@@ -68,7 +68,7 @@ alert any any any -> any any (msg: "[WINDOWS-SECURITY] Kerberos policy was chang
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encrypted data recovery policy was changed"; meta_content: " %sagan%|3a| ",4714,618; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003399; sid: 5003399; rev: 2;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit policy (SACL) on an object was changed"; content: " 4715|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003400; sid: 5003400; rev: 1;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] Trusted domain information was modified"; meta_content: " %sagan%|3a| ",4716,620; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003401; sid: 5003401; rev: 2;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to reset an account's password"; meta_content: " %sagan%|3a| ",4724,628; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003402; sid: 5003402; rev: 2;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to reset an account's password"; meta_content: " %sagan%|3a| ",4724,628; meta_depth: 8; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003402; sid: 5003402; rev: 3;)
alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was created"; meta_content: " %sagan%|3a| ",4727,631; meta_depth: 8; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003403; sid: 5003403; rev: 2;)
# Champ Clark III - Removed Account Name of machines - 2018/10/20
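Review bot: The `pcre` added to sid 5003402 suppresses the alert whenever any `Account Name:` field in the message is eventually followed by `$ `, not only when the account being reset is a machine account. Because `(.*)` is greedy and unbounded, a `$ ` anywhere later in the event text satisfies the lookahead, and a reset of a user account performed from a machine-account context (subject name ending in `$`) would presumably be dropped as well. Bounding the name to a single token narrows this: `pcre: "/^((?!Account Name: \S+\$ ).)*$/";`, and if the normalised 4724/628 text allows it, the exclusion should be tied to the target-account field only. A comment directly above the rule should say that machine-account resets are excluded on purpose and that user accounts named with a trailing `$` are excluded too, so whoever tunes the rule later knows the blind spot. The per-character lookahead with a nested `.*` is also expensive on long Security log messages.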