Rule tuning
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 0 - System
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 10 - RDP (Remote Interactive)
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
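Review bot: The output format line is rewritten in the `@@ -10,6 +10,6 @@` hunk, but `updated_date: 2021/11/17` stays a context line, so the rule's metadata no longer reflects its last edit unless this commit landed on that same day. The same applies to every other section in this commit whose output line changes (Logon Type 11, 12, 13, 2, 3, 4, 5, 7, 9, the two Logoff rules, Admin Logon, both Kerberos rules and NTLM Logon to Local Account). The commit date is not shown on this page; if it post-dates 2021/11/17, bump `updated_date:` to the commit date in each of them.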
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 11 - CachedInteractive
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 12 - CachedRemoteInteractive
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 13 - CachedUnlock
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 2 - Interactive
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 3 - Network
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -17,6 +17,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 4 - Batch
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 5 - Service
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -17,6 +17,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 7 - Unlock
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Logon Type 9 - NewCredentials
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -10,6 +10,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
|
||||
output: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : Port: %IpPort% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory.)'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %TargetUserName% Type: %LogonType% Workstation: %Workstation% IP Address: %IpAddress% SubStatus: %SubStatus% AuthPackage: %AuthenticationPackageName%'
|
||||
output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %Workstation% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
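Review bot: The new output line uses `%Workstation%` where every other rule in this commit reads the workstation from `%WorkstationName%` (the RDP and NTLM rules, for example), so this placeholder may not resolve if the underlying event names the field WorkstationName as the others do. The hunk shows neither the title nor an EventID, so this is inferred from the field names only; confirm against the event's schema, and if it is the same field change the line to `output: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : SubStatus: %SubStatus% : AuthPackage: %AuthenticationPackageName%'`. The rule's header lines are outside this hunk.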
@@ -1,7 +1,7 @@
|
||||
title: Logoff
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -14,6 +14,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
|
||||
output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
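Review bot: The new output line keeps the `Username:` label while the other rules touched here standardise on `User:` (the NTLM and both Kerberos rules change `Username:` to `User:` in this same commit), so the logoff rules are now the odd ones out; `output: 'User: %TargetUserName% : LogonID: %TargetLogonId%'` would match. The same applies to the Logoff - User Initiated section. Separately, `description: Prints logon information` is a context line in the first hunk but describes a logoff rule; `description: Prints logoff information` would be accurate for both logoff rules.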
@@ -1,7 +1,7 @@
|
||||
title: Logoff - User Initiated
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
|
||||
output: 'Username: %TargetUserName% : LogonID: %TargetLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Admin Logon
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -17,6 +17,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'User: %SubjectUserName% LogonID: %SubjectLogonId%'
|
||||
output: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Kerberos TGT was requested
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status% PreAuthType: %PreAuthType%'
|
||||
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
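Review bot: The title `Kerberos TGT was requested` is in a different style from `Kerberos Service Ticket Requested` in the next section (sentence case and past-tense verb versus title case), so the two Kerberos rules read as if written by different authors even though the same commit tunes both. Both title lines are context, so this is carried over rather than introduced here; `title: Kerberos TGT Requested` would bring it in line with its sibling.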
@@ -1,7 +1,7 @@
|
||||
title: Kerberos Service Ticket Requested
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status%'
|
||||
output: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
@@ -1,7 +1,7 @@
|
||||
title: NTLM Logon to Local Account
|
||||
description: Prints logon information
|
||||
author: Zach Mathis
|
||||
level: info
|
||||
level: informational
|
||||
detection:
|
||||
selection:
|
||||
Channel: Security
|
||||
@@ -9,6 +9,6 @@ detection:
|
||||
|
||||
falsepositives:
|
||||
- normal system usage
|
||||
output: 'Username: %TargetUserName% Workstation %WorkstationName% Status: %Status%'
|
||||
output: 'User: %TargetUserName% : Workstation %WorkstationName% : Status: %Status%'
|
||||
creation_date: 2021/11/17
|
||||
updated_date: 2021/11/17
|
||||
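Review bot: The new output line has `Workstation %WorkstationName%` without the colon after the label, which every other field label in this commit's output lines carries (`Workstation: %WorkstationName%` in the logon-type rules), so this one label will print differently from the rest; the line should read `output: 'User: %TargetUserName% : Workstation: %WorkstationName% : Status: %Status%'`. The missing colon is present on the removed line too, so the commit carries it over rather than introducing it, but it renames the first label on the same line and is the natural place to fix it.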