From 4917f83c851c4b6a534666ad903d9108523ace19 Mon Sep 17 00:00:00 2001
From: root <root@wazuh.ccicm.lan>
Date: Thu, 9 Apr 2026 10:17:55 +0200
Subject: [PATCH] =?UTF-8?q?Cr=C3=A9ation=20r=C3=A8gle=20modif=20groupes=20?=
 =?UTF-8?q?windows?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Brut-force-linux.xml    |   4 +-
 Connexion-Linux-PBS.xml |  24 +++++++
 Connexion-admin.xml     |  26 +++++++
 Group-Windows.xml       | 155 ++++++++++++++++++++++++++++++++++++++++
 fim-fs17101.xml         |  15 +++-
 fortigate.xml           |   2 +-
 6 files changed, 220 insertions(+), 6 deletions(-)
 create mode 100644 Connexion-Linux-PBS.xml
 create mode 100644 Group-Windows.xml

diff --git a/Brut-force-linux.xml b/Brut-force-linux.xml
index f199a38..c4f092c 100644
--- a/Brut-force-linux.xml
+++ b/Brut-force-linux.xml
@@ -1,7 +1,7 @@
 <!-- Brut force SSH-tty PAM -->
 
 <group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
-  <rule id="100153" level="15" frequency="8" timeframe="180">
+  <rule id="100153" level="15" frequency="8" timeframe="180" ignore="30">
     <if_matched_sid>5503</if_matched_sid>
     <same_field>srcip</same_field>
     <description>Brut force Linux</description>
@@ -12,7 +12,7 @@
 </group>
 
 <group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
-  <rule id="100154" level="15" frequency="8" timeframe="180">
+  <rule id="100154" level="15" frequency="8" timeframe="180" ignore="30">
     <if_matched_sid>5503</if_matched_sid>
     <same_field>tty</same_field>
     <description>Brut force Linux</description>
diff --git a/Connexion-Linux-PBS.xml b/Connexion-Linux-PBS.xml
new file mode 100644
index 0000000..569fb70
--- /dev/null
+++ b/Connexion-Linux-PBS.xml
@@ -0,0 +1,24 @@
+<!-- Alertes en cas de connexion SSH PBS -->
+<!-- PBS LR -->
+<group name="authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+  <rule id="102500" level="15">
+    <if_sid>5501</if_sid>
+    <hostname>pbs</hostname>
+    <description>Connexion SSH sur PBS-LR</description>
+    <mitre>
+      <id>T1078</id>
+    </mitre>
+  </rule>
+</group>
+
+<!-- PBS LACT-->
+<group name="authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+  <rule id="102501" level="15">
+    <if_sid>5501</if_sid>
+    <hostname>pbs03</hostname>
+    <description>Connexion SSH sur PBS-LR</description>
+    <mitre>
+      <id>T1078</id>
+    </mitre>
+  </rule>
+</group>
\ No newline at end of file
diff --git a/Connexion-admin.xml b/Connexion-admin.xml
index 7a96df8..3795846 100644
--- a/Connexion-admin.xml
+++ b/Connexion-admin.xml
@@ -51,6 +51,32 @@
     </mitre>
   </rule>
 </group>
+
+<!-- Filtre anti bruit co sandbox -->
+<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+  <rule id="100003" level="0">
+    <if_sid>60118</if_sid>
+    <field name="win.eventdata.targetUserName">^CodexSandboxOffline$</field>
+    <description>Filtre anti bruit pour co sandbox windows offline</description>
+    <options>no_full_log</options>
+    <mitre>
+      <id>T1078</id>
+    </mitre>
+  </rule>
+</group>
+
+<!-- Filtre anti bruit déco sandbox -->
+<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
+  <rule id="100006" level="0">
+    <if_sid>67023</if_sid>
+    <field name="win.eventdata.targetUserName">^CodexSandboxOffline$</field>
+    <description>Filtre anti bruit pour déco sandbox windows offline</description>
+    <options>no_full_log</options>
+    <mitre>
+      <id>T1078</id>
+    </mitre>
+  </rule>
+</group>
  
