regex rule implemented

2020-11-21 22:56:21 +09:00
parent 1abdbafb5a
commit d976ddc4d0
31 changed files with 675 additions and 1809 deletions
@@ -0,0 +1,17 @@
+title: An account failed to log on
+description: hogehoge
+enabled: false
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4648
+    # condition: selection | count(TargetUserName) > 3
+falsepositives:
+    - unknown
+level: High
+output: 'Distributed Account Explicit Credential Use (Password Spray Attack)¥n The use of multiple user account access attempts with explicit credentials is ¥nan indicator of a password spray attack.¥nTarget Usernames:%TargetUserName$¥nAccessing Username: %SubjectUserName%¥nAccessing Host Name: %SubjectDomainName%'
+creation_date: 2020/11/8
+uodated_date: 2020/11/8