Rule tuning

2021-11-18 10:31:28 +09:00
parent 771c86edbf
commit bad4429ad0
44 changed files with 137 additions and 112 deletions
--- a/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
+++ b/rules-noisy/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
@@ -2,8 +2,7 @@ title: PowerShell Execution Remote Command
 title_jp: Powershellのリモートコマンドの実行
 description: Powershell command executed remotely.
 description_jp: Powershell command executed remotely.
-author: Eric Conrad
+author: Eric Conrad, Zach Mathis
 contributor: Zach Mathis
 mitre_attack: T1059
 level: medium
 detection:
@@ -15,7 +14,7 @@ detection:
    # condition: selection
 falsepositives:
    - normal system usage
-output: 'Command = %ScriptBlockText%'
+output: 'Command: %ScriptBlockText%'
-output: 'コマンド = %ScriptBlockText%'
+output: 'コマンド: %ScriptBlockText%'
 creation_date: 2020/11/08
 updated_date:  2021/11/06
--- a/rules-noisy/Security/4688.yml
+++ b/rules-noisy/Security/4688.yml
@@ -1,6 +1,6 @@
 title: Command Line Logging
-description: hogehoge
+description: Command line logging.
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
    selection:
        Channel: Security
@@ -9,6 +9,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+output: 'CommandLine:%CommandLine%  :  ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/8
--- a/rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml
+++ b/rules-noisy/Sigma/already-have-hayabusa-rule/win_hidden_user_creation.yml
--- a/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml
+++ b/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_added_to_local_administrators.yml
--- a/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml
+++ b/rules-noisy/Sigma/already-have-hayabusa-rule/win_user_creation.yml
--- a/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
+++ b/rules/alert-rules/hayabusa/BitsClientOperational/59_T1197_BitsJobCreation.yaml
@@ -12,7 +12,7 @@ detection:
        EventID: 59
 falsepositives:
    - normal system usage
-output: 'Job Title:%JobTitle% URL:%Url%'
+output: 'Job Title:%JobTitle%  :  URL:%Url%'
-output_jp: 'Job名:%JobTitle% URL:%Url%'
+output_jp: 'Job名:%JobTitle%  :  URL:%Url%'
 creation_date: 2021/07/15
-updated_date:  2021/11/06
+updated_date:  2021/11/18
--- a/rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
+++ b/rules/alert-rules/hayabusa/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
@@ -16,7 +16,7 @@ detection:
    # condition: selection
 falsepositives:
    - normal system usage
-output: 'Command = %CommandLine%'
+output: 'Command:%CommandLine%'
-output_jp: 'コマンド = %CommandLine%'
+output_jp: 'コマンド:%CommandLine%'
 creation_date: 2020/11/08
-updated_date:  2021/11/06
+updated_date:  2021/11/18
--- a/rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml
+++ b/rules/alert-rules/hayabusa/Security/1102_T1070.001_SecurityLogCleared.yml
@@ -2,7 +2,7 @@ title: Security log was cleared
 title_jp: セキュリティログがクリアされた
 description: Somebody has cleared the Security event log.
 description_jp: 誰かがセキュリティログをクリアした。
-author: Eric Contrad
+author: Eric Conrad
 contributor: Zach Mathis, Akira Nishikawa, James Takai
 mitre_attack: T1070.001
 level: high
--- a/rules/alert-rules/hayabusa/Security/4673.yml
+++ b/rules/alert-rules/hayabusa/Security/4673.yml
@@ -1,6 +1,7 @@
 title: Sensitive Privilede Use (Mimikatz)
 description: hogehoge
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: medium
 detection:
    selection:
        Channel: Security
--- a/rules/alert-rules/hayabusa/Security/4674.yml
+++ b/rules/alert-rules/hayabusa/Security/4674.yml
@@ -1,6 +1,7 @@
-title: An Operation was attempted on a privileged object
+title: An operation was attempted on a privileged object
 description: hogehoge
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: informational
 detection:
    selection:
        Channel: Security
--- a/rules/alert-rules/hayabusa/Security/4720.yml
+++ b/rules/alert-rules/hayabusa/Security/4720.yml
@@ -1,13 +0,0 @@
 title: A user account was created.
