2 - Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 2) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
16 <var name="MS_FREQ">6</var>
18 <group name="windows,">
19 <rule id="18100" level="0">
20 <category>windows</category>
21 <description>Group of windows rules.</description>
24 <rule id="18101" level="0">
25 <if_sid>18100</if_sid>
26 <status>^INFORMATION</status>
27 <description>Windows informational event.</description>
30 <rule id="18102" level="0">
31 <if_sid>18100</if_sid>
32 <status>^WARNING</status>
33 <description>Windows warning event.</description>
36 <rule id="18103" level="5">
37 <if_sid>18100</if_sid>
38 <status>^ERROR</status>
39 <description>Windows error event.</description>
40 <group>system_error,</group>
43 <rule id="18104" level="0">
44 <if_sid>18100</if_sid>
45 <status>^AUDIT_SUCCESS|^success</status>
46 <description>Windows audit success event.</description>
49 <rule id="18105" level="4">
50 <if_sid>18100</if_sid>
51 <status>^AUDIT_FAILURE|^failure</status>
52 <description>Windows audit failure event.</description>
55 <rule id="18106" level="5">
56 <if_sid>18105</if_sid>
57 <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^4625</id>
58 <description>Windows Logon Failure.</description>
59 <group>win_authentication_failed,</group>
62 <rule id="18107" level="3">
63 <if_sid>18104</if_sid>
64 <id>^528|^540|^672|^673|^4624|^4769</id>
65 <description>Windows Logon Success.</description>
66 <group>authentication_success,</group>
69 <rule id="18108" level="4">
70 <if_sid>18105</if_sid>
72 <description>Failed attempt to perform a privileged </description>
73 <description>operation.</description>
76 <rule id="18109" level="3">
77 <if_sid>18104</if_sid>
79 <description>Session reconnected to or disconnected from winstation.</description>
82 <rule id="18110" level="8">
83 <if_sid>18104</if_sid>
84 <id>^624|^626|^645|^4720|^4722|^4741</id>
85 <description>User account enabled or created.</description>
86 <group>adduser,account_changed,</group>
89 <rule id="18111" level="8">
90 <if_sid>18104</if_sid>
91 <id>^628|^642|^685|^4738|^4781</id>
92 <description>User account changed.</description>
93 <group>account_changed,</group>
96 <rule id="18112" level="8">
97 <if_sid>18104</if_sid>
98 <id>^630|^629|^4725|^4726</id>
99 <description>User account disabled or deleted.</description>
100 <group>adduser,account_changed,</group>
103 <rule id="18113" level="8">
104 <if_sid>18104</if_sid>
105 <id>^612|^643|^4719|^4907|^4912</id>
106 <description>Windows Audit Policy changed.</description>
107 <group>policy_changed,</group>
110 <rule id="18114" level="5">
111 <if_sid>18104</if_sid>
112 <id>^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|</id>
113 <id>^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|</id>
114 <id>^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|</id>
115 <id>^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|</id>
116 <id>^665$|^4761$|^666$|^4762$</id>
117 <description>Group Account Changed</description>
118 <group>group_changed,win_group_changed,</group>
121 <rule id="18115" level="8">
122 <if_sid>18104</if_sid>
124 <description>General account database changed.</description>
125 <info type="link">http://www.ultimatewindowssecurity.com/events/com259.html</info>
126 <group>adduser,account_changed,</group>
129 <rule id="18116" level="9">
130 <if_sid>18104</if_sid>
132 <description>User account locked out (multiple login errors).</description>
133 <group>authentication_failures,</group>
136 <rule id="18117" level="7">
137 <if_sid>18104</if_sid>
139 <description>Windows is shutting down.</description>
140 <group>system_shutdown,</group>
143 <rule id="18118" level="9">
144 <if_sid>18104</if_sid>
146 <description>Windows audit log was cleared.</description>
147 <group>logs_cleared,</group>
150 <rule id="18119" level="3">
151 <if_sid>18107</if_sid>
152 <options>alert_by_email</options>
154 <description>First time this user logged in this system.</description>
155 <group>authentication_success,</group>
158 <rule id="18120" level="0">
159 <if_sid>18105</if_sid>
