Wazuh-Custom-rules/Connexion-admin.xml


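<!-- Alert on a logon of the local "administrateur" account.
     Chained on 60106 (Windows Logon Success). The field name uses the
     decoded "win." prefix like every other rule in this file; the
     "data." prefix is the indexed alert document path, not a rule
     field, so the original test never matched.
     The value is an unanchored OS_Regex, so any user name that merely
     contains "administrateur" also fires; anchor it (^administrateur$)
     if that turns out to be too broad. -->
<group name="Co-Windows">
  <rule id="100002" level="3">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.targetUserName">administrateur</field>
    <description>Windows Logon Success Admin</description>
    <options>no_full_log</options>
    <!-- Compliance tag list completed from the 60106 group in this file;
         the source value was cut off at "nist_80>" -->
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>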
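<!-- Overwrite of the stock Wazuh RDP logon rule 92653.
     Keeps the chain on 92651 and sets level 2; the stock rule's level
     is not visible in this file, check the base ruleset before relying
     on the overwrite. The logon-type test is anchored so that only the
     exact value 10 (the RDP logon type the description refers to)
     matches: pcre2 patterns are unanchored by default, so a bare "10"
     would also match as a substring of a longer value. -->
<group name="windows,rdp,authentication_success,">
  <rule id="92653" level="2" overwrite="yes">
    <if_sid>92651</if_sid>
    <field name="win.eventdata.logonType" type="pcre2">^10$</field>
    <description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from ip:$(win.eventdata.ipAddress).</description>
    <mitre>
      <id>T1021.001</id>
      <id>T1078.002</id>
    </mitre>
  </rule>
</group>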
<!-- Logon with administrative privileges.
     Overwrite of stock rule 67028 (event 4672, special privileges
     assigned to a new logon), chained on 60103 and set to level 3.
     The negated SID test drops LocalSystem (S-1-5-18) so service
     logons do not alert. Rule 100300 further down chains on this id. -->
<group name="windows,auth,privileged,">
  <rule id="67028" level="3" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4672$</field>
    <!-- exclude the LocalSystem account -->
    <field name="win.eventdata.subjectUserSid" negate="yes">^S-1-5-18$</field>
    <description>Special privileges assigned to new logon.</description>
    <mitre>
      <id>T1484</id>
    </mitre>
    <options>no_full_log</options>
  </rule>
</group>
<!-- User logon.
     Overwrite of stock rule 60106 (Windows Logon Success) lowered to
     level 1; chained on 60103. The event ID list is the stock one
     (legacy 528/540/673 plus 4624 and 4769). Rule 100002 above and the
     noise filters below chain on this id. -->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
  <rule id="60106" level="1" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <description>Windows Logon Success</description>
    <options>no_full_log</options>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>
<!-- Noise filter: sandbox account logon.
     Level 0 child of 60118 for the exact user name
     "CodexSandboxOffline", so those events match here instead of
     alerting on the parent (presumably the intent; confirm that 60118
     is the rule these events currently hit).
     Note: the commented-out RDP rule further down reuses id 100003;
     re-enabling it as-is would create a duplicate rule id. -->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
  <rule id="100003" level="0">
    <if_sid>60118</if_sid>
    <field name="win.eventdata.targetUserName">^CodexSandboxOffline$</field>
    <description>Filtre anti bruit pour co sandbox windows offline</description>
    <options>no_full_log</options>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>
<!-- Noise filter: sandbox account logoff.
     Level 0 child of 67023 for the exact user name
     "CodexSandboxOffline"; companion of rule 100003 above, which
     silences the matching logon. -->
<group name="authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.9,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
  <rule id="100006" level="0">
    <if_sid>67023</if_sid>
    <field name="win.eventdata.targetUserName">^CodexSandboxOffline$</field>
    <description>Filtre anti bruit pour déco sandbox windows offline</description>
    <options>no_full_log</options>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>
<!-- User logoff.
     Overwrite of stock rule 60137 (Windows User Logoff) lowered to
     level 1; chained on 60103 and matching the logoff event IDs
     (legacy 538/551 plus 4634 and 4647). Rule 100005 at the end of the
     file chains on this id. -->
<group name="pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,">
  <rule id="60137" level="1" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
    <description>Windows User Logoff</description>
    <options>no_full_log</options>
  </rule>
</group>
<!-- Règle alerte RDP
<group name="windows,rdp,authentication_success,">
<rule id="100003" level="10">
<field name="win.system.eventID">1149</field>
<description>Connexion RDP réussie détectée (1149)</description>
<group>rdp,windows,authentication_success,</group>
</rule>
</group>
-->
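<!-- Privileged logon during quiet hours (00:00 to 05:00).
     Chains on 67028 (special privileges assigned, overwritten above),
     not on the RDP rule as the original comment said. The description
     had lost the separator between the two times ("00:0005:00"); it is
     restored here.
     NOTE(review): <time> is presumably evaluated against the manager's
     clock when the event is processed rather than the event timestamp;
     confirm, and make sure manager and agents share the intended
     time zone. -->
<group name="windows,auth,privileged,quiet_hours,">
  <rule id="100300" level="12">
    <if_sid>67028</if_sid>
    <time>00:00-05:00</time>
    <description>Privileged logon during quiet hours (00:00-05:00 local)</description>
    <options>no_full_log</options>
  </rule>
</group>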
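<!-- Alert on a logoff of the local "administrateur" account.
     Chained on 60137 (Windows User Logoff). The field name uses the
     decoded "win." prefix like every other rule in this file; the
     "data." prefix is the indexed alert document path, not a rule
     field, so the original test never matched.
     The value is an unanchored OS_Regex, so any user name that merely
     contains "administrateur" also fires; anchor it (^administrateur$)
     if that turns out to be too broad. -->
<group name="Co-Windows">
  <rule id="100005" level="3">
    <if_sid>60137</if_sid>
    <field name="win.eventdata.targetUserName">administrateur</field>
    <description>Windows Logoff Admin</description>
    <options>no_full_log</options>
    <!-- Tag list taken from the 60137 logoff group in this file; the source
         value was cut off at "nist_80>" and carried the logon tags,
         including "authentication_success", which does not fit a logoff -->
    <group>pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>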