 description: hogehoge
 author: DeepblueCLI, Zach Mathis
 detection:
    selection:
        Channel: Security
        EventID: 4720
    # condition: selection
 falsepositives:
    - unknown
 output: 'New User Created UserName:%TargetUserName% SID:%TargetSid%'
 creation_date: 2020/11/8
 updated_date: 2020/11/8
--- a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml
+++ b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalComputerAccountCreated.yml
@@ -0,0 +1,15 @@
 title: Hidden computer account created! (Possible Backdoor)
 description: A local user account was created
 author: Eric Conrad, Zach Mathis
 level: high
 detection:
    selection:
        Channel: Security
        EventID: 4720
        TargetUserName|endswith: "$"
 falsepositives:
    - unknown
 output: 'User: %TargetUserName%  :  SID:%TargetSid%'
 creation_date: 2020/11/8
 updated_date: 2021/11/18
--- a/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml
+++ b/rules/alert-rules/hayabusa/Security/4720_T1136.001_LocalUserAccountCreated.yml
@@ -0,0 +1,16 @@
 title: User account created
 description: A local user account was created
 author: Eric Conrad, Zach Mathis
 level: low
 detection:
    selection:
        Channel: Security
        EventID: 4720
    filter:
        TargetUserName|endswith: "$"
    condition: selection and not filter
 falsepositives:
    - unknown
 output: 'User: %TargetUserName%  :  SID:%TargetSid%'
 creation_date: 2020/11/8
 updated_date: 2021/11/18
--- a/rules/alert-rules/hayabusa/Security/4728.yml
+++ b/rules/alert-rules/hayabusa/Security/4728.yml
@@ -1,6 +1,7 @@
-title: A member was added to a security-enabled global group.
+title: User added to local Administrators group
-description: hogehoge
+description: A user was added to a group.
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: high
 detection:
    selection:
        Channel: Security
@@ -9,6 +10,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'user added to global Administrators UserName: %MemberName% SID: %MemberSid%'
+output: 'User: %MemberName%  :  SID: %MemberSid%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/18
--- a/rules/alert-rules/hayabusa/Security/4732.yml
+++ b/rules/alert-rules/hayabusa/Security/4732.yml
@@ -1,6 +1,7 @@
-title: A member was added to a security-enabled local group.
+title: User added to local Administrators group
-description: hogehoge
+description: User added to local Administrators group
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: high
 detection:
    selection:
        Channel: Security
@@ -9,6 +10,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
+output: 'UserName: %MemberName%  :  SID: %MemberSid%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/18
--- a/rules/alert-rules/hayabusa/Security/4756.yml
+++ b/rules/alert-rules/hayabusa/Security/4756.yml
@@ -1,6 +1,7 @@
-title: A member was added to a security-enabled universal group.
+title: User added to Administrators universal group.
 description: hogehoge
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: high
 detection:
    selection:
        Channel: Security
@@ -9,6 +10,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
+output: 'UserName: %MemberName%  :  SID: %MemberSid%'
 creation_date: 2020/11/8
-updated_date: 2020/11/8
+updated_date: 2021/11/8
--- a/rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml
+++ b/rules/alert-rules/hayabusa/Security/4768_T1558.004_AS-REP-Roasting.yml
@@ -1,5 +1,5 @@
-title: AS-REP Roasting
+title: Possible AS-REP Roasting
-title_jp: AS-REPロースティング
+title_jp: AS-REPロースティングの可能性
 description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
 description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
 author: Matsui
--- a/rules/alert-rules/hayabusa/Security/_4625.yml
+++ b/rules/alert-rules/hayabusa/Security/_4625.yml
@@ -1,7 +1,7 @@
 title: An account failed to log on
-description: hogehoge
+description: Logon Failure
 ignore: true
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
    selection:
        Channel: Security
--- a/rules/alert-rules/hayabusa/Security/_4648.yml
+++ b/rules/alert-rules/hayabusa/Security/_4648.yml
@@ -1,7 +1,7 @@
 title: An account failed to log on
 description: hogehoge
 ignore: true
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
    selection:
        Channel: Security
--- a/rules/alert-rules/hayabusa/Security/_4672.yml
+++ b/rules/alert-rules/hayabusa/Security/_4672.yml
@@ -1,7 +1,7 @@
 title: Command Line Logging
-description: hogehoge
+description: Command Line Logging
 ignore: true
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'CommandLine:%CommandLine% ParentProcessName:%ParentProcessName%'
+output: 'CommandLine:%CommandLine%  :  ParentProcessName:%ParentProcessName%'
 creation_date: 2020/11/8
 updated_date: 2020/11/8
--- a/rules/alert-rules/hayabusa/Sysmon/1.yml
+++ b/rules/alert-rules/hayabusa/Sysmon/1.yml
@@ -1,6 +1,6 @@
-title: Sysmon Check command lines
+title: Command line execution
-description: hogehoge
+description: Command line execution
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
    selection:
        Channel: Sysmon
@@ -9,7 +9,7 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'CommandLine=%CommandLine%¥nParentImage=%ParentImage%'
+output: 'CommandLine: %CommandLine%  :  ParentImage:%ParentImage%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
--- a/rules/alert-rules/hayabusa/Sysmon/7.yml
+++ b/rules/alert-rules/hayabusa/Sysmon/7.yml
@@ -1,6 +1,6 @@
-title: Check for unsigned EXEs/DLLs
+title: Unsigned EXEs/DLLs
-description: hogehoge
+description: Detects usage of unsigned exe and dlls.