161 <description>Windows login attempt (ignored; duplicate of another logon event).</description>
164 <rule id="18125" level="5">
165 <if_sid>18102, 18103</if_sid>
166 <id>^20187|^20014|^20078|^20050|^20049|^20189</id>
167 <description>Remote access login failure.</description>
168 <group>authentication_failed,</group>
171 <rule id="18126" level="3">
172 <if_sid>18101</if_sid>
174 <description>Remote access login success.</description>
175 <group>authentication_success,</group>
178 <rule id="18127" level="8">
179 <if_sid>18104</if_sid>
181 <description>Computer account changed/deleted.</description>
182 <group>account_changed,</group>
185 <rule id="18128" level="8">
186 <!-- if_sid>18104</if_sid -->
188 <description>Group account added/changed/deleted.</description>
189 <info>This rule has been deprecated</info>
190 <group>account_changed,</group>
193 <rule id="18129" level="8">
194 <if_sid>18103</if_sid>
196 <description>Windows file system full.</description>
197 <group>low_diskspace,</group>
201 <!-- Granular Windows logon rules -->
202 <rule id="18130" level="5">
203 <if_sid>18106</if_sid>
205 <description>Logon Failure - Unknown user or bad password.</description>
206 <info type="link">http://www.ultimatewindowssecurity.com/events/com190.html</info>
207 <group>win_authentication_failed,</group>
210 <rule id="18131" level="5">
211 <if_sid>18106</if_sid>
213 <description>Logon Failure - Account logon time restriction </description>
214 <description>violation.</description>
215 <info type="link">http://www.ultimatewindowssecurity.com/events/com191.html</info>
216 <group>win_authentication_failed,login_denied,</group>
219 <rule id="18132" level="5">
220 <if_sid>18106</if_sid>
222 <description>Logon Failure - Account currently disabled.</description>
223 <info type="link">http://www.ultimatewindowssecurity.com/events/com192.html</info>
224 <group>win_authentication_failed,login_denied,</group>
227 <rule id="18133" level="5">
228 <if_sid>18106</if_sid>
230 <description>Logon Failure - Specified account expired.</description>
231 <info type="link">http://www.ultimatewindowssecurity.com/events/com193.html</info>
232 <group>win_authentication_failed,login_denied,</group>
235 <rule id="18134" level="7">
236 <if_sid>18106</if_sid>
238 <description>Logon Failure - User not allowed to login at </description>
239 <description>this computer.</description>
240 <info type="link">http://www.ultimatewindowssecurity.com/events/com194.html</info>
241 <group>win_authentication_failed,login_denied,</group>
244 <rule id="18135" level="5">
245 <if_sid>18106</if_sid>
247 <description>Logon Failure - User not granted logon type.</description>
248 <info type="link">http://www.ultimatewindowssecurity.com/events/com195.html</info>
249 <group>win_authentication_failed,</group>
252 <rule id="18136" level="5">
253 <if_sid>18106</if_sid>
255 <description>Logon Failure - Account's password expired.</description>
256 <info type="link">http://www.ultimatewindowssecurity.com/events/com196.html</info>
257 <group>win_authentication_failed,</group>
260 <rule id="18137" level="5">
261 <if_sid>18106</if_sid>
263 <description>Logon Failure - Internal error.</description>
264 <group>win_authentication_failed,</group>
267 <rule id="18138" level="7">
268 <if_sid>18106</if_sid>
270 <description>Logon Failure - Account locked out.</description>
271 <group>win_authentication_failed,</group>
274 <rule id="18139" level="5">
275 <if_sid>18105</if_sid>
276 <id>^672|^673|^675|^676|^681|^4769</id>
277 <description>Windows DC Logon Failure.</description>
278 <group>win_authentication_failed,</group>
281 <rule id="18140" level="7">
282 <if_sid>18104</if_sid>
284 <description>System time changed.</description>
285 <group>time_changed,</group>
288 <rule id="18141" level="7">
289 <if_sid>18102</if_sid>
291 <match>unexpected shutdown</match>
292 <group>system_error, system_shutdown,</group>
293 <description>Unexpected Windows shutdown.</description>
296 <rule id="18142" level="5">
297 <if_sid>18104</if_sid>
299 <description>User account unlocked.</description>
300 <info type="link">http://www.ultimatewindowssecurity.com/events/com291.html</info>
