: %TargetUserName%  :  Service: %ServiceName%  :  IP Address: %IpAddress%  :  Status: %Status%  :  PreAuthType: %PreAuthType%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml

@@ -1,7 +1,7 @@
 title: Kerberos Service Ticket Requested
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -9,6 +9,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status%'
+output: 'User: %TargetUserName%  :  Service: %ServiceName%  :  IP Address: %IpAddress%  :  Status: %Status%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17

rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml

@@ -1,7 +1,7 @@
 title: NTLM Logon to Local Account
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
     selection:
         Channel: Security
@@ -9,6 +9,6 @@ detection:
 
 falsepositives:
     - normal system usage
-output: 'Username: %TargetUserName% Workstation %WorkstationName% Status: %Status%'
+output: 'User: %TargetUserName%  :  Workstation %WorkstationName%  :  Status: %Status%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17