l.bourdin
/
Wazuh-Custom-rules
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Création règle modif groupes windows

This commit is contained in:
root 2026-04-09 10:17:55 +02:00
parent ce8ad9f5a2
commit 4917f83c85
6 changed files with 220 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Brut-force-linux.xml
View File

@ -1,7 +1,7 @@
<!-- Brut force SSH-tty PAM --> <!-- Brut force SSH-tty PAM -->
<group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,"> <group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="100153" level="15" frequency="8" timeframe="180"> <rule id="100153" level="15" frequency="8" timeframe="180" ignore="30">
<if_matched_sid>5503</if_matched_sid> <if_matched_sid>5503</if_matched_sid>
<same_field>srcip</same_field> <same_field>srcip</same_field>
<description>Brut force Linux</description> <description>Brut force Linux</description>
@ -12,7 +12,7 @@
</group> </group>
<group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,"> <group name="authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="100154" level="15" frequency="8" timeframe="180"> <rule id="100154" level="15" frequency="8" timeframe="180" ignore="30">
<if_matched_sid>5503</if_matched_sid> <if_matched_sid>5503</if_matched_sid>
<same_field>tty</same_field> <same_field>tty</same_field>
<description>Brut force Linux</description> <description>Brut force Linux</description>

24
Connexion-Linux-PBS.xml Normal file
View File

@ -0,0 +1,24 @@
<!-- Alertes en cas de connexion SSH PBS -->
<!-- PBS LR -->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="102500" level="15">
<if_sid>5501</if_sid>
<hostname>pbs</hostname>
<description>Connexion SSH sur PBS-LR</description>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>
<!-- PBS LACT-->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="102501" level="15">
<if_sid>5501</if_sid>
<hostname>pbs03</hostname>
<description>Connexion SSH sur PBS-LR</description>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>

26
Connexion-admin.xml
View File

@ -52,6 +52,32 @@
</rule> </rule>
</group> </group>
<!-- Filtre anti bruit co sandbox -->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="100003" level="0">
<if_sid>60118</if_sid>
<field name="win.eventdata.targetUserName">^CodexSandboxOffline$</field>
<description>Filtre anti bruit pour co sandbox windows offline</description>
<options>no_full_log</options>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>
<!-- Filtre anti bruit déco sandbox -->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="100006" level="0">
<if_sid>67023</if_sid>
<field name="win.eventdata.targetUserName">^CodexSandboxOffline$</field>
<description>Filtre anti bruit pour déco sandbox windows offline</description>
<options>no_full_log</options>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>
<!-- Déco utilisateur --> <!-- Déco utilisateur -->
<group name="pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,"> <group name="pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="60137" level="1" overwrite="yes"> <rule id="60137" level="1" overwrite="yes">

155
Group-Windows.xml Normal file
View File

@ -0,0 +1,155 @@
<!-- Modification de groupe windows -->
<!-- Critique : Modif groupe Administrateurs -->
<!-- Règles native : modifier pour seulement Ajout utilisateur -->
<group name="windows,windows_security,">
<rule id="60154" level="15" overwrite="yes">
<if_sid>60144,60145</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-32-544$</field>
<field name="win.system.eventID">^636$|^4732$</field>
<description>Ajout membre Administrateurs </description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Suppression membre groupe Administrateurs -->
<rule id="102100" level="12">
<if_sid>60145</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-32-544$</field>
<field name="win.system.eventID">^637$|^4733$</field>
<description>Suppression membre Administrateurs </description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Critique : Modif groupe Administrateurs clés -->
<!-- Ajout membre -->
<rule id="102101" level="15">
<if_sid>60141</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-526$</field>
<description>Ajout membre Administrateurs clés</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Suppression membre -->
<rule id="102102" level="12">
<if_sid>60142</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-526$</field>
<description>Suppression membre Administrateurs clés</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Critique : Modif groupe Administrateurs clés Entreprise -->
<!-- Ajout membre -->
<rule id="102103" level="15">
<if_sid>60151</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-527$</field>
<description>Ajout membre Administrateurs clés Entreprise</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Suppression membre -->
<rule id="102104" level="12">
<if_sid>60152</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-21-888472903-3453034670-1221216045-527$</field>
<description>Suppression membre Administrateurs clés Entreprise</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Critique : Modif groupe Administrateurs de l'entreprise -->
<!-- Règle native : Modification groupe (cré, suppr, ajout..) -->
<rule id="60167" level="15" overwrite="yes">
<if_sid>60149,60150,60151,60152</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-\S+-519$</field>
<description>Groupe Administrateurs de l'entreprise modifié</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Critique : Modif groupe Administrateurs du schéma -->
<!-- Règle native : Modification groupe (cré, suppr, ajout..) -->
<rule id="60166" level="15" overwrite="yes">
<if_sid>60149,60150,60151,60152</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-\S+-518$</field>
<description>Groupe Administrateurs du schéma modifié</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Critique : Modif groupe Admins du domaine -->
<!-- Règle native : Ajout utilisateur -->
<rule id="60159" level="15" overwrite="yes">
<if_sid>60141,60142</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-\S+-512$</field>
<field name="win.system.eventID">^632$|^4728$</field>
<description>Ajout membre Admins du domaine</description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
<!-- Suppression membre -->
<rule id="102105" level="12">
<if_sid>60142</if_sid>
<field name="win.eventdata.targetSid">^S-1-5-\S+-512$</field>
<field name="win.system.eventID">^633$|^4729$</field>
<description>Ajout membre Admins du domaine </description>
<options>no_full_log</options>
<group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1484</id>
</mitre>
</rule>
</group>