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 detection:
    selection:
        Channel: Sysmon
@@ -9,6 +9,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'Message: Unsigned Image(DLL)¥n Result : Loaded by: %event_data.Image%¥nCommand : %event_data.ImageLoaded%'
+output: 'Unsigned Image(DLL): %event_data.Image  :  Command: %event_data.ImageLoaded%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
--- a/rules/alert-rules/hayabusa/System/7030.yml
+++ b/rules/alert-rules/hayabusa/System/7030.yml
@@ -1,6 +1,7 @@
-title: This service may not function properly
+title: Interactive service may not function properly
-description: hogehoge
+description: Uses a blocklist of suspicious services to detect malware. 7030 happens when a service is marked as an interactive service but the system is not configured to allow interactive services so it might not function properly.
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: low
 detection:
    selection:
        Channel: System
@@ -10,6 +11,6 @@ detection:
    # condition: selection
 falsepositives:
    - unknown
-output: 'Interactive service warning¥nService name: %ServiceName%¥nMalware (and some third party software) trigger this warning'
+output: 'Service: %ServiceName%'
 creation_date: 2020/11/8
 uodated_date: 2020/11/8
--- a/rules/alert-rules/hayabusa/System/7040.yml
+++ b/rules/alert-rules/hayabusa/System/7040.yml
@@ -1,6 +1,7 @@
-title: The start type of the Windows Event Log service was changed from auto start to disabled
+title: Windows Event Log service start type changed from auto start to disabled
-description: hogehoge
+description: Possible anti-forensics disabling the log service.
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: high
 detection:
    selection:
        Channel: System
@@ -12,6 +13,6 @@ detection:
    condition: selection
 falsepositives:
    - unknown
-output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
+output: 'Service: %param1%'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
--- a/rules/alert-rules/hayabusa/System/7045.yml
+++ b/rules/alert-rules/hayabusa/System/7045.yml
@@ -1,6 +1,7 @@
-title: A service was installed in the system
+title: Service installed
-description: hogehoge
+description: A service was installed. Malware often will install itself as malware.
-author: DeepblueCLI, Zach Mathis
+author: Eric Conrad, Zach Mathis
 level: low
 detection:
    selection:
        Channel: System
@@ -13,6 +14,6 @@ detection:
    condition: selection
 falsepositives:
    - unknown
-output: 'New Service Created¥n%ImagePath¥nService name: %ServiceName%'
+output: 'Service: %ServiceName%  :  Image path: %ImagePath'
 creation_date: 2020/11/8
-uodated_date: 2020/11/8
+uodated_date: 2021/11/8
--- a/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-0-System.yml
@@ -1,7 +1,7 @@
 title: Logon Type 0 - System
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
--- a/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-10-RemoteInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 10 - RDP (Remote Interactive)
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-11-CachedInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 11 - CachedInteractive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-12-CachedRemoteInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 12 - CachedRemoteInteractive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-13-CachedUnlock.yml
@@ -1,7 +1,7 @@
 title: Logon Type 13 - CachedUnlock
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-2-Interactive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 2 - Interactive
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-3-Network.yml
@@ -1,7 +1,7 @@
 title: Logon Type 3 - Network
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -17,6 +17,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-4-Batch.yml
@@ -1,7 +1,7 @@
 title: Logon Type 4 - Batch
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-5-Service.yml
@@ -1,7 +1,7 @@
 title: Logon Type 5 - Service
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -17,6 +17,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-7-Unlock.yml
@@ -1,7 +1,7 @@
 title: Logon Type 7 - Unlock
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-8-NetworkCleartext.yml
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId%'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml
+++ b/rules/timeline-rules/Logons/4624-Logon-Type-9-NewInteractive.yml
@@ -1,7 +1,7 @@
 title: Logon Type 9 - NewCredentials
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -10,6 +10,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Workstation: %WorkstationName% IP Address: %IpAddress% Port: %IpPort% LogonID: %TargetLogonId% (Warning: Credentials are stored in memory.)'