 <!-- Déco utilisateur -->
 <group name="pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">  
diff --git a/Group-Windows.xml b/Group-Windows.xml
new file mode 100644
index 0000000..ed03d6b
--- /dev/null
+++ b/Group-Windows.xml
@@ -0,0 +1,155 @@
+<!-- Modification de groupe windows -->
+
+<!-- Critique : Modif groupe Administrateurs -->
+
+<!-- Règles native : modifier pour seulement Ajout utilisateur -->
+<group name="windows,windows_security,">
+  
+  <rule id="60154" level="15" overwrite="yes">
+    <if_sid>60144,60145</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-32-544$</field>
+    <field name="win.system.eventID">^636$|^4732$</field>
+    <description>Ajout membre Administrateurs </description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+ 
+ <!-- Suppression membre groupe Administrateurs --> 
+   <rule id="102100" level="12">
+    <if_sid>60145</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-32-544$</field>
+    <field name="win.system.eventID">^637$|^4733$</field>
+    <description>Suppression membre Administrateurs </description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+  
+
+<!-- Critique : Modif groupe Administrateurs clés -->
+
+<!-- Ajout membre -->
+  <rule id="102101" level="15">
+    <if_sid>60141</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-526$</field>
+    <description>Ajout membre Administrateurs clés</description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+
+<!-- Suppression membre -->
+  <rule id="102102" level="12">
+    <if_sid>60142</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-526$</field>
+    <description>Suppression membre Administrateurs clés</description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+
+
+<!-- Critique : Modif groupe Administrateurs clés Entreprise -->
+
+<!-- Ajout membre -->
+  <rule id="102103" level="15">
+    <if_sid>60151</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-527$</field>
+    <description>Ajout membre Administrateurs clés Entreprise</description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+
+<!-- Suppression membre -->
+  <rule id="102104" level="12">
+    <if_sid>60152</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-527$</field>
+    <description>Suppression membre Administrateurs clés Entreprise</description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+  
+  
+<!-- Critique : Modif groupe Administrateurs de l'entreprise -->
+
+<!-- Règle native : Modification groupe (cré, suppr, ajout..) -->
+  <rule id="60167" level="15" overwrite="yes">
+    <if_sid>60149,60150,60151,60152</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-\S+-519$</field>
+    <description>Groupe Administrateurs de l'entreprise modifié</description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+
+  
+  
+<!-- Critique : Modif groupe Administrateurs du schéma -->
+
+<!-- Règle native : Modification groupe (cré, suppr, ajout..) -->
+  <rule id="60166" level="15" overwrite="yes">
+    <if_sid>60149,60150,60151,60152</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-\S+-518$</field>
+    <description>Groupe Administrateurs du schéma modifié</description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+  
+
+<!-- Critique : Modif groupe Admins du domaine -->
+
+<!-- Règle native : Ajout utilisateur -->
+  <rule id="60159" level="15" overwrite="yes">
+    <if_sid>60141,60142</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-\S+-512$</field>
+    <field name="win.system.eventID">^632$|^4728$</field>
+    <description>Ajout membre Admins du domaine</description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+  
+<!-- Suppression membre -->
+  <rule id="102105" level="12">
+    <if_sid>60142</if_sid>
+    <field name="win.eventdata.targetSid">^S-1-5-\S+-512$</field>
+    <field name="win.system.eventID">^633$|^4729$</field>
+    <description>Ajout membre Admins du domaine </description>
+    <options>no_full_log</options>
+    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
+    <mitre>
+      <id>T1484</id>
+    </mitre>
+  </rule>
+
+
+
+
+
+
+
+
+
+  </group>
\ No newline at end of file
diff --git a/fim-fs17101.xml b/fim-fs17101.xml
index f5d44c2..af48aa0 100644
--- a/fim-fs17101.xml
+++ b/fim-fs17101.xml
@@ -22,6 +22,15 @@
 <!-- Filtre accès objet win - Supression/modif/créa -->
 <group name="windows,windows_security,">
   <rule id="100102" level="0">
+    <if_sid>100100</if_sid>
+    <field type="pcre2" name="win.eventdata.objectName">.db$</field>
+    <description>Filtre modif fichier temporaire</description>
+  </rule>
+</group>
+
+<!-- Filtre accès objet win - Supression/modif/créa -->
+<group name="windows,windows_security,">
+  <rule id="100103" level="0">
     <if_sid>100100</if_sid>
     <field type="pcre2" name="win.eventdata.objectName">Zone.Identifier$</field>
     <description>Filtre modif fichier temporaire</description>
@@ -30,7 +39,7 @@
 
 <!-- Règle alerte lors de la modification d'un fichier -->
 <group name="windows,windows_security,">
-  <rule id="100103" level="5">
+  <rule id="100104" level="5">
     <if_sid>100100</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <description>Alerte fichier modifié</description>
@@ -40,7 +49,7 @@
 
 <!-- Règle alerte lors de la suppression d'un fichier -->
 <group name="windows,windows_security,">
-  <rule id="100104" level="5">
+  <rule id="100105" level="5">
     <if_sid>100100</if_sid>
     <field name="win.system.eventID">^4659$</field>
     <description>Alerte fichier supprimé</description>
@@ -50,7 +59,7 @@
 
 <!-- Règle alerte lors de la création d'un fichier -->
 <group name="windows,windows_security,">
-  <rule id="100105" level="5">
+  <rule id="100106" level="5">
     <if_sid>100100</if_sid>
     <field name="win.system.message">Écriture données (ou ajout fichier)</field>
     <description>Alerte fichier Créé</description>
diff --git a/fortigate.xml b/fortigate.xml
index e4bfc0f..e721096 100644
--- a/fortigate.xml
+++ b/fortigate.xml
@@ -33,7 +33,7 @@
   <!-- 4. Alerte 1GB critique -->
   <rule id="100254" level="8">
     <if_sid>100251</if_sid>
-    <field type="pcre2" name="sentbyte">^\d{10,}$</field>
+    <field type="pcre2" name="sentbyte">^(?:[1-9]\d{9})$</field>
     <description>CRITICAL - Fortigate: Massive outbound transfer 1GB from $(srcip) to $(dstip)</description>
   </rule>