301 <group>account_changed,</group>
304 <rule id="18143" level="8">
305 <if_sid>18114</if_sid>
306 <id>^631|^635|^658</id>
307 <description>Security enabled group created.</description>
308 <group>adduser,account_changed,</group>
311 <rule id="18144" level="8">
312 <if_sid>18114</if_sid>
313 <id>^634|^638|^662</id>
314 <description>Security enabled group deleted.</description>
315 <group>adduser,account_changed,</group>
318 <!-- Some services change their startup type automatically -->
319 <rule id="18145" level="3">
320 <if_sid>18101</if_sid>
322 <group>policy_changed,</group>
323 <description>Service startup type was changed.</description>
324 <info type="text">This does not appear to be logged on Windows 2000.</info>
327 <rule id="18146" level="5">
328 <if_sid>18101</if_sid>
330 <options>alert_by_email</options>
331 <description>Application Uninstalled.</description>
334 <rule id="18147" level="5">
335 <if_sid>18101</if_sid>
337 <options>alert_by_email</options>
338 <description>Application Installed.</description>
341 <rule id="18148" level="3">
342 <if_sid>18104</if_sid>
344 <description>Windows is starting up.</description>
347 <rule id="18149" level="3">
348 <if_sid>18104</if_sid>
349 <id>^538|^4634|^4647</id>
350 <description>Windows User Logoff.</description>
353 <!-- Granular group rules -->
355 <rule id="18200" level="5">
356 <if_sid>18104</if_sid>
357 <id>^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|</id>
358 <id>^663$|^4759$</id>
359 <description>Group Account Created</description>
360 <group>group_created,win_group_created,</group>
363 <rule id="18201" level="5">
364 <if_sid>18104</if_sid>
365 <id>^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|</id>
366 <id>^667$|^4763$</id>
367 <description>Group Account Deleted</description>
368 <group>group_deleted,win_group_deleted,</group>
371 <rule id="18202" level="5">
372 <if_sid>18200</if_sid>
373 <id>^631$|^4727$</id>
374 <description>Security Enabled Global Group Created</description>
375 <group>group_created,win_group_created,</group>
376 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631</info>
379 <rule id="18203" level="5">
380 <if_sid>18114</if_sid>
381 <id>^632$|^4728$</id>
382 <description>Security Enabled Global Group Member Added</description>
383 <group>group_changed,win_group_changed,</group>
384 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632</info>
387 <rule id="18204" level="5">
388 <if_sid>18114</if_sid>
389 <id>^633$|^4729$</id>
390 <description>Security Enabled Global Group Member Removed</description>
391 <group>group_changed,win_group_changed,</group>
392 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info>
395 <rule id="18205" level="5">
396 <if_sid>18201</if_sid>
397 <id>^634$|^4730$</id>
398 <description>Security Enabled Global Group Deleted</description>
399 <group>group_deleted,win_group_deleted,</group>
400 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634</info>
403 <rule id="18206" level="5">
404 <if_sid>18200</if_sid>
405 <id>^635$|^4731$</id>
406 <description>Security Enabled Local Group Created</description>
407 <group>group_created,win_group_created,</group>
408 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635</info>
411 <rule id="18207" level="5">
412 <if_sid>18114</if_sid>
413 <id>^636$|^4732$</id>
414 <description>Security Enabled Local Group Member Added</description>
415 <group>group_changed,win_group_changed,</group>
416 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636</info>
419 <rule id="18208" level="5">
420 <if_sid>18114</if_sid>
421 <id>^637$|^4733$</id>
422 <description>Security Enabled Local Group Member Removed</description>
423 <group>group_changed,win_group_changed,</group>
424 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637</info>
427 <rule id="18209" level="5">
428 <if_sid>18201</if_sid>
429 <id>^638$|^4734$</id>
430 <description>Security Enabled Local Group Deleted</description>
431 <group>group_deleted,win_group_deleted,</group>
432 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638</info>
