security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1110 from vburov/patch-11

Browse Source 
Update win_disable_event_logging.yml
This commit is contained in:
Florian Roth
2021-02-18 11:18:32 +01:00
committed by GitHub
parent f62fc2e889 e10771652b
commit a6684c66d6
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win_disable_event_logging.yml
+3 -1
View File
@@ -16,7 +16,9 @@ logsource:
detection:
selection:
EventID: 4719
AuditPolicyChanges: 'removed'
AuditPolicyChanges|contains:
- '%%8448' # This is "Success removed"
- '%%8450' # This is "Failure removed"
condition: selection
falsepositives:
- Unknown