Remove Windows EventChannel field #299

Merged
merged 6 commits into from
Feb 26, 2019
286 changes: 143 additions & 143 deletions rules/0220-msauth_rules.xml

30 changes: 15 additions & 15 deletions rules/0225-mcafee_av_rules.xml
Expand Up @@ -130,105 +130,105 @@

<rule id="20200" level="0">
<if_sid>20001,20002,20003</if_sid>
<field name="EventChannel.System.Channel">^McLogEvent</field>
<field name="win.system.channel">^McLogEvent</field>
<category>windows</category>
<description>Grouping of McAfee Windows AV rules</description>
</rule>

<rule id="20201" level="2">
<if_sid>20200</if_sid>
<field name="EventChannel.System.EventID">$MCAFEE_INFO</field>
<field name="win.system.eventID">$MCAFEE_INFO</field>
<description>McAfee Windows AV informational event</description>
</rule>

<rule id="20202" level="3">
<if_sid>20200</if_sid>
<field name="EventChannel.System.EventID">$MCAFEE_WARN</field>
<field name="win.system.eventID">$MCAFEE_WARN</field>
<description>McAfee Windows AV warning event</description>
<group>gpg13_4.12,</group>
</rule>

<rule id="20203" level="4">
<if_sid>20200</if_sid>
<field name="EventChannel.System.EventID">$MCAFEE_ERROR</field>
<field name="win.system.eventID">$MCAFEE_ERROR</field>
<description>McAfee Windows AV error event</description>
<group>gpg13_4.3,</group>
</rule>

<rule id="20204" level="12">
<if_sid>20200</if_sid>
<field name="EventChannel.System.Message">$MCAFEE_VIRUS</field>
<field name="win.system.message">$MCAFEE_VIRUS</field>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group>
<description>McAfee Windows AV - Virus detected and not removed</description>
</rule>

<rule id="20205" level="7">
<if_sid>20204</if_sid>
<field name="EventChannel.System.Message">$MCAFEE_VIRUS_OK</field>
<field name="win.system.message">$MCAFEE_VIRUS_OK</field>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group>
<description>McAfee Windows AV - Virus detected and properly removed</description>
</rule>

<rule id="20206" level="7">
<if_sid>20204</if_sid>
<field name="EventChannel.System.Message">Will be deleted</field>
<field name="win.system.message">Will be deleted</field>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group>
<description>McAfee Windows AV - Virus detected and file will be deleted</description>
</rule>

<rule id="20207" level="3">
<if_sid>20200</if_sid>
<field name="EventChannel.System.Message">scan started|scan stopped</field>
<field name="win.system.message">scan started|scan stopped</field>
<description>McAfee Windows AV - Scan started or stopped</description>
<group>pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20208" level="3">
<if_sid>20201</if_sid>
<id>^257</id>
<field name="EventChannel.System.Message">completed. No detections</field>
<field name="win.system.message">completed. No detections</field>
<description>McAfee Windows AV - Scan completed with no viruses found</description>
<group>pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20209" level="5">
<if_sid>20200</if_sid>
<field name="EventChannel.System.Message">scan was cancelled |has taken too long</field>
<field name="win.system.message">scan was cancelled |has taken too long</field>
<description>McAfee Windows AV - Virus scan cancelled</description>
<group>pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20210" level="5">
<if_sid>20200</if_sid>
<field name="EventChannel.System.Message">scan was canceled because</field>
<field name="win.system.message">scan was canceled because</field>
<description>McAfee Windows AV - Virus scan cancelled due to shutdown</description>
<group>pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20211" level="3">
<if_sid>20200</if_sid>
<field name="EventChannel.System.Message">update was successful</field>
<field name="win.system.message">update was successful</field>
<description>McAfee Windows AV - Virus program or DAT update succeeded</description>
<group>pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.4,gpg13_4.14,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20212" level="7">
<if_sid>20200</if_sid>
<field name="EventChannel.System.Message">update failed</field>
<field name="win.system.message">update failed</field>
<description>McAfee Windows AV - Virus program or DAT update failed</description>
<group>pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.14,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20213" level="7">
<if_sid>20200</if_sid>
<field name="EventChannel.System.Message">update was cancelled</field>
<field name="win.system.message">update was cancelled</field>
<description>McAfee Windows AV - Virus program or DAT update cancelled</description>
<group>pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.14,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20214" level="5">
<if_sid>20205</if_sid>
<field name="EventChannel.System.Message">contains the EICAR test file</field>
<field name="win.system.message">contains the EICAR test file</field>
<options>alert_by_email</options>
<description>McAfee Windows AV - EICAR test file detected</description>
</rule>
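Review bot: Rule 20208 still keys on the legacy `<id>^257</id>` element next to the renamed `win.system.message` field, while every other rule in this hunk now reads the event ID from `win.system.eventID`; if the JSON eventchannel decoder does not populate `id`, this rule can no longer fire and "scan completed with no detections" events would fall through to the generic 20201 informational rule. I would replace that line with `<field name="win.system.eventID">^257$</field>`, anchoring the end as well, since `^257` alone also accepts longer IDs such as 2570. The commit leaves that line untouched, so it is worth confirming against the decoder output before merging.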
30 changes: 15 additions & 15 deletions rules/0230-ms-se_rules.xml
Expand Up @@ -128,117 +128,117 @@
<rule id="20168" level="0">
<category>windows</category>
<if_sid>20001,20002,20003</if_sid>
<field name="EventChannel.System.Channel">^Microsoft Antimalware</field>
<field name="win.system.channel">^Microsoft Antimalware</field>
<description>Grouping of Microsoft Security Essentials rules</description>
<options>no_full_log</options>
</rule>

<rule id="20169" level="12">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^1118$|^1119$</field>
<field name="win.system.eventID">^1118$|^1119$</field>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Virus detected, but unable to remove</description>
<options>no_full_log</options>
</rule>

<rule id="20170" level="7">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^1107$</field>
<field name="win.system.eventID">^1107$</field>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Virus detected and properly removed</description>
<options>no_full_log</options>
</rule>

<rule id="20171" level="7">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^1119$|^1118$|^1117$|^1116$</field>
<field name="win.system.eventID">^1119$|^1118$|^1117$|^1116$</field>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Virus detected</description>
<options>no_full_log</options>
</rule>

<rule id="20172" level="7">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^1015$</field>
<field name="win.system.eventID">^1015$</field>
<group>virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Suspicious activity detected</description>
<options>no_full_log</options>
</rule>

<rule id="20173" level="3">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^5007$</field>
<field name="win.system.eventID">^5007$</field>
<description>Microsoft Security Essentials - Configuration changed</description>
<options>no_full_log</options>
<group>policy_changed,pci_dss_10.2.7,pci_dss_10.6.1,gpg13_4.4,gdpr_IV_35.7.d,</group>
</rule>

<rule id="20174" level="9">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^5008$</field>
<field name="win.system.eventID">^5008$</field>
<group>pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Service failed</description>
<options>no_full_log</options>
</rule>

<rule id="20175" level="9">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^3002$</field>
<field name="win.system.eventID">^3002$</field>
<group>pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Real time protection failed</description>
<options>no_full_log</options>
</rule>

<rule id="20176" level="8">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^2012$</field>
<field name="win.system.eventID">^2012$</field>
<description>Microsoft Security Essentials - Cannot use Dynamic Signature Service</description>
<options>no_full_log</options>
</rule>

<rule id="20177" level="8">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^2004$</field>
<field name="win.system.eventID">^2004$</field>
<group>pci_dss_10.6.1,gpg13_4.14,gpg13_4.4,gpg13_,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Loading definitions failed. Using last good set</description>
<options>no_full_log</options>
</rule>

<rule id="20178" level="8">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^2003$</field>
<field name="win.system.eventID">^2003$</field>
<group>pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Engine update failed</description>
<options>no_full_log</options>
</rule>

<rule id="20179" level="8">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^2001$</field>
<field name="win.system.eventID">^2001$</field>
<group>pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Definitions update failed</description>
<options>no_full_log</options>
</rule>

<rule id="20180" level="7">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^1005$</field>
<field name="win.system.eventID">^1005$</field>
<group>pci_dss_10.6.1,gpg13_4.4,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Scan error. Scan has stopped</description>
<options>no_full_log</options>
</rule>

<rule id="20181" level="5">
<if_sid>20168</if_sid>
<field name="EventChannel.System.EventID">^1002$</field>
<field name="win.system.eventID">^1002$</field>
<group>pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,</group>
<description>Microsoft Security Essentials - Scan stopped before completion</description>
<options>no_full_log</options>
</rule>

<rule id="20182" level="5">
<if_sid>20170, 20171</if_sid>
<field name="EventChannel.System.Message">\.*DOS/EICAR_Test_File</field>
<field name="win.system.message">\.*DOS/EICAR_Test_File</field>
<options>alert_by_email</options>
<description>Microsoft Security Essentials - EICAR test file detected</description>
<options>no_full_log</options>
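Review bot: Nothing in this section records that rules 20168 through 20182 now depend on the keys emitted by the JSON eventchannel decoder rather than the old `EventChannel.System.*` path, which is the whole point of the rename and the first thing a maintainer debugging a silent rule will need to know. A comment before `<rule id="20168" level="0">` such as `<!-- Field names below are the win.system.* keys produced by the eventchannel (JSON) decoder; events arriving through the legacy Windows log format will presumably not match these rules. -->` would make that explicit. The key names are also matched literally, so the mixed-case `win.system.eventID` must agree exactly with what the decoder emits; it stands out against the otherwise lowercase `channel` and `message` keys and is worth a quick check against the decoder definition.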