435 <rule id="18210" level="5">
436 <if_sid>18114</if_sid>
437 <id>^639$|^4735$</id>
438 <description>Security Enabled Local Group Changed</description>
439 <group>group_changed,win_group_changed,</group>
440 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639</info>
443 <rule id="18211" level="5">
444 <if_sid>18114</if_sid>
445 <id>^641$|^4737$</id>
446 <description>Security Enabled Global Group Changed</description>
447 <group>group_changed,win_group_changed,</group>
448 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641</info>
451 <rule id="18212" level="5">
452 <if_sid>18200</if_sid>
453 <id>^658$|^4754$</id>
454 <description>Security Enabled Universal Group Created</description>
455 <group>group_created,win_group_created,</group>
456 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658</info>
459 <rule id="18213" level="5">
460 <if_sid>18114</if_sid>
461 <id>^659$|^4755$</id>
462 <description>Security Enabled Universal Group Changed</description>
463 <group>group_changed,win_group_changed,</group>
464 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659</info>
467 <rule id="18214" level="5">
468 <if_sid>18114</if_sid>
469 <id>^660$|^4756$</id>
470 <description>Security Enabled Universal Group Member Added</description>
471 <group>group_changed,win_group_changed,</group>
472 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660</info>
475 <rule id="18215" level="5">
476 <if_sid>18114</if_sid>
477 <id>^661$|^4757$</id>
478 <description>Security Enabled Universal Group Member Removed</description>
479 <group>group_changed,win_group_changed,</group>
480 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661</info>
483 <rule id="18216" level="5">
484 <if_sid>18201</if_sid>
485 <id>^662$|^4758$</id>
486 <description>Security Enabled Universal Group Deleted</description>
487 <group>group_deleted,win_group_deleted,</group>
488 <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662</info>
491 <rule id="18217" level="12">
492 <if_sid>18207,18208</if_sid>
493 <regex> ID:\s+\p*S-1-5-32-544\p*</regex>
494 <description>Administrators Group Changed</description>
495 <group>group_changed,win_group_changed,</group>
496 <info>http://support.microsoft.com/kb/243330</info>
499 <rule id="18218" level="5">
500 <if_sid>18207,18208</if_sid>
501 <regex> ID:\s+%{S-1-1-0}</regex>
502 <description>Everyone Group Changed</description>
503 <group>group_changed,win_group_changed,</group>
504 <info>http://support.microsoft.com/kb/243330</info>
507 <rule id="18219" level="12">
508 <if_sid>18207,18208</if_sid>
509 <regex> ID:\s+%{S-1-5-9}</regex>
510 <description>Enterprise Domain Controllers Group Changed</description>
511 <group>group_changed,win_group_changed,</group>
512 <info>http://support.microsoft.com/kb/243330</info>
515 <rule id="18220" level="5">
516 <if_sid>18207,18208</if_sid>
517 <regex> ID:\s+%{S-1-5-11}</regex>
518 <description>Authenticated Users Group Changed</description>
519 <group>group_changed,win_group_changed,</group>
520 <info>http://support.microsoft.com/kb/243330</info>
523 <rule id="18221" level="5">
524 <if_sid>18207,18208</if_sid>
525 <regex> ID:\s+%{S-1-5-13}</regex>
526 <description>Terminal Server Users Group Changed</description>
527 <group>group_changed,win_group_changed,</group>
528 <info>http://support.microsoft.com/kb/243330</info>
531 <rule id="18222" level="12">
532 <if_sid>18203,18204</if_sid>
533 <regex> ID:\s+%{S-1-5-21\S+-512}</regex>
534 <description>Domain Admins Group Changed</description>
535 <group>group_changed,win_group_changed,</group>
536 <info>http://support.microsoft.com/kb/243330</info>
539 <rule id="18223" level="5">
540 <if_sid>18203,18204</if_sid>
541 <regex> ID:\s+%{S-1-5-21\S+-513}</regex>
542 <description>Domain Users Group Changed</description>
543 <group>group_changed,win_group_changed,</group>
544 <info>http://support.microsoft.com/kb/243330</info>
547 <rule id="18224" level="0">
548 <if_sid>18223,18203</if_sid>
549 <match>Target Account Name: None</match>
550 <description>Local User Group NONE</description>
551 <info>Bogus group that users are added to upon creation.</info>
