security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

[Rule Tuning] Replace legacy winlog.api usage (#4647)

Browse Source 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2025-04-23 21:22:38 -03:00
committed by GitHub
parent 54fadc8e2e
commit e8e76972f5
4 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_clearing_windows_security_logs.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/11/12"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/04/23"
[rule]
author = ["Elastic", "Anabella Cristaldi"]
@@ -62,7 +62,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" and
host.os.type:windows and event.action:("audit-log-cleared" or "Log clear") and
not winlog.provider_name:"AD FS Auditing"
'''
rules/windows/persistence_group_modification_by_system.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/04/23"
[rule]
author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where winlog.api == "wineventlog" and event.code == "4728" and
iam where host.os.type == "windows" and event.code == "4728" and
winlog.event_data.SubjectUserSid : "S-1-5-18" and
/* DOMAIN_USERS and local groups */
rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/09"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/04/23"
[rule]
author = ["Elastic", "Skoetting"]
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where winlog.api == "wineventlog" and event.action == "added-member-to-group" and
iam where host.os.type == "windows" and event.action == "added-member-to-group" and
(
(
group.name : (
rules/windows/persistence_user_account_creation_event_logs.toml
+2 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/04"
integration = ["system", "windows"]
maturity = "development"
updated_date = "2025/02/21"
updated_date = "2025/04/23"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -31,8 +31,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.module:("system" or "security") and winlog.api:"wineventlog" and
(event.code:"4720" or event.action:"added-user-account")
host.os.type:windows and event.module:("system" or "security") and (event.code:"4720" or event.action:"added-user-account")
'''
note = """## Triage and analysis