1 <!-- @(#) $Id: ./etc/rules/msauth_rules.xml, 2011/09/08 dcid Exp $
- Example of Microsoft Windows rules for OSSEC, covering the legacy 2000/XP/2003 event IDs and their Vista/2008+ (4xxx) equivalents.
5 - Copyright (C) 2009 Trend Micro Inc.
- This program is free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
17 <var name="MS_FREQ">6</var>
19 <group name="windows,">
20 <rule id="18100" level="0">
21 <category>windows</category>
22 <description>Group of windows rules.</description>
25 <rule id="18101" level="0">
26 <if_sid>18100</if_sid>
27 <status>^INFORMATION</status>
28 <description>Windows informational event.</description>
31 <rule id="18102" level="0">
32 <if_sid>18100</if_sid>
33 <status>^WARNING</status>
34 <description>Windows warning event.</description>
37 <rule id="18103" level="5">
38 <if_sid>18100</if_sid>
39 <status>^ERROR</status>
40 <description>Windows error event.</description>
41 <group>system_error,</group>
44 <rule id="18104" level="0">
45 <if_sid>18100</if_sid>
46 <status>^AUDIT_SUCCESS|^success</status>
47 <description>Windows audit success event.</description>
50 <rule id="18105" level="4">
51 <if_sid>18100</if_sid>
52 <status>^AUDIT_FAILURE|^failure</status>
53 <description>Windows audit failure event.</description>
56 <rule id="18106" level="5">
57 <if_sid>18105</if_sid>
58 <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
59 <description>Windows Logon Failure.</description>
60 <group>win_authentication_failed,</group>
<rule id="18107" level="3">
<if_sid>18104</if_sid>
<!-- Audit-success logon events. 528/540 and their 4624 counterpart are host
     logons; 672/673/4769 are Kerberos ticket events that only a domain
     controller logs. NOTE(review): a ticket request is not an interactive
     logon and is emitted for every service a principal touches, so listing
     4769 here inflates this rule and 18119 ("first time this user logged in"),
     which chains from it. Confirm that DC ticket traffic is wanted in this list. -->
<id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
<description>Windows Logon Success.</description>
<group>authentication_success,</group>
70 <rule id="18108" level="4">
71 <if_sid>18105</if_sid>
73 <description>Failed attempt to perform a privileged </description>
74 <description>operation.</description>
77 <rule id="18109" level="3">
78 <if_sid>18104</if_sid>
80 <description>Session reconnected/disconnected to winstation.</description>
83 <rule id="18110" level="8">
84 <if_sid>18104</if_sid>
85 <id>^624$|^626$|^645$|^4720$|^4722$|^4741$</id>
86 <description>User account enabled or created.</description>
87 <group>adduser,account_changed,</group>
90 <rule id="18111" level="8">
91 <if_sid>18104</if_sid>
92 <id>^628$|^642$|^685$|^4738$|^4781$</id>
93 <description>User account changed.</description>
94 <group>account_changed,</group>
97 <rule id="18112" level="8">
98 <if_sid>18104</if_sid>
99 <id>^630$|^629$|^4725$|^4726$</id>
100 <description>User account disabled or deleted.</description>
101 <group>adduser,account_changed,</group>
104 <rule id="18113" level="8">
105 <if_sid>18104</if_sid>
106 <id>^612$|^643$|^4719$|^4907$|^4912$</id>
107 <description>Windows Audit Policy changed.</description>
108 <group>policy_changed,</group>
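<rule id="18114" level="5">
<if_sid>18104</if_sid>
<!-- Audit-success events for group membership / attribute changes. Each legacy
     (2000/2003) ID is listed next to its Vista/2008+ counterpart (legacy + 4096).
     The previous list repeated 637/4733/659/4755/660 and paired 660 with both
     4766 and 4756; the duplicates are removed here, the ID set is unchanged.
     NOTE(review): 4766 is the only ID that does not sit at the +4096 offset of a
     legacy ID in this list; confirm it is really a group-change event. -->
<id>^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|</id>
<id>^641$|^4737$|^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|</id>
<id>^655$|^4751$|^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|</id>
<id>^664$|^4760$|^665$|^4761$|^666$|^4762$|^668$|^4764$|^4766$</id>
<description>Group Account Changed</description>
<group>group_changed,win_group_changed,</group>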
122 <rule id="18115" level="8">
123 <if_sid>18104</if_sid>
125 <description>General account database changed.</description>
126 <info type="link">http://www.ultimatewindowssecurity.com/events/com259.html</info>
127 <group>adduser,account_changed,</group>
130 <rule id="18116" level="9">
131 <if_sid>18104</if_sid>
132 <id>^644$|^4740$</id>
133 <description>User account locked out (multiple login errors).</description>
134 <group>authentication_failures,</group>
137 <rule id="18117" level="7">
138 <if_sid>18104</if_sid>
139 <id>^513$|^4609$</id>
140 <description>Windows is shutting down.</description>
141 <group>system_shutdown,</group>
144 <rule id="18118" level="9">
145 <if_sid>18104</if_sid>
147 <description>Windows audit log was cleared.</description>
148 <group>logs_cleared,</group>
151 <rule id="18119" level="3">
152 <if_sid>18107</if_sid>
153 <options>alert_by_email</options>
155 <description>First time this user logged in this system.</description>
156 <group>authentication_success,</group>
159 <rule id="18120" level="0">
160 <if_sid>18105</if_sid>
162 <description>Windows login attempt (ignored). Duplicated.</description>
165 <rule id="18125" level="5">
166 <if_sid>18102, 18103</if_sid>
167 <id>^20187$|^20014$|^20078$|^20050$|^20049$|^20189$</id>
168 <description>Remote access login failure.</description>
169 <group>authentication_failed,</group>
172 <rule id="18126" level="3">
173 <if_sid>18101</if_sid>
175 <description>Remote access login success.</description>
176 <group>authentication_success,</group>
179 <rule id="18127" level="8">
180 <if_sid>18104</if_sid>
182 <description>Computer account changed/deleted.</description>
183 <group>account_changed,</group>
186 <rule id="18128" level="8">
187 <!-- if_sid>18104</if_sid -->
189 <description>Group account added/changed/deleted.</description>
190 <info>This rule has been deprecated</info>
191 <group>account_changed,</group>
194 <rule id="18129" level="8">
195 <if_sid>18103</if_sid>
197 <description>Windows file system full.</description>
198 <group>low_diskspace,</group>
202 <!-- Granular windows login rules -->
203 <rule id="18130" level="5">
204 <if_sid>18106</if_sid>
206 <description>Logon Failure - Unknown user or bad password.</description>
207 <info type="link">http://www.ultimatewindowssecurity.com/events/com190.html</info>
208 <group>win_authentication_failed,</group>
211 <rule id="18131" level="5">
212 <if_sid>18106</if_sid>
214 <description>Logon Failure - Account logon time restriction </description>
215 <description>violation.</description>
216 <info type="link">http://www.ultimatewindowssecurity.com/events/com191.html</info>
217 <group>win_authentication_failed,login_denied,</group>
220 <rule id="18132" level="5">
221 <if_sid>18106</if_sid>
223 <description>Logon Failure - Account currently disabled.</description>
224 <info type="link">http://www.ultimatewindowssecurity.com/events/com192.html</info>
225 <group>win_authentication_failed,login_denied,</group>
228 <rule id="18133" level="5">
229 <if_sid>18106</if_sid>
231 <description>Logon Failure - Specified account expired.</description>
232 <info type="link">http://www.ultimatewindowssecurity.com/events/com193.html</info>
233 <group>win_authentication_failed,login_denied,</group>
236 <rule id="18134" level="7">
237 <if_sid>18106</if_sid>
239 <description>Logon Failure - User not allowed to login at </description>
240 <description>this computer.</description>
241 <info type="link">http://www.ultimatewindowssecurity.com/events/com194.html</info>
242 <group>win_authentication_failed,login_denied,</group>
245 <rule id="18135" level="5">
246 <if_sid>18106</if_sid>
248 <description>Logon Failure - User not granted logon type.</description>
249 <info type="link">http://www.ultimatewindowssecurity.com/events/com195.html</info>
250 <group>win_authentication_failed,</group>
253 <rule id="18136" level="5">
254 <if_sid>18106</if_sid>
256 <description>Logon Failure - Account's password expired.</description>
257 <info type="link">http://www.ultimatewindowssecurity.com/events/com196.html</info>
258 <group>win_authentication_failed,</group>
261 <rule id="18137" level="5">
262 <if_sid>18106</if_sid>
264 <description>Logon Failure - Internal error.</description>
265 <group>win_authentication_failed,</group>
268 <rule id="18138" level="7">
269 <if_sid>18106</if_sid>
271 <description>Logon Failure - Account locked out.</description>
272 <group>win_authentication_failed,</group>
<rule id="18139" level="5">
<if_sid>18105</if_sid>
<!-- Audit-failure versions of the Kerberos/NTLM events a domain controller
     logs. NOTE(review): only 4769 is listed from the Vista/2008+ range, whereas
     18106/18107 carry both legacy and 4xxx IDs. Confirm whether the 4xxx
     equivalents of 672/675/681 (4768, 4771 and 4776 per Microsoft's event
     catalog; verify) should be added so that 2008+ DCs also feed 18152 and the
     Kerberos rules 18170-18172. -->
<id>^672$|^673$|^675$|^676$|^681$|^4769$</id>
<description>Windows DC Logon Failure.</description>
<group>win_authentication_failed,</group>
282 <rule id="18140" level="5">
283 <if_sid>18104</if_sid>
285 <description>System time changed.</description>
286 <group>time_changed,</group>
289 <rule id="18141" level="7">
290 <if_sid>18102</if_sid>
292 <match>unexpected shutdown</match>
293 <group>system_error, system_shutdown,</group>
294 <description>Unexpected Windows shutdown.</description>
297 <rule id="18142" level="5">
298 <if_sid>18104</if_sid>
299 <id>^671$|^4767$</id>
300 <description>User account unlocked.</description>
301 <info type="link">http://www.ultimatewindowssecurity.com/events/com291.html</info>
302 <group>account_changed,</group>
<rule id="18143" level="8">
<if_sid>18114</if_sid>
<!-- NOTE(review): unreachable. The parent 18114 only matches the member /
     attribute-change IDs in its own <id> list, which does not contain
     631/635/658, so this rule can never fire. Group creation is already
     reported by 18200 and its children (18202/18206/18212). Mark it deprecated
     like 18128 rather than re-parenting it to 18104, which would make it
     compete with 18200 for the same events. -->
<id>^631$|^635$|^658$</id>
<description>Security enabled group created.</description>
<group>adduser,account_changed,</group>
<rule id="18144" level="8">
<if_sid>18114</if_sid>
<!-- NOTE(review): unreachable for the same reason as 18143: 18114 never
     matches 634/638/662, so this rule cannot fire. Group deletion is covered by
     18201 and its children (18205/18209/18216); treat this rule as deprecated. -->
<id>^634$|^638$|^662$</id>
<description>Security enabled group deleted.</description>
<group>adduser,account_changed,</group>
319 <!-- Some services change their startup type automatically -->
320 <rule id="18145" level="3">
321 <if_sid>18101</if_sid>
323 <group>policy_changed,</group>
324 <description>Service startup type was changed.</description>
325 <info type="text">This does not appear to be logged on Windows 2000.</info>
328 <rule id="18146" level="5">
329 <if_sid>18101</if_sid>
331 <options>alert_by_email</options>
332 <description>Application Uninstalled.</description>
335 <rule id="18147" level="5">
336 <if_sid>18101</if_sid>
338 <options>alert_by_email</options>
339 <description>Application Installed.</description>
342 <rule id="18148" level="3">
343 <if_sid>18104</if_sid>
345 <description>Windows is starting up.</description>
348 <rule id="18149" level="3">
349 <if_sid>18104</if_sid>
350 <id>^538$|^4634$|^4647$</id>
351 <description>Windows User Logoff.</description>
354 <!-- Granular group rules -->
356 <rule id="18200" level="5">
357 <if_sid>18104</if_sid>
358 <id>^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|</id>
359 <id>^663$|^4759$</id>
360 <description>Group Account Created</description>
361 <group>group_created,win_group_created,</group>
364 <rule id="18201" level="5">
365 <if_sid>18104</if_sid>
366 <id>^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|</id>
367 <id>^667$|^4763$</id>
368 <description>Group Account Deleted</description>
369 <group>group_deleted,win_group_deleted,</group>
372 <rule id="18202" level="5">
373 <if_sid>18200</if_sid>
374 <id>^631$|^4727$</id>
375 <description>Security Enabled Global Group Created</description>
376 <group>group_created,win_group_created,</group>
377 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631</info>
380 <rule id="18203" level="5">
381 <if_sid>18114</if_sid>
382 <id>^632$|^4728$</id>
383 <description>Security Enabled Global Group Member Added</description>
384 <group>group_changed,win_group_changed,</group>
385 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632</info>
388 <rule id="18204" level="5">
389 <if_sid>18114</if_sid>
390 <id>^633$|^4729$</id>
391 <description>Security Enabled Global Group Member Removed</description>
392 <group>group_changed,win_group_changed,</group>
393 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info>
396 <rule id="18205" level="5">
397 <if_sid>18201</if_sid>
398 <id>^634$|^4730$</id>
399 <description>Security Enabled Global Group Deleted</description>
400 <group>group_deleted,win_group_deleted,</group>
401 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634</info>
404 <rule id="18206" level="5">
405 <if_sid>18200</if_sid>
406 <id>^635$|^4731$</id>
407 <description>Security Enabled Local Group Created</description>
408 <group>group_created,win_group_created,</group>
409 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635</info>
412 <rule id="18207" level="5">
413 <if_sid>18114</if_sid>
414 <id>^636$|^4732$</id>
415 <description>Security Enabled Local Group Member Added</description>
416 <group>group_changed,win_group_changed,</group>
417 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636</info>
420 <rule id="18208" level="5">
421 <if_sid>18114</if_sid>
422 <id>^637$|^4733$</id>
423 <description>Security Enabled Local Group Member Removed</description>
424 <group>group_changed,win_group_changed,</group>
425 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637</info>
428 <rule id="18209" level="5">
429 <if_sid>18201</if_sid>
430 <id>^638$|^4734$</id>
431 <description>Security Enabled Local Group Deleted</description>
432 <group>group_deleted,win_group_deleted,</group>
433 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638</info>
436 <rule id="18210" level="5">
437 <if_sid>18114</if_sid>
438 <id>^639$|^4735$</id>
439 <description>Security Enabled Local Group Changed</description>
440 <group>group_changed,win_group_changed,</group>
441 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639</info>
444 <rule id="18211" level="5">
445 <if_sid>18114</if_sid>
446 <id>^641$|^4737$</id>
447 <description>Security Enabled Global Group Changed</description>
448 <group>group_changed,win_group_changed,</group>
449 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641</info>
452 <rule id="18212" level="5">
453 <if_sid>18200</if_sid>
454 <id>^658$|^4754$</id>
455 <description>Security Enabled Universal Group Created</description>
456 <group>group_created,win_group_created,</group>
457 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658</info>
460 <rule id="18213" level="5">
461 <if_sid>18114</if_sid>
462 <id>^659$|^4755$</id>
463 <description>Security Enabled Universal Group Changed</description>
464 <group>group_changed,win_group_changed,</group>
465 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659</info>
468 <rule id="18214" level="5">
469 <if_sid>18114</if_sid>
470 <id>^660$|^4756$</id>
471 <description>Security Enabled Universal Group Member Added</description>
472 <group>group_changed,win_group_changed,</group>
473 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660</info>
476 <rule id="18215" level="5">
477 <if_sid>18114</if_sid>
478 <id>^661$|^4757$</id>
479 <description>Security Enabled Universal Group Member Removed</description>
480 <group>group_changed,win_group_changed,</group>
481 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661</info>
484 <rule id="18216" level="5">
485 <if_sid>18201</if_sid>
486 <id>^662$|^4758$</id>
487 <description>Security Enabled Universal Group Deleted</description>
488 <group>group_deleted,win_group_deleted,</group>
489 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662</info>
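<rule id="18217" level="12">
<if_sid>18207,18208</if_sid>
<!-- Member added to / removed from the built-in Administrators group
     (S-1-5-32-544). Written in the same %{SID} form as the sibling SID rules;
     the previous "\p*" prefix accepted any run of punctuation and had no closing
     brace, so it was looser than the rest of this block. -->
<regex> ID:\s+%{S-1-5-32-544}</regex>
<description>Administrators Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>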
500 <rule id="18218" level="5">
501 <if_sid>18207,18208</if_sid>
502 <regex> ID:\s+%{S-1-1-0}</regex>
503 <description>Everyone Group Changed</description>
504 <group>group_changed,win_group_changed,</group>
505 <info>http://support.microsoft.com/kb/243330</info>
508 <rule id="18219" level="12">
509 <if_sid>18207,18208</if_sid>
510 <regex> ID:\s+%{S-1-5-9}</regex>
511 <description>Enterprise Domain Controllers Group Changed</description>
512 <group>group_changed,win_group_changed,</group>
513 <info>http://support.microsoft.com/kb/243330</info>
516 <rule id="18220" level="5">
517 <if_sid>18207,18208</if_sid>
518 <regex> ID:\s+%{S-1-5-11}</regex>
519 <description>Authenticated Users Group Changed</description>
520 <group>group_changed,win_group_changed,</group>
521 <info>http://support.microsoft.com/kb/243330</info>
524 <rule id="18221" level="5">
525 <if_sid>18207,18208</if_sid>
526 <regex> ID:\s+%{S-1-5-13}</regex>
527 <description>Terminal Server Users Group Changed</description>
528 <group>group_changed,win_group_changed,</group>
529 <info>http://support.microsoft.com/kb/243330</info>
532 <rule id="18222" level="12">
533 <if_sid>18203,18204</if_sid>
534 <regex> ID:\s+%{S-1-5-21\S+-512}</regex>
535 <description>Domain Admins Group Changed</description>
536 <group>group_changed,win_group_changed,</group>
537 <info>http://support.microsoft.com/kb/243330</info>
540 <rule id="18223" level="5">
541 <if_sid>18203,18204</if_sid>
542 <regex> ID:\s+%{S-1-5-21\S+-513}</regex>
543 <description>Domain Users Group Changed</description>
544 <group>group_changed,win_group_changed,</group>
545 <info>http://support.microsoft.com/kb/243330</info>
548 <rule id="18224" level="0">
549 <if_sid>18223,18203</if_sid>
550 <match>Target Account Name: None</match>
551 <description>Local User Group NONE</description>
<info>Suppresses the member-add event for "None", the default primary group every new local user is placed in at creation (noise, not a real group change).</info>
555 <rule id="18225" level="12">
556 <if_sid>18203,18204</if_sid>
557 <regex> ID:\s+%{S-1-5-21\S+-514}</regex>
558 <description>Domain Guests Group Changed</description>
559 <group>group_changed,win_group_changed,</group>
560 <info>http://support.microsoft.com/kb/243330</info>
563 <rule id="18226" level="5">
564 <if_sid>18203,18204</if_sid>
565 <regex> ID:\s+%{S-1-5-21\S+-515}</regex>
566 <description>Domain Computers Group Changed</description>
567 <group>group_changed,win_group_changed,</group>
568 <info>http://support.microsoft.com/kb/243330</info>
571 <rule id="18227" level="12">
572 <if_sid>18203,18204</if_sid>
573 <regex> ID:\s+%{S-1-5-21\S+-516}</regex>
574 <description>Domain Controllers Group Changed</description>
575 <group>group_changed,win_group_changed,</group>
576 <info>http://support.microsoft.com/kb/243330</info>
579 <rule id="18228" level="10">
580 <if_sid>18207,18208</if_sid>
581 <regex> ID:\s+%{S-1-5-21\S+-517}</regex>
582 <description>Cert Publishers Group Changed</description>
583 <group>group_changed,win_group_changed,</group>
584 <info>http://support.microsoft.com/kb/243330</info>
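<rule id="18229" level="12">
<!-- Schema Admins (RID 518). Also chained to the universal-group member rules
     18214/18215: in a native-mode forest Schema Admins is a universal group, so
     its membership changes arrive as 660/661/4756/4757 and never reach
     18203/18204 (global groups). The old parents are kept for mixed-mode domains. -->
<if_sid>18203,18204,18214,18215</if_sid>
<!-- "\S+" as in the sibling rules; the previous "\.+" (any character) could run
     across whitespace into a different field of the message. -->
<regex> ID:\s+%{S-1-5-21\S+-518}</regex>
<description>Schema Admins Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>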
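<rule id="18230" level="12">
<!-- Enterprise Admins (RID 519). Also chained to the universal-group member
     rules 18214/18215: in a native-mode forest Enterprise Admins is a universal
     group, so its membership changes are 660/661/4756/4757 and would otherwise be
     missed by this rule. The global-group parents are kept for mixed-mode domains. -->
<if_sid>18203,18204,18214,18215</if_sid>
<regex> ID:\s+%{S-1-5-21\S+-519}</regex>
<description>Enterprise Admins Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>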
603 <rule id="18231" level="10">
604 <if_sid>18203,18204</if_sid>
605 <regex> ID:\s+%{S-1-5-21\S+-520}</regex>
606 <description>Group Policy Creator Owners Group Changed</description>
607 <group>group_changed,win_group_changed,</group>
608 <info>http://support.microsoft.com/kb/243330</info>
611 <rule id="18232" level="10">
612 <if_sid>18207,18208</if_sid>
613 <regex>\w* ID:\s+%{S-1-5-21\S+-553}</regex>
614 <description>RAS and IAS Servers Group Changed</description>
615 <group>group_changed,win_group_changed,</group>
616 <info>http://support.microsoft.com/kb/243330</info>
619 <rule id="18233" level="5">
620 <if_sid>18207,18208</if_sid>
621 <regex> ID:\s+%{S-1-5-32-545}</regex>
622 <description>Users Group Changed</description>
623 <group>group_changed,win_group_changed,</group>
624 <info>http://support.microsoft.com/kb/243330</info>
627 <rule id="18234" level="12">
628 <if_sid>18207,18208</if_sid>
629 <regex> ID:\s+%{S-1-5-32-546}</regex>
630 <description>Guests Group Changed</description>
631 <group>group_changed,win_group_changed,</group>
632 <info>http://support.microsoft.com/kb/243330</info>
635 <rule id="18235" level="10">
636 <if_sid>18207,18208</if_sid>
637 <regex> ID:\s+%{S-1-5-32-547}</regex>
638 <description>Power Users Group Changed</description>
639 <group>group_changed,win_group_changed,</group>
640 <info>http://support.microsoft.com/kb/243330</info>
643 <rule id="18236" level="10">
644 <if_sid>18207,18208</if_sid>
645 <regex> ID:\s+%{S-1-5-32-548}</regex>
646 <description>Account Operators Group Changed</description>
647 <group>group_changed,win_group_changed,</group>
648 <info>http://support.microsoft.com/kb/243330</info>
651 <rule id="18237" level="10">
652 <if_sid>18207,18208</if_sid>
653 <regex> ID:\s+%{S-1-5-32-549}</regex>
654 <description>Server Operators Group Changed</description>
655 <group>group_changed,win_group_changed,</group>
656 <info>http://support.microsoft.com/kb/243330</info>
659 <rule id="18238" level="8">
660 <if_sid>18207,18208</if_sid>
661 <regex>\w* ID:\s+%{S-1-5-32-550}</regex>
662 <description>Print Operators Group Changed</description>
663 <group>group_changed,win_group_changed,</group>
664 <info>http://support.microsoft.com/kb/243330</info>
667 <rule id="18239" level="12">
668 <if_sid>18207,18208</if_sid>
669 <regex> ID:\s+%{S-1-5-32-551}</regex>
670 <description>Backup Operators Group Changed</description>
671 <group>group_changed,win_group_changed,</group>
672 <info>http://support.microsoft.com/kb/243330</info>
675 <rule id="18240" level="10">
676 <if_sid>18207,18208</if_sid>
677 <regex> ID:\s+%{S-1-5-32-552}</regex>
678 <description>Replicators Group Changed</description>
679 <group>group_changed,win_group_changed,</group>
680 <info>http://support.microsoft.com/kb/243330</info>
683 <rule id="18241" level="8">
684 <if_sid>18207,18208</if_sid>
685 <regex> ID:\s+%{S-1-5-32-554}</regex>
686 <description>Pre-Windows 2000 Compatible Access Group Changed</description>
687 <group>group_changed,win_group_changed,</group>
688 <info>http://support.microsoft.com/kb/243330</info>
691 <rule id="18242" level="10">
692 <if_sid>18207,18208</if_sid>
693 <regex> ID:\s+%{S-1-5-32-555}</regex>
694 <description>Remote Desktop Users Group Changed</description>
695 <group>group_changed,win_group_changed,</group>
696 <info>http://support.microsoft.com/kb/243330</info>
699 <rule id="18243" level="10">
700 <if_sid>18207,18208</if_sid>
701 <regex> ID:\s+%{S-1-5-32-556}</regex>
702 <description>Network Configuration Operators Group Changed</description>
703 <group>group_changed,win_group_changed,</group>
704 <info>http://support.microsoft.com/kb/243330</info>
707 <rule id="18244" level="10">
708 <if_sid>18207,18208</if_sid>
709 <regex> ID:\s+%{S-1-5-32-557}</regex>
710 <description>Incoming Forest Trust Builders Group Changed</description>
711 <group>group_changed,win_group_changed,</group>
712 <info>http://support.microsoft.com/kb/243330</info>
715 <rule id="18245" level="8">
716 <if_sid>18207,18208</if_sid>
717 <regex> ID:\s+%{S-1-5-32-558}</regex>
718 <description>Performance Monitor Users Group Changed</description>
719 <group>group_changed,win_group_changed,</group>
720 <info>http://support.microsoft.com/kb/243330</info>
723 <rule id="18246" level="8">
724 <if_sid>18207,18208</if_sid>
725 <regex> ID:\s+%{S-1-5-32-559}</regex>
726 <description>Performance Log Users Group Changed</description>
727 <group>group_changed,win_group_changed,</group>
728 <info>http://support.microsoft.com/kb/243330</info>
731 <rule id="18247" level="8">
732 <if_sid>18207,18208</if_sid>
733 <regex> ID:\s+%{S-1-5-32-560}</regex>
734 <description>Windows Authorization Access Group Changed</description>
735 <group>group_changed,win_group_changed,</group>
736 <info>http://support.microsoft.com/kb/243330</info>
739 <rule id="18248" level="8">
740 <if_sid>18207,18208</if_sid>
741 <regex> ID:\s+%{S-1-5-32-561}</regex>
742 <description>Terminal Server License Servers Group Changed</description>
743 <group>group_changed,win_group_changed,</group>
744 <info>http://support.microsoft.com/kb/243330</info>
747 <rule id="18249" level="8">
748 <if_sid>18207,18208</if_sid>
749 <regex> ID:\s+%{S-1-5-32-562}</regex>
750 <description>Distributed COM Users Group Changed</description>
751 <group>group_changed,win_group_changed,</group>
752 <info>http://support.microsoft.com/kb/243330</info>
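<rule id="18250" level="12">
<!-- Enterprise Read-only Domain Controllers (RID 498) is a universal group, so
     its membership events are the universal-group ones handled by 18214/18215;
     the local-group parents 18207/18208 are kept for backward compatibility.
     The SID pattern now uses the same "\S+" form as the sibling rules instead of
     "\s*21\.+\s*", which allowed spaces and any character inside the SID. -->
<if_sid>18207,18208,18214,18215</if_sid>
<regex> ID:\s+%{S-1-5-21\S+-498}</regex>
<description>Enterprise Read-only Domain Controllers Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>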
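<rule id="18251" level="12">
<!-- Read-only Domain Controllers. KB 243330 (linked below) lists this group as
     S-1-5-21-<domain>-521; the previous pattern looked for RID 529, which is not
     a well-known RID, so the rule could not fire. It is a global group, so the
     global-group member rules 18203/18204 are added as parents; 18207/18208 are
     kept for backward compatibility. SID pattern normalised to the sibling form. -->
<if_sid>18207,18208,18203,18204</if_sid>
<regex> ID:\s+%{S-1-5-21\S+-521}</regex>
<description>Read-only Domain Controllers Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>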
771 <rule id="18252" level="12">
772 <if_sid>18207,18208</if_sid>
773 <regex> ID:\s+%{S-1-5-32-569}</regex>
774 <description>Cryptographic Operators Group Changed</description>
775 <group>group_changed,win_group_changed,</group>
776 <info>http://support.microsoft.com/kb/243330</info>
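<rule id="18253" level="10">
<if_sid>18207,18208</if_sid>
<!-- Allowed RODC Password Replication Group (RID 571), a domain-local group, so
     the local-group member rules are the right parents. SID pattern written in
     the same "\S+" form as the sibling rules; the previous "\s*21\.+\s*" accepted
     spaces and any character inside the SID. -->
<regex> ID:\s+%{S-1-5-21\S+-571}</regex>
<description>Allowed RODC Password Replication Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>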
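<rule id="18254" level="10">
<if_sid>18207,18208</if_sid>
<!-- Denied RODC Password Replication Group (RID 572), a domain-local group.
     SID pattern written in the same "\S+" form as the sibling rules; the
     previous "\s*21\.+\s*" accepted spaces and any character inside the SID. -->
<regex> ID:\s+%{S-1-5-21\S+-572}</regex>
<description>Denied RODC Password Replication Group Changed</description>
<group>group_changed,win_group_changed,</group>
<info>http://support.microsoft.com/kb/243330</info>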
795 <rule id="18255" level="10">
796 <if_sid>18207,18208</if_sid>
797 <regex> ID:\s+%{S-1-5-32-573}</regex>
798 <description>Event Log Readers Group Changed</description>
799 <group>group_changed,win_group_changed,</group>
800 <info>http://support.microsoft.com/kb/243330</info>
803 <rule id="18256" level="10">
804 <if_sid>18207,18208</if_sid>
805 <regex> ID:\s+%{S-1-5-32-574}</regex>
806 <description>Certificate Service DCOM Access Group Changed</description>
807 <group>group_changed,win_group_changed,</group>
808 <info>http://support.microsoft.com/kb/243330</info>
<!-- Ignore logon/logoff events (legacy IDs 528/538/540) that the built-in
service identities generate constantly through Advapi (logon type 5):
- LOCAL SERVICE, NETWORK SERVICE and ANONYMOUS LOGON.
NOTE(review): as visible here, rule 18121 filters on user name and event ID
only, so it also discards these accounts' other logon types (e.g. ANONYMOUS
LOGON network logons), while the Vista/2008+ IDs 4624/4634 are not suppressed
at all. Confirm that is the intent.
814 <rule id="18121" level="0">
815 <if_sid>18107,18149</if_sid>
816 <id>^528$|^538$|^540$</id>
817 <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
818 <description>Windows Logon Success (ignored).</description>
822 <!-- Kerberos failures that may indicate an attack -->
<rule id="18170" level="10">
<if_sid>18139</if_sid>
<!-- Kerberos failure code 0x1F (integrity check on decrypted field failed).
     <match> is a literal substring test, so only a single space between
     "Failure Code:" and the value matches. NOTE(review): confirm this spacing
     against the 4769 message format on 2008+ DCs (the label/value separator
     there may be a tab); otherwise 18170-18172 only see legacy 2003 events. -->
<match>Failure Code: 0x1F</match>
<description>Windows DC integrity check on decrypted </description>
<description>field failed.</description>
<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
<group>win_authentication_failed,attacks,</group>
832 <rule id="18171" level="10">
833 <if_sid>18139</if_sid>
834 <match>Failure Code: 0x22</match>
835 <description>Windows DC - Possible replay attack.</description>
836 <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
837 <group>win_authentication_failed,attacks,</group>
<rule id="18172" level="7">
<if_sid>18139</if_sid>
<!-- Kerberos failure code 0x25 (clock skew too great). NOTE(review): skew is
     far more often host time drift than an attack, yet this rule carries the
     "attacks" group at level 7; consider a lower level or dropping "attacks" so
     the genuine replay/integrity failures in 18170/18171 stand out. -->
<match>Failure Code: 0x25</match>
<description>Windows DC - Clock skew too great.</description>
<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
<group>win_authentication_failed,attacks,</group>
849 <!-- MS SQL rules -->
850 <rule id="18180" level="5">
851 <if_sid>18105</if_sid>
853 <group>win_authentication_failed,</group>
854 <description>MS SQL Server Logon Failure.</description>
857 <rule id="18181" level="3">
858 <if_sid>18104</if_sid>
859 <id>^18454$|^18453$</id>
860 <description>MS SQL Server Logon Success.</description>
861 <group>authentication_success,</group>
866 <!-- Composite rules -->
867 <rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
868 <if_matched_sid>18108</if_matched_sid>
870 <description>Multiple failed attempts to perform a </description>
871 <description>privileged operation by the same user.</description>
874 <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
875 <if_matched_group>win_authentication_failed</if_matched_group>
876 <description>Multiple Windows Logon Failures.</description>
877 <group>authentication_failures,</group>
880 <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
881 <if_matched_sid>18105</if_matched_sid>
882 <description>Multiple Windows audit failure events.</description>
885 <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
886 <if_matched_sid>18103</if_matched_sid>
887 <description>Multiple Windows error events.</description>
890 <rule id="18155" level="10" frequency="$MS_FREQ" timeframe="120">
891 <if_matched_sid>18102</if_matched_sid>
892 <description>Multiple Windows warning events.</description>
895 <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240">
896 <if_matched_sid>18125</if_matched_sid>
897 <description>Multiple remote access login failures.</description>
898 <group>authentication_failures,</group>