
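<!-- Alert on a logon of the local "administrateur" account (French Windows built-in Administrator) -->
<!-- Child of 60106 (Windows logon success), which is overwritten further down to level 1. -->
<group name="Co-Windows">
  <rule id="100002" level="3">
    <if_sid>60106</if_sid>
    <!-- Rule fields are addressed without the "data." prefix that appears in alert output
         (compare win.system.eventID / win.eventdata.* in the other rules of this file).
         With the prefix the field never resolves, so the rule could never fire. -->
    <!-- Anchored and case-insensitive: Windows account names are not case-sensitive, and an
         unanchored match would also hit names such as "administrateur-svc".
         NOTE(review): 60106 also matches 4769, whose TargetUserName is normally "user@REALM"
         and therefore will not match this anchored pattern; confirm that is the intent.
         Hardening tip: the built-in Administrator can be renamed; matching
         win.eventdata.targetUserSid on the RID-500 suffix (-500$) survives a rename. -->
    <field name="win.eventdata.targetUserName" type="pcre2">(?i)^administrateur$</field>
    <description>Windows Logon Success Admin</description>
    <options>no_full_log</options>
    <!-- Same compliance tags as the parent 60106 (the original list was truncated). -->
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>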
<!-- Stock Wazuh rules overridden below (overwrite="yes"): same rule IDs, adjusted levels and fields -->
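<!-- RDP logon (4624 with LogonType 10) - overwrite of the stock Wazuh rule -->
<group name="windows,rdp,authentication_success,">
  <!-- NOTE(review): level 2 is below Wazuh's default log_alert_level (3), so RDP logons are
       not alerted on their own and this rule only matters as a parent for higher-level
       children (none in this file chain off it). Confirm that is intended. -->
  <rule id="92653" level="2" overwrite="yes">
    <if_sid>92651</if_sid>
    <!-- Anchored so that only the exact logon type 10 (RemoteInteractive) matches. -->
    <field name="win.eventdata.logonType" type="pcre2">^10$</field>
    <!-- In 4624 the account that actually logged on is the "New Logon" (Target*) set;
         Subject* is the account that requested the logon, which for RDP is usually the
         machine account or SYSTEM. targetDomainName therefore pairs with targetUserName. -->
    <description>User: $(win.eventdata.targetDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from ip:$(win.eventdata.ipAddress).</description>
    <mitre>
      <id>T1021.001</id>
      <id>T1078.002</id>
    </mitre>
  </rule>
</group>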
<!-- Logon with administrative privileges (4672) - overwrite of the stock Wazuh rule to drop SYSTEM noise -->
<!-- Rule 100300 (quiet-hours alert) chains off this rule via if_sid. -->
<group name="windows,auth,privileged,">
<rule id="67028" level="3" overwrite="yes">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^4672$</field>
<!-- Exclude LocalSystem (S-1-5-18). NOTE(review): 4672 is also logged for LOCAL SERVICE
     (S-1-5-19), NETWORK SERVICE (S-1-5-20) and machine accounts (name ending in "$"); if those
     are noisy, add further negated fields here instead of raising the alert threshold. -->
<field name="win.eventdata.subjectUserSid" negate="yes">^S-1-5-18$</field>
<description>Special privileges assigned to new logon.</description>
<mitre>
<id>T1484</id>
</mitre>
<options>no_full_log</options>
</rule>
</group>
<!-- User logon success - overwrite of the stock Wazuh rule, lowered to level 1 -->
<!-- Parent of 100002 (admin logon); at level 1 the logons themselves are not alerted,
     only the children that chain off this rule are. -->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="60106" level="1" overwrite="yes">
<if_sid>60103</if_sid>
<!-- Legacy (528/540/673) and current (4624 logon, 4769 Kerberos service ticket) event IDs.
     NOTE(review): 4769 is a ticket request, not an interactive logon; children matching on
     TargetUserName should expect the "user@REALM" form for that event. -->
<field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
<description>Windows Logon Success</description>
<options>no_full_log</options>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>
<!-- User logoff - overwrite of the stock Wazuh rule, lowered to level 1 -->
<!-- Parent of 100005 (admin logoff). -->
<group name="pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
<rule id="60137" level="1" overwrite="yes">
<if_sid>60103</if_sid>
<!-- Legacy (538/551) and current (4634 logoff, 4647 user-initiated logoff) event IDs. -->
<field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
<description>Windows User Logoff</description>
<options>no_full_log</options>
</rule>
</group>
<!-- RDP alert rule (disabled). NOTE(review): event 1149 (TerminalServices-RemoteConnectionManager)
     means a client completed the connection to the RDP listener (with NLA, after NLA authentication);
     it is not by itself a successful interactive logon (4624/LogonType 10 is, see 92653 above).
     The rule also has no if_sid parent and an unanchored eventID, so review both before re-enabling:
<group name="windows,rdp,authentication_success,">
<rule id="100003" level="10">
<field name="win.system.eventID">1149</field>
<description>Connexion RDP réussie détectée (1149)</description>
<group>rdp,windows,authentication_success,</group>
</rule>
</group>
-->
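<!-- Privileged logon (child of 67028 / event 4672) between 00:00 and 05:00 -->
<group name="windows,auth,privileged,quiet_hours,">
  <!-- NOTE(review): <time> is evaluated with the manager's clock when the event is processed,
       not the agent's; if agents and manager are in different time zones the window is shifted.
       Every 4672 not excluded by 67028 (service accounts, scheduled tasks) raises this level-12
       alert inside the window, so tune the parent's exclusions if it proves noisy. -->
  <rule id="100300" level="12">
    <if_sid>67028</if_sid>
    <time>00:00-05:00</time>
    <!-- Description previously read "00:0005:00": the separator had been lost. -->
    <description>Privileged logon during quiet hours (00:00-05:00 local)</description>
    <options>no_full_log</options>
  </rule>
</group>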
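<!-- Alert on a logoff of the local "administrateur" account -->
<!-- Child of 60137 (Windows user logoff), which is overwritten above to level 1. -->
<group name="Co-Windows">
  <rule id="100005" level="3">
    <if_sid>60137</if_sid>
    <!-- Rule fields are addressed without the "data." prefix used in alert output
         (compare the other rules of this file); with the prefix the rule could never fire. -->
    <!-- Anchored and case-insensitive, mirroring rule 100002, so that e.g. "administrateur-svc"
         is not matched. -->
    <field name="win.eventdata.targetUserName" type="pcre2">(?i)^administrateur$</field>
    <description>Windows Logoff Admin</description>
    <options>no_full_log</options>
    <!-- Same compliance tags as the parent 60137; a logoff is not an authentication_success. -->
    <group>pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>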