+output: 'User: %TargetUserName%  :  Workstation: %WorkstationName%  :  IP Address: %IpAddress%  :  Port: %IpPort%  :  LogonID: %TargetLogonId%  :  (Warning: Credentials are stored in memory.)'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4625-Logon-Failure.yml
+++ b/rules/timeline-rules/Logons/4625-Logon-Failure.yml
@@ -9,6 +9,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %TargetUserName% Type: %LogonType% Workstation: %Workstation% IP Address: %IpAddress% SubStatus: %SubStatus% AuthPackage: %AuthenticationPackageName%'
+output: 'User: %TargetUserName%  :  Type: %LogonType%  :  Workstation: %Workstation%  :  IP Address: %IpAddress%  :  SubStatus: %SubStatus%  :  AuthPackage: %AuthenticationPackageName%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4634-Logoff.yml
+++ b/rules/timeline-rules/Logons/4634-Logoff.yml
@@ -1,7 +1,7 @@
 title: Logoff
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -14,6 +14,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+output: 'Username: %TargetUserName%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml
+++ b/rules/timeline-rules/Logons/4647-Logoff-User-Initiated.yml
@@ -1,7 +1,7 @@
 title: Logoff - User Initiated
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'Username: %TargetUserName% LogonID: %TargetLogonId%'
+output: 'Username: %TargetUserName%  :  LogonID: %TargetLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4672-Admin-Logon.yml
+++ b/rules/timeline-rules/Logons/4672-Admin-Logon.yml
@@ -1,7 +1,7 @@
 title: Admin Logon
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -17,6 +17,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'User: %SubjectUserName% LogonID: %SubjectLogonId%'
+output: 'User: %SubjectUserName%  :  LogonID: %SubjectLogonId%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml
+++ b/rules/timeline-rules/Logons/4768-Kerberos-TGT-Request.yml
@@ -1,7 +1,7 @@
 title: Kerberos TGT was requested
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status% PreAuthType: %PreAuthType%'
+output: 'User: %TargetUserName%  :  Service: %ServiceName%  :  IP Address: %IpAddress%  :  Status: %Status%  :  PreAuthType: %PreAuthType%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml
+++ b/rules/timeline-rules/Logons/4769-Kerberos-Service-Ticket-Request.yml
@@ -1,7 +1,7 @@
 title: Kerberos Service Ticket Requested
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'tUsername: %TargetUserName% Service Name: %ServiceName% IP Address: %IpAddress% Status: %Status%'
+output: 'User: %TargetUserName%  :  Service: %ServiceName%  :  IP Address: %IpAddress%  :  Status: %Status%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17
--- a/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
+++ b/rules/timeline-rules/Logons/4776-NTLM-Logon-to-Local-Account.yml
@@ -1,7 +1,7 @@
 title: NTLM Logon to Local Account
 description: Prints logon information
 author: Zach Mathis
-level: info
+level: informational
 detection:
    selection:
        Channel: Security
@@ -9,6 +9,6 @@ detection:
 falsepositives:
    - normal system usage
-output: 'Username: %TargetUserName% Workstation %WorkstationName% Status: %Status%'
+output: 'User: %TargetUserName%  :  Workstation %WorkstationName%  :  Status: %Status%'
 creation_date: 2021/11/17
 updated_date: 2021/11/17