554 <rule id="18225" level="12">
555 <if_sid>18203,18204</if_sid>
556 <regex> ID:\s+%{S-1-5-21\S+-514}</regex>
557 <description>Domain Guests Group Changed</description>
558 <group>group_changed,win_group_changed,</group>
559 <info>http://support.microsoft.com/kb/243330</info>
562 <rule id="18226" level="5">
563 <if_sid>18203,18204</if_sid>
564 <regex> ID:\s+%{S-1-5-21\S+-515}</regex>
565 <description>Domain Computers Group Changed</description>
566 <group>group_changed,win_group_changed,</group>
567 <info>http://support.microsoft.com/kb/243330</info>
570 <rule id="18227" level="12">
571 <if_sid>18203,18204</if_sid>
572 <regex> ID:\s+%{S-1-5-21\S+-516}</regex>
573 <description>Domain Controllers Group Changed</description>
574 <group>group_changed,win_group_changed,</group>
575 <info>http://support.microsoft.com/kb/243330</info>
578 <rule id="18228" level="10">
579 <if_sid>18207,18208</if_sid>
580 <regex> ID:\s+%{S-1-5-21\S+-517}</regex>
581 <description>Cert Publishers Group Changed</description>
582 <group>group_changed,win_group_changed,</group>
583 <info>http://support.microsoft.com/kb/243330</info>
586 <rule id="18229" level="12">
587 <if_sid>18203,18204</if_sid>
588 <regex> ID:\s+%{S-1-5-21\.+-518}</regex>
589 <description>Schema Admins Group Changed</description>
590 <group>group_changed,win_group_changed,</group>
591 <info>http://support.microsoft.com/kb/243330</info>
594 <rule id="18230" level="12">
595 <if_sid>18203,18204</if_sid>
596 <regex> ID:\s+%{S-1-5-21\S+-519}</regex>
597 <description>Enterprise Admins Group Changed</description>
598 <group>group_changed,win_group_changed,</group>
599 <info>http://support.microsoft.com/kb/243330</info>
602 <rule id="18231" level="10">
603 <if_sid>18203,18204</if_sid>
604 <regex> ID:\s+%{S-1-5-21\S+-520}</regex>
605 <description>Group Policy Creator Owners Group Changed</description>
606 <group>group_changed,win_group_changed,</group>
607 <info>http://support.microsoft.com/kb/243330</info>
610 <rule id="18232" level="10">
611 <if_sid>18207,18208</if_sid>
612 <regex>\w* ID:\s+%{S-1-5-21\S+-553}</regex>
613 <description>RAS and IAS Servers Group Changed</description>
614 <group>group_changed,win_group_changed,</group>
615 <info>http://support.microsoft.com/kb/243330</info>
618 <rule id="18233" level="5">
619 <if_sid>18207,18208</if_sid>
620 <regex> ID:\s+%{S-1-5-32-545}</regex>
621 <description>Users Group Changed</description>
622 <group>group_changed,win_group_changed,</group>
623 <info>http://support.microsoft.com/kb/243330</info>
626 <rule id="18234" level="12">
627 <if_sid>18207,18208</if_sid>
628 <regex> ID:\s+%{S-1-5-32-546}</regex>
629 <description>Guests Group Changed</description>
630 <group>group_changed,win_group_changed,</group>
631 <info>http://support.microsoft.com/kb/243330</info>
634 <rule id="18235" level="10">
635 <if_sid>18207,18208</if_sid>
636 <regex> ID:\s+%{S-1-5-32-547}</regex>
637 <description>Power Users Group Changed</description>
638 <group>group_changed,win_group_changed,</group>
639 <info>http://support.microsoft.com/kb/243330</info>
642 <rule id="18236" level="10">
643 <if_sid>18207,18208</if_sid>
644 <regex> ID:\s+%{S-1-5-32-548}</regex>
645 <description>Account Operators Group Changed</description>
646 <group>group_changed,win_group_changed,</group>
647 <info>http://support.microsoft.com/kb/243330</info>
650 <rule id="18237" level="10">
651 <if_sid>18207,18208</if_sid>
652 <regex> ID:\s+%{S-1-5-32-549}</regex>
653 <description>Server Operators Group Changed</description>
654 <group>group_changed,win_group_changed,</group>
655 <info>http://support.microsoft.com/kb/243330</info>
658 <rule id="18238" level="8">
659 <if_sid>18207,18208</if_sid>
660 <regex>\w* ID:\s+%{S-1-5-32-550}</regex>
661 <description>Print Operators Group Changed</description>
662 <group>group_changed,win_group_changed,</group>
663 <info>http://support.microsoft.com/kb/243330</info>
666 <rule id="18239" level="12">
667 <if_sid>18207,18208</if_sid>
668 <regex> ID:\s+%{S-1-5-32-551}</regex>
669 <description>Backup Operators Group Changed</description>
670 <group>group_changed,win_group_changed,</group>
