<!-- Modification de groupe windows -->
<!-- Critique : Modif groupe Administrateurs -->
<!-- Règle native : modifiée pour ne garder que l'ajout d'utilisateur -->
<group name="windows,windows_security,">
<!-- Overrides native rule 60154 (overwrite="yes"): fires only on additions to the
     built-in Administrators group (well-known SID S-1-5-32-544). Removals from the
     same group are handled by custom rule 102100 below. -->
<rule id="60154" level="15" overwrite="yes">
  <!-- Parents 60144 / 60145 (local group member added / removed). With the eventID
       filter below restricted to additions, 60145 appears redundant; confirm against
       the native ruleset before removing it. -->
  <if_sid>60144,60145</if_sid>
  <!-- Match on the SID rather than the (localized) group name: the SID is stable
       across renames and languages. -->
  <field name="win.eventdata.targetSid">^S-1-5-32-544$</field>
  <!-- 636 (legacy) / 4732: member added to a security-enabled local group. -->
  <field name="win.system.eventID">^636$|^4732$</field>
  <description>Ajout membre Administrateurs </description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <!-- NOTE(review): T1484 (Domain Policy Modification) is the technique used by
       every rule in this file; group-membership changes are usually mapped to
       T1098 (Account Manipulation). Confirm the intended mapping. -->
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>
<!-- Suppression membre groupe Administrateurs -->
<!-- Custom rule: member removed from the built-in Administrators group
     (well-known SID S-1-5-32-544). Level 12 rather than 15 mirrors the other
     removal rules in this file (102102, 102104, 102105). -->
<rule id="102100" level="12">
  <!-- Parent 60145: member removed from a security-enabled local group. -->
  <if_sid>60145</if_sid>
  <field name="win.eventdata.targetSid">^S-1-5-32-544$</field>
  <!-- 637 (legacy) / 4733: member removed from a security-enabled local group. -->
  <field name="win.system.eventID">^637$|^4733$</field>
  <description>Suppression membre Administrateurs </description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>
<!-- Critique : Modif groupe Administrateurs clés -->
<!-- Ajout membre -->
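<!-- Custom rule: member added to the Key Admins group.
     RID 526 is the well-known RID of Key Admins, so the domain part of the SID is
     matched with \S+ (the same form rules 60159/60166/60167 in this file use)
     instead of a hard-coded domain SID; the rule therefore holds for every domain
     of the forest and does not leak the environment's domain SID. -->
<rule id="102101" level="15">
  <!-- Parent 60141: member added to a security-enabled global group. -->
  <if_sid>60141</if_sid>
  <field name="win.eventdata.targetSid">^S-1-5-\S+-526$</field>
  <description>Ajout membre Administrateurs clés</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>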
<!-- Suppression membre -->
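<!-- Custom rule: member removed from the Key Admins group (well-known RID 526).
     The domain part of the SID is matched with \S+, as rules 60159/60166/60167 in
     this file do, instead of a hard-coded domain SID, so the rule holds for every
     domain of the forest. Level 12 mirrors the other removal rules. -->
<rule id="102102" level="12">
  <!-- Parent 60142: member removed from a security-enabled global group. -->
  <if_sid>60142</if_sid>
  <field name="win.eventdata.targetSid">^S-1-5-\S+-526$</field>
  <description>Suppression membre Administrateurs clés</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>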
<!-- Critique : Modif groupe Administrateurs clés Entreprise -->
<!-- Ajout membre -->
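<!-- Custom rule: member added to the Enterprise Key Admins group.
     RID 527 is the well-known RID of Enterprise Key Admins, so the domain part of
     the SID is matched with \S+ (as rules 60159/60166/60167 in this file do)
     instead of a hard-coded domain SID. -->
<rule id="102103" level="15">
  <!-- Parent 60151: member added to a universal group (per the sibling rules'
       comments in this file; confirm against the native ruleset). -->
  <if_sid>60151</if_sid>
  <field name="win.eventdata.targetSid">^S-1-5-\S+-527$</field>
  <description>Ajout membre Administrateurs clés Entreprise</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>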
<!-- Suppression membre -->
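<!-- Custom rule: member removed from the Enterprise Key Admins group
     (well-known RID 527). The domain part of the SID is matched with \S+, as
     rules 60159/60166/60167 in this file do, instead of a hard-coded domain SID.
     Level 12 mirrors the other removal rules. -->
<rule id="102104" level="12">
  <!-- Parent 60152: member removed from a universal group (per the sibling rules'
       comments in this file; confirm against the native ruleset). -->
  <if_sid>60152</if_sid>
  <field name="win.eventdata.targetSid">^S-1-5-\S+-527$</field>
  <description>Suppression membre Administrateurs clés Entreprise</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>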
<!-- Critique : Modif groupe Administrateurs de l'entreprise -->
<!-- Règle native : modification de groupe (création, suppression, ajout, retrait) -->
<!-- Overrides native rule 60167 (overwrite="yes"): any change to the Enterprise
     Admins group (well-known RID 519, any domain). Unlike 60154/60159 above, no
     eventID filter is applied, so every parent event fires this rule. -->
<rule id="60167" level="15" overwrite="yes">
  <!-- Parents 60149 to 60152: universal group created / deleted / member added /
       member removed, per the comment above this rule; confirm against the native
       ruleset. -->
  <if_sid>60149,60150,60151,60152</if_sid>
  <!-- \S+ stands for the domain part of the SID, so the rule holds for every
       domain of the forest. -->
  <field name="win.eventdata.targetSid">^S-1-5-\S+-519$</field>
  <description>Groupe Administrateurs de l'entreprise modifié</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>
<!-- Critique : Modif groupe Administrateurs du schéma -->
<!-- Règle native : modification de groupe (création, suppression, ajout, retrait) -->
<!-- Overrides native rule 60166 (overwrite="yes"): any change to the Schema
     Admins group (well-known RID 518, any domain). Same structure as 60167 above:
     no eventID filter, so every parent event fires this rule. -->
<rule id="60166" level="15" overwrite="yes">
  <!-- Parents 60149 to 60152: universal group created / deleted / member added /
       member removed, per the comment above this rule; confirm against the native
       ruleset. -->
  <if_sid>60149,60150,60151,60152</if_sid>
  <!-- \S+ stands for the domain part of the SID, so the rule holds for every
       domain of the forest. -->
  <field name="win.eventdata.targetSid">^S-1-5-\S+-518$</field>
  <description>Groupe Administrateurs du schéma modifié</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>
<!-- Critique : Modif groupe Admins du domaine -->
<!-- Règle native : Ajout utilisateur -->
<!-- Overrides native rule 60159 (overwrite="yes"): fires only on additions to
     the Domain Admins group (well-known RID 512, any domain). Because of the
     eventID filter, removals no longer fire 60159; they are covered by custom
     rule 102105 below. -->
<rule id="60159" level="15" overwrite="yes">
  <!-- Parents 60141 / 60142 (global group member added / removed). With the eventID
       filter below restricted to additions, 60142 appears redundant; confirm against
       the native ruleset before removing it. -->
  <if_sid>60141,60142</if_sid>
  <!-- \S+ stands for the domain part of the SID. -->
  <field name="win.eventdata.targetSid">^S-1-5-\S+-512$</field>
  <!-- 632 (legacy) / 4728: member added to a security-enabled global group. -->
  <field name="win.system.eventID">^632$|^4728$</field>
  <description>Ajout membre Admins du domaine</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>
<!-- Suppression membre -->
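<!-- Custom rule: member removed from the Domain Admins group (well-known RID 512,
     any domain). Counterpart of the overridden rule 60159 above, which only covers
     additions. Level 12 mirrors the other removal rules in this file.
     The description previously read "Ajout membre ..." (copy-paste from 60159),
     which mislabelled a removal as an addition in every alert. -->
<rule id="102105" level="12">
  <!-- Parent 60142: member removed from a security-enabled global group. -->
  <if_sid>60142</if_sid>
  <field name="win.eventdata.targetSid">^S-1-5-\S+-512$</field>
  <!-- 633 (legacy) / 4729: member removed from a security-enabled global group. -->
  <field name="win.system.eventID">^633$|^4729$</field>
  <description>Suppression membre Admins du domaine</description>
  <options>no_full_log</options>
  <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  <mitre>
    <id>T1484</id>
  </mitre>
</rule>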
</group>