l.bourdin
/
Wazuh-Custom-rules
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Wazuh-Custom-rules/Logon-failure-win.xml

28 lines
1.2 KiB
XML
Raw Permalink Blame History

<!-- Overwrite règles de base wazuh logon failure - Add event 4771 -->
<group name="authentication_failed,windows,windows_security,">
<rule id="60105" level="5" overwrite="yes">
<if_sid>60104</if_sid>
<field name="win.system.eventID">^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$|^4771$</field>
<description>Windows Logon Failure</description>
<options>no_full_log</options>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>
<group name="authentication_failed,windows,windows_security,">
<rule id="60122" level="5" overwrite="yes">
<if_sid>60105</if_sid>
<field name="win.system.eventID">^529$|^4625$|^4771$</field>
<description>Logon Failure - Unknown user or bad password</description>
<options>no_full_log</options>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<mitre>
<id>T1531</id>
</mitre>
</rule>
</group>
Reference in New Issue View Git Blame Copy Permalink