From 2daae1681468bdb444a1e49f1274714dd9038d2a Mon Sep 17 00:00:00 2001
From: janniten
Date: Thu, 12 Nov 2020 17:14:01 +0100
Subject: [PATCH 1/3] [New Rule] Clearing Windows Security Logs
---
 ...vasion_clearing_windows_security_logs.toml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/defense_evasion_clearing_windows_security_logs.toml
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
new file mode 100644
index 00000000000..cf72d9f2878
--- /dev/null
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -0,0 +1,23 @@
+[metadata]
+creation_date = "2020/11/12"
+ecs_version = ["1.6.0"]
+maturity = "development"
+updated_date = "2020/11/12"
+
+[rule]
+author = ["Anabella Cristaldi"]
+description = "Looks for events related to clearing security logs"
+index = ["winlogbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Clearing Windows Security Logs"
+risk_score = 21
+rule_id = "95ba057e-4a9c-41af-9dda-510516fdfbe4"
+severity = "low"
+tags = ["Windows"]
+type = "query"
+
+query = '''
+event.module:security and event.action:audit-log-cleared
+'''
+
From ec8895f919d62a03cf28244377cd32a9103214d3 Mon Sep 17 00:00:00 2001
From: janniten
Date: Mon, 16 Nov 2020 17:19:43 +0100
Subject: [PATCH 2/3] Fix Date Format Error
---
 ...defense_evasion_clearing_windows_security_logs.toml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index cf72d9f2878..aab36926455 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
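Review bot: The new rule file carries no `threat` mapping and no `false_positives` entry, even though its path (`defense_evasion_…`) names the ATT&CK tactic it is meant to cover; the follow-up hunk in PATCH 2/3 edits the same `[rule]` table and does not add them either. The repo's rule schema expresses the mapping as a `[[rule.threat]]` array-of-tables, and an audit-log-cleared event on the Security channel corresponds to Defense Evasion / T1070 Indicator Removal on Host. A `false_positives` line is also warranted, since administrators clearing the Security log during maintenance emit the same event as an adversary would. Suggested additions, placed after the existing `[rule]` keys so the scalar keys stay within the `[rule]` table:
```toml
# … unchanged: [metadata] table and the existing [rule] keys through query …
false_positives = ["Administrators clearing the Security log during maintenance produce the same event; tune on host or actor fields in your environment."]

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal on Host"
reference = "https://attack.mitre.org/techniques/T1070/"
```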
@@ -6,15 +6,19 @@ updated_date = "2020/11/12"
 
 [rule]
 author = ["Anabella Cristaldi"]
-description = "Looks for events related to clearing security logs"
+description = "Identifies attempts to clear Windows Security log stores"
+from = "now-9m"
 index = ["winlogbeat-*"]
+interval = "6m"
 language = "kuery"
 license = "Elastic License"
+max_signals = 99
 name = "Clearing Windows Security Logs"
 risk_score = 21
-rule_id = "95ba057e-4a9c-41af-9dda-510516fdfbe4"
+rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
 severity = "low"
-tags = ["Windows"]
+tags = ["Windows", "Elastic"]
+to = "now-1s"
 type = "query"
 
 query = '''
From 9eeb65cd2524b4e5c29ab473b1a70b1aa6bda485 Mon Sep 17 00:00:00 2001
From: janniten
Date: Wed, 18 Nov 2020 16:08:37 +0100
Subject: [PATCH 3/3] Add User Account Created Rule
---
 .../cross-platform/user_account_created.toml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/cross-platform/user_account_created.toml
diff --git a/rules/cross-platform/user_account_created.toml b/rules/cross-platform/user_account_created.toml
new file mode 100644
index 00000000000..a2bf3aab408
--- /dev/null
+++ b/rules/cross-platform/user_account_created.toml
@@ -0,0 +1,26 @@
+[metadata]
+creation_date = "2020/11/18"
+ecs_version = ["1.6.0"]
+maturity = "development"
+updated_date = "2020/11/18"
+
+[rule]
+author = ["Anabella Cristaldi"]
+description = """
+Identifies the creation of new users. This is sometimes done either by attackers to increase access to a system or a
+domain or by a legal admin and the activity needs to be audited when strong security regulations are in place.
+"""
+index = ["winlogbeat-*", "auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "User Account Created"
+risk_score = 21
+rule_id = "73ccc727-dc70-4112-85f1-aa91f86548f0"
+severity = "low"
+tags = ["Windows", "Linux", "Elastic"]
+type = "query"
+
+query = '''
+event.category:iam and event.type:(creation and user) and event.outcome:success
+'''
+
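Review bot: `to = "now-1s"` and `max_signals = 99` are non-default scheduling values added with no explanation; the rule engine defaults `to` to now and `max_signals` to 100, so a reader cannot tell whether these are deliberate or leftovers from local testing. If they are intentional, a comment above each stating the reason belongs here (for example `# end 1s short of now so events still being indexed are caught by the next run`); otherwise drop both lines and rely on the defaults, keeping only `from`/`interval`. The new description says "attempts to clear", but `event.action:audit-log-cleared` in the query (which starts at the last context line and continues outside the hunk) is recorded once the log has actually been cleared, so `description = "Identifies when the Windows Security event log has been cleared"` states what is detected more precisely. The `rule_id` change is fine while the rule is still `maturity = "development"`, but once released a rule_id must stay stable or existing alerts and exceptions lose their link to the rule.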
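Review bot: The query fires on every successful user creation across both index patterns, which in environments with automated provisioning (identity-management tooling, onboarding scripts) is routine, yet the rule has no `false_positives` entry to say so and no `threat` mapping although the description frames the activity as attacker persistence. Add `false_positives = ["Account creation by identity-management or provisioning tooling is routine in many environments; tune on the creating subject or host."]` alongside the other `[rule]` keys, and a `[[rule.threat]]` block (framework "MITRE ATT&CK") with `[rule.threat.tactic]` for Persistence (TA0003) and `[[rule.threat.technique]]` for T1136 Create Account. The file name `user_account_created.toml` also drops the `<tactic>_` prefix used by the other file in this series (`defense_evasion_clearing_windows_security_logs.toml`); `persistence_user_account_created.toml` would follow that convention. In the description, "a legal admin" reads better as "a legitimate administrator", and "the activity needs to be audited" as "such activity should be audited".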