X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=etc%2Frules%2Fmsauth_rules.xml;h=51ed17b303904f31eac36492fbb1729f8111cb94;hb=HEAD;