671 <info>http://support.microsoft.com/kb/243330</info>
674 <rule id="18240" level="10">
675 <if_sid>18207,18208</if_sid>
676 <regex> ID:\s+%{S-1-5-32-552}</regex>
677 <description>Replicators Group Changed</description>
678 <group>group_changed,win_group_changed,</group>
679 <info>http://support.microsoft.com/kb/243330</info>
682 <rule id="18241" level="8">
683 <if_sid>18207,18208</if_sid>
684 <regex> ID:\s+%{S-1-5-32-554}</regex>
685 <description>Pre-Windows 2000 Compatible Access Group Changed</description>
686 <group>group_changed,win_group_changed,</group>
687 <info>http://support.microsoft.com/kb/243330</info>
690 <rule id="18242" level="10">
691 <if_sid>18207,18208</if_sid>
692 <regex> ID:\s+%{S-1-5-32-555}</regex>
693 <description>Remote Desktop Users Group Changed</description>
694 <group>group_changed,win_group_changed,</group>
695 <info>http://support.microsoft.com/kb/243330</info>
698 <rule id="18243" level="10">
699 <if_sid>18207,18208</if_sid>
700 <regex> ID:\s+%{S-1-5-32-556}</regex>
701 <description>Network Configuration Operators Group Changed</description>
702 <group>group_changed,win_group_changed,</group>
703 <info>http://support.microsoft.com/kb/243330</info>
706 <rule id="18244" level="10">
707 <if_sid>18207,18208</if_sid>
708 <regex> ID:\s+%{S-1-5-32-557}</regex>
709 <description>Incoming Forest Trust Builders Group Changed</description>
710 <group>group_changed,win_group_changed,</group>
711 <info>http://support.microsoft.com/kb/243330</info>
714 <rule id="18245" level="8">
715 <if_sid>18207,18208</if_sid>
716 <regex> ID:\s+%{S-1-5-32-558}</regex>
717 <description>Performance Monitor Users Group Changed</description>
718 <group>group_changed,win_group_changed,</group>
719 <info>http://support.microsoft.com/kb/243330</info>
722 <rule id="18246" level="8">
723 <if_sid>18207,18208</if_sid>
724 <regex> ID:\s+%{S-1-5-32-559}</regex>
725 <description>Performance Log Users Group Changed</description>
726 <group>group_changed,win_group_changed,</group>
727 <info>http://support.microsoft.com/kb/243330</info>
730 <rule id="18247" level="8">
731 <if_sid>18207,18208</if_sid>
732 <regex> ID:\s+%{S-1-5-32-560}</regex>
733 <description>Windows Authorization Access Group Changed</description>
734 <group>group_changed,win_group_changed,</group>
735 <info>http://support.microsoft.com/kb/243330</info>
738 <rule id="18248" level="8">
739 <if_sid>18207,18208</if_sid>
740 <regex> ID:\s+%{S-1-5-32-561}</regex>
741 <description>Terminal Server License Servers Group Changed</description>
742 <group>group_changed,win_group_changed,</group>
743 <info>http://support.microsoft.com/kb/243330</info>
746 <rule id="18249" level="8">
747 <if_sid>18207,18208</if_sid>
748 <regex> ID:\s+%{S-1-5-32-562}</regex>
749 <description>Distributed COM Users Group Changed</description>
750 <group>group_changed,win_group_changed,</group>
751 <info>http://support.microsoft.com/kb/243330</info>
754 <rule id="18250" level="12">
755 <if_sid>18207,18208</if_sid>
756 <regex> ID:\s+%{S-1-5-\s*21\.+\s*-498}</regex>
757 <description>Enterprise Read-only Domain Controllers Group Changed</description>
758 <group>group_changed,win_group_changed,</group>
759 <info>http://support.microsoft.com/kb/243330</info>
762 <rule id="18251" level="12">
763 <if_sid>18207,18208</if_sid>
764 <regex> ID:\s+%{S-1-5-\s*21\.+\s*-529}</regex>
765 <description>Read-only Domain Controllers Group Changed</description>
766 <group>group_changed,win_group_changed,</group>
767 <info>http://support.microsoft.com/kb/243330</info>
770 <rule id="18252" level="12">
771 <if_sid>18207,18208</if_sid>
772 <regex> ID:\s+%{S-1-5-32-569}</regex>
773 <description>Cryptographic Operators Group Changed</description>
774 <group>group_changed,win_group_changed,</group>
775 <info>http://support.microsoft.com/kb/243330</info>
778 <rule id="18253" level="10">
779 <if_sid>18207,18208</if_sid>
780 <regex> ID:\s+%{S-1-5-\s*21\.+\s*-571}</regex>
781 <description>Allowed RODC Password Replication Group Changed</description>
782 <group>group_changed,win_group_changed,</group>
