remove duplicate rule and fix errors

This commit is contained in:
frack113
2021-08-15 16:52:24 +02:00
parent a75859a976
commit 12396f615c
10 changed files with 13 additions and 35 deletions
+2 -3
@@ -1,10 +1,9 @@
id: bf74135c-18e8-4a72-a926-0e4f47888c19
title: DNS events related to mining pools
description: |
'Identifies IPs that may be performing DNS lookups associated with common currency mining pools.'
description: Identifies IPs that may be performing DNS lookups associated with common currency mining pools.
reference: Azure Sentinel
author: Saw Winn Naung
severity: Medium
severity: medium
logsource:
service: dns
product: zeek
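Review bot: lowercasing the value at `severity: medium` fixes the case but not the key; Sigma has no `severity` field, the level belongs under `level:` as the other rules in this commit already spell it (`level: medium`), so this rule will still not validate. Same for `reference: Azure Sentinel`: the field is `references:` and should be a list, ideally holding the URL of the Sentinel query this was ported from rather than the product name.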
+1 -1
@@ -4,7 +4,7 @@ description: |
'Identifies IPs performing DNS lookups associated with common Tor proxies.'
reference: Azure Sentinel
author: Saw Winn Naung
severity: Medium
severity: medium
logsource:
service: dns
product: zeek
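Review bot: the description left untouched at `description: |` / `'Identifies IPs performing DNS lookups associated with common Tor proxies.'` still carries the quotes as part of the value, because inside a literal block scalar they are plain characters; the mining-pool rule in this same commit collapses this to `description: Identifies ...` and this one should get the same fix. `severity:` and `reference:` are also still the non-Sigma keys here; they should be `level:` and a `references:` list.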
@@ -2,16 +2,15 @@ title: Process execution anomaly
id: 2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
description: 'Identifies anomalous executions of sensitive processes which are often leveraged as attack vectors.'
references: Azure Sentinel
level: Medium
level: medium
logsource:
service: Security
product: windows
category: process_creation
tags:
- attack.execution
- attack.t1064
detection:
selection:
EventID: 4688
NewProcessName|contains:
- 'powershell.exe'
- 'cmd.exe'
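Review bot: the logsource mixes `service: Security` and `category: process_creation` while the selection hard-codes `EventID: 4688` and `NewProcessName|contains`; those fields exist only in the Security log, so the `category` is misleading for any backend that maps process_creation to Sysmon Event ID 1. Pick one model: keep `service: security` (lowercase, as the 1102 rule in this commit spells it) with the 4688 fields, or drop EventID/NewProcessName and match on `Image|endswith` under the category. Two smaller points: `attack.t1064` has been retired in ATT&CK in favour of T1059, and the visible part of the selection (`'powershell.exe'`, `'cmd.exe'`) matches every shell start; if nothing further down in the condition narrows it, `level: medium` is too high for what is really an informational event.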
@@ -5,7 +5,7 @@ description: |
'Checks for event id 1102 which indicates the security event log was cleared.'
reference: Azure Sentinel
author: Saw Winn Naung
severity: Medium
severity: medium
logsource:
service: security
product: windows
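Review bot: `severity: medium` should be `level: medium` and `reference: Azure Sentinel` should be a `references:` list with the source URL; the `service: security` spelling in this file is the one the other Windows rules in this commit should adopt (they use `service: Security`). The description just above the hunk (`description: |` followed by a single-quoted line) has the same literal-block-with-quotes problem the mining-pool rule was fixed for and should be collapsed the same way.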
@@ -1,19 +1,17 @@
title: Powershell Empire cmdlets seen in command line
id: ef88eb96-861c-43a0-ab16-f3835a97c928
description: |
'Identifies instances of PowerShell Empire cmdlets in powershell process command line data.'
description: Identifies instances of PowerShell Empire cmdlets in powershell process command line data.
references: Azure Sentinel
level: Medium
level: medium
logsource:
service: Security
product: windows
product: windows
category: process_creation
tags:
- attack.execution
- attack.persistence
- attack.t1208
detection:
selection1:
EventID: 4688
CommandLine|contains: ' -encodedCommand'
selection2:
CommandLine:
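Review bot: dropping the duplicated `product: windows` line and flattening the description are the right fixes, but `attack.t1208` is wrong for this rule: T1208 is Kerberoasting (since folded into T1558.003) and has nothing to do with Empire cmdlets or `CommandLine|contains: ' -encodedCommand'`; T1059.001 (PowerShell) is the matching technique. As in the other process rules of this commit, `service: Security` plus `category: process_creation` with a hard-coded `EventID: 4688` should be reduced to one logsource model, and `service` lowercased.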
@@ -2,7 +2,7 @@ title: Account added and removed from privileged groups
id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60
description: 'Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.'
references: Azure Sentinel
level: Low
level: low
logsource:
service: Security
product: windows
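Review bot: `service: Security` should be lowercase `security` to match the logsource spelling used elsewhere in this commit; more importantly, the title and description promise "added ... and then quickly removed", which is a two-event correlation (a group-add such as 4728/4732/4756 followed by the matching 4729/4733/4757 removal inside a time window), and the detection block below this hunk should be checked for whether it expresses that or just matches the add event before the only change made here is the level case.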
@@ -1,18 +0,0 @@
title: User account created and deleted within 10 mins
id: 4b93c5af-d20b-4236-b696-a28b8c51407f
description: 'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and
an adversary attempting to hide in the noise.'
references: Azure Sentinel
level: Medium
logsource:
service: Security
product: windows
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1098
- attack.t1078
detection:
selection:
EventID: 4720
condition: selection
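Review bot: whichever rule this duplicates, deleting it is justified by its own body: the detection is `selection: EventID: 4720` with `condition: selection`, which fires on every user account creation and never looks for the deletion (4726) or the 10-minute window the title and description describe, so it could only ever produce false positives. If the surviving rule makes the same promise it needs the same check.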
@@ -3,7 +3,7 @@ id: 3d023f64-8225-41a2-9570-2bd7c2c4535e
description: 'Identifies when a user account is enabled and then disabled. This can be an indication of compromise and
an adversary attempting to hide in the noise.'
references: Azure Sentinel
level: Medium
level: medium
logsource:
service: Security
product: windows
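Review bot: `service: Security` should be `service: security`; and the description ("enabled and then disabled") describes a sequence of 4722 followed by 4725 within some window, which a plain selection/condition cannot express. Worth verifying the detection block (outside this hunk) actually correlates the two events before merging a change that only lowercases the level.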
@@ -3,7 +3,7 @@ id: aa1eff90-29d4-49dc-a3ea-b65199f516db
description: 'Identifies when a user account was created and then added to the builtin Administrators group.
This should be monitored closely and all additions reviewed.'
references: Azure Sentinel
level: Low
level: low
logsource:
service: Security
product: windows
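Review bot: `level: low` sits oddly beside a description that says this "should be monitored closely and all additions reviewed"; a freshly created account going straight into the builtin Administrators group is normally treated as high priority, so consider raising the level rather than only lowercasing it. Also `service: Security` should be lowercase `security` as in the 1102 rule of this commit.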