Added more rules related to Windows Eventlog

wazuh · May 6, 2020 · 3d5f179 · 3d5f179
1 parent c168bd1
commit 3d5f179
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/rules/0590-win-system_rules.xml b/rules/0590-win-system_rules.xml
@@ -323,4 +323,24 @@
     <options>no_email_alert</options>
   </rule>
 
+  <rule id="61139" level="8">
+    <if_sid>61102</if_sid>
+    <field name="win.system.eventID">^6008$</field>
+    <description>Unexpected system shutdown.</description>
+    <mitre>
+      <id>T1529</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+
+  <rule id="61140" level="7">
+    <if_sid>61100</if_sid>
+    <field name="win.system.eventID">^1074$</field>
+    <description>System has been shutdown by a process/user.</description>
+    <mitre>
+      <id>T1529</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+
 </group>
diff --git a/rules/0610-win-ms_logs_rules.xml b/rules/0610-win-ms_logs_rules.xml
@@ -58,6 +58,8 @@
     <group>log_clearing,gpg13_10.1,gdpr_II_5.1.f,</group>
   </rule>
 
+    <!-- {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Microsoft-Windows-Eventlog","eventID":"6006","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2018-11-27T13:03:51.594213100Z","eventRecordID":"8453","correlation":"","processID":"608","threadID":"1296","channel":"Microsoft-Windows-Eventlog","computer":"hffg","message":"The Event log service was started.","severityValue":"INFORMATION"},"eventdata":{"subjectUserSid":"S-1-5-21-571","subjectUserName":"HFFG$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","transactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","newState":"52","resourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","processId":"0x3f8","processName":"C:\\Windows\\System32\\svchost.exe"}}} -->
+
   <!-- {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Microsoft-Windows-Eventlog","eventID":"6005","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2018-11-27T13:03:51.594213100Z","eventRecordID":"8453","correlation":"","processID":"608","threadID":"1296","channel":"Microsoft-Windows-Eventlog","computer":"hffg","message":"The Event log service was started.","severityValue":"INFORMATION"},"eventdata":{"subjectUserSid":"S-1-5-21-571","subjectUserName":"HFFG$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","transactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","newState":"52","resourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","processId":"0x3f8","processName":"C:\\Windows\\System32\\svchost.exe"}}} -->
   <rule id="63105" level="5">
     <if_sid>63100</if_sid>
@@ -81,4 +83,15 @@
     <description>Multiple Eventlog warning events</description>
     <options>no_full_log</options>
   </rule>
+
+  <rule id="63108" level="7">
+    <if_sid>63100</if_sid>
+    <field name="win.system.eventID">^6006$</field>
+    <description>The Event log service was stopped.</description>
+    <mitre>
+      <id>T1529</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+
 </group>