783 <info>http://support.microsoft.com/kb/243330</info>
786 <rule id="18254" level="10">
787 <if_sid>18207,18208</if_sid>
788 <regex> ID:\s+%{S-1-5-\s*21\.+\s*-572}</regex>
789 <description>Denied RODC Password Replication Group Changed</description>
790 <group>group_changed,win_group_changed,</group>
791 <info>http://support.microsoft.com/kb/243330</info>
794 <rule id="18255" level="10">
795 <if_sid>18207,18208</if_sid>
796 <regex> ID:\s+%{S-1-5-32-573}</regex>
797 <description>Event Log Readers Group Changed</description>
798 <group>group_changed,win_group_changed,</group>
799 <info>http://support.microsoft.com/kb/243330</info>
802 <rule id="18256" level="10">
803 <if_sid>18207,18208</if_sid>
804 <regex> ID:\s+%{S-1-5-32-574}</regex>
805 <description>Certificate Service DCOM Access Group Changed</description>
806 <group>group_changed,win_group_changed,</group>
807 <info>http://support.microsoft.com/kb/243330</info>
810 <!-- Ignore Login events, type 5, from Advapi for:
811 - LOCAL SERVICE and NETWORK SERVICE.
     Note: the <user> match below also covers ANONYMOUS LOGON, and the visible
     rule applies no logon-type or source (Advapi) restriction, so it silences
     every 528/538/540 event for these accounts; confirm that is intended before
     relying on it, since ANONYMOUS LOGON network logons are commonly reviewed.
813 <rule id="18121" level="0">
814 <if_sid>18107,18149</if_sid>
815 <id>^528|^538|^540</id>
816 <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
817 <description>Windows Logon Success (ignored).</description>
821 <!-- Kerberos failures that may indicate an attack -->
822 <rule id="18170" level="10">
823 <if_sid>18139</if_sid>
824 <match>Failure Code: 0x1F</match>
825 <description>Windows DC integrity check on decrypted </description>
826 <description>field failed.</description>
827 <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
828 <group>win_authentication_failed,attacks,</group>
831 <rule id="18171" level="10">
832 <if_sid>18139</if_sid>
833 <match>Failure Code: 0x22</match>
834 <description>Windows DC - Possible replay attack.</description>
835 <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
836 <group>win_authentication_failed,attacks,</group>
839 <rule id="18172" level="7">
840 <if_sid>18139</if_sid>
841 <match>Failure Code: 0x25</match>
842 <description>Windows DC - Clock skew too great.</description>
843 <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
844 <group>win_authentication_failed,attacks,</group>
848 <!-- MS SQL rules -->
849 <rule id="18180" level="5">
850 <if_sid>18105</if_sid>
852 <group>win_authentication_failed,</group>
853 <description>MS SQL Server Logon Failure.</description>
856 <rule id="18181" level="3">
857 <if_sid>18104</if_sid>
858 <id>^18454|^18453</id>
859 <description>MS SQL Server Logon Success.</description>
860 <group>authentication_success,</group>
865 <!-- Composite rules -->
866 <rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
867 <if_matched_sid>18108</if_matched_sid>
869 <description>Multiple failed attempts to perform a </description>
870 <description>privileged operation by the same user.</description>
873 <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
874 <if_matched_group>win_authentication_failed</if_matched_group>
875 <description>Multiple Windows Logon Failures.</description>
876 <group>authentication_failures,</group>
879 <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
880 <if_matched_sid>18105</if_matched_sid>
881 <description>Multiple Windows audit failure events.</description>
884 <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
885 <if_matched_sid>18103</if_matched_sid>
886 <description>Multiple Windows error events.</description>
889 <rule id="18155" level="10" frequency="$MS_FREQ" timeframe="120">
890 <if_matched_sid>18102</if_matched_sid>
891 <description>Multiple Windows warning events.</description>
894 <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240">
895 <if_matched_sid>18125</if_matched_sid>
896 <description>Multiple remote access login failures.</description>
897 <group>authentication_failures,</group>