Fix provider name for Windows Eventlog
danimegar committed May 27, 2020
1 parent 8ed592c commit 3e2b59a
Showing 2 changed files with 33 additions and 3 deletions.
11 changes: 9 additions & 2 deletions rules/0575-win-base_rules.xml
Expand Up @@ -70,11 +70,18 @@
<description>Group of Windows rules for the McAfee channel</description>
</rule>

<rule id="60017" level="0">
<if_sid>60001</if_sid>
<field name="win.system.providerName">^Microsoft-Windows-Eventlog$</field>
<options>no_full_log</options>
<description>Group of rules for Windows Eventlog from Security channel</description>
</rule>

<rule id="60007" level="0">
<if_sid>60002</if_sid>
<field name="win.system.providerName">^Eventlog$</field>
<field name="win.system.providerName">^Eventlog$|^Microsoft-Windows-Eventlog$</field>
<options>no_full_log</options>
<description>Group of rules for Windows Eventlog</description>
<description>Group of rules for Windows Eventlog from System channel</description>
</rule>

<rule id="60008" level="0">
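Review bot: Rule 60017 matches the same provider that 60007 now also accepts, but nothing on the page says why the provider needs a second, channel-specific group, and the rule is inserted ahead of 60007 although the ids in this file otherwise ascend (60007, 60008). The rule itself does not name a channel; the "Security channel" in its description rests on 60001 being the Security-channel parent, which is outside the hunk and worth confirming. A short comment above the rule would carry the intent, e.g. `<!-- Microsoft-Windows-Eventlog also logs to the Security channel (e.g. event 1102, audit log cleared); keep it under 60001 apart from the System-channel group 60007 so child rules can be scoped per channel -->`. Placing the rule after 60008, or renumbering it, would keep the ids in order.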
25 changes: 24 additions & 1 deletion rules/0610-win-ms_logs_rules.xml
Expand Up @@ -34,9 +34,32 @@
<group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
</rule>

<rule id="63108" level="0">
<if_sid>60017</if_sid>
<field name="win.system.severityValue">^INFORMATION$</field>
<description>Windows Eventlog informational event</description>
<options>no_full_log</options>
</rule>

<rule id="63109" level="0">
<if_sid>60017</if_sid>
<field name="win.system.severityValue">^WARNING$</field>
<description>Windows Eventlog warning event</description>
<options>no_full_log</options>
<group>gpg13_4.12,</group>
</rule>

<rule id="63110" level="5">
<if_sid>60017</if_sid>
<field name="win.system.severityValue">^ERROR$</field>
<description>Windows Eventlog error event</description>
<options>no_full_log</options>
<group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
</rule>

<!-- {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Microsoft-Windows-Eventlog","eventID":"1102","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2018-11-27T13:03:51.594213100Z","eventRecordID":"8453","correlation":"","processID":"608","threadID":"1296","channel":"Microsoft-Windows-Eventlog","computer":"hffg","message":"The audit log was cleared.","severityValue":"INFORMATION"},"eventdata":{"subjectUserSid":"S-1-5-21-571","subjectUserName":"HFFG$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","transactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","newState":"52","resourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","processId":"0x3f8","processName":"C:\\Windows\\System32\\svchost.exe"}}} -->
<rule id="63103" level="5">
<if_sid>63100</if_sid>
<if_sid>63108</if_sid>
<field name="win.system.eventID">^1102$</field>
<description>The audit log was cleared</description>
<options>no_full_log</options>
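Review bot: Reparenting 63103 from 63100 to 63108 makes the event 1102 alert depend on the Security-channel event being decoded with severityValue INFORMATION, and the only evidence on the page is the sample comment above the rule, whose channel field reads "Microsoft-Windows-Eventlog" rather than "Security"; if real Security-channel 1102 events carry a different severity value, the audit-log-cleared alert would silently stop firing, which is a detection gap rather than a noisy failure. Worth confirming against a captured Security-channel event and keeping that sample in the comment. The new rules 63108–63110 appear to mirror the existing 63100-series in structure but give no hint of which channel they cover; a `<!-- Microsoft-Windows-Eventlog provider, Security channel (parent 60017) -->` line above 63108 would place them for the next reader. The body of rule 63103 continues past the end of the hunk.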