15
fim-fs17101.xml
View File

@ -22,6 +22,15 @@
<!-- Filtre accès objet win - Supression/modif/créa --> <!-- Filtre accès objet win - Supression/modif/créa -->
<group name="windows,windows_security,"> <group name="windows,windows_security,">
<rule id="100102" level="0"> <rule id="100102" level="0">
<if_sid>100100</if_sid>
<field type="pcre2" name="win.eventdata.objectName">.db$</field>
<description>Filtre modif fichier temporaire</description>
</rule>
</group>
<!-- Filtre accès objet win - Supression/modif/créa -->
<group name="windows,windows_security,">
<rule id="100103" level="0">
<if_sid>100100</if_sid> <if_sid>100100</if_sid>
<field type="pcre2" name="win.eventdata.objectName">Zone.Identifier$</field> <field type="pcre2" name="win.eventdata.objectName">Zone.Identifier$</field>
<description>Filtre modif fichier temporaire</description> <description>Filtre modif fichier temporaire</description>
@ -30,7 +39,7 @@
<!-- Règle alerte lors de la modification d'un fichier --> <!-- Règle alerte lors de la modification d'un fichier -->
<group name="windows,windows_security,"> <group name="windows,windows_security,">
<rule id="100103" level="5"> <rule id="100104" level="5">
<if_sid>100100</if_sid> <if_sid>100100</if_sid>
<field name="win.system.eventID">^4663$</field> <field name="win.system.eventID">^4663$</field>
<description>Alerte fichier modifié</description> <description>Alerte fichier modifié</description>
@ -40,7 +49,7 @@
<!-- Règle alerte lors de la suppression d'un fichier --> <!-- Règle alerte lors de la suppression d'un fichier -->
<group name="windows,windows_security,"> <group name="windows,windows_security,">
<rule id="100104" level="5"> <rule id="100105" level="5">
<if_sid>100100</if_sid> <if_sid>100100</if_sid>
<field name="win.system.eventID">^4659$</field> <field name="win.system.eventID">^4659$</field>
<description>Alerte fichier supprimé</description> <description>Alerte fichier supprimé</description>
@ -50,7 +59,7 @@
<!-- Règle alerte lors de la création d'un fichier --> <!-- Règle alerte lors de la création d'un fichier -->
<group name="windows,windows_security,"> <group name="windows,windows_security,">
<rule id="100105" level="5"> <rule id="100106" level="5">
<if_sid>100100</if_sid> <if_sid>100100</if_sid>
<field name="win.system.message">Écriture données (ou ajout fichier)</field> <field name="win.system.message">Écriture données (ou ajout fichier)</field>
<description>Alerte fichier Créé</description> <description>Alerte fichier Créé</description>

2
fortigate.xml
View File

@ -33,7 +33,7 @@
<!-- 4. Alerte 1GB critique --> <!-- 4. Alerte 1GB critique -->
<rule id="100254" level="8"> <rule id="100254" level="8">
<if_sid>100251</if_sid> <if_sid>100251</if_sid>
<field type="pcre2" name="sentbyte">^\d{10,}$</field> <field type="pcre2" name="sentbyte">^(?:[1-9]\d{9})$</field>
<description>CRITICAL - Fortigate: Massive outbound transfer 1GB from $(srcip) to $(dstip)</description> <description>CRITICAL - Fortigate: Massive outbound transfer 1GB from $(srcip) to $(dstip)</description>
</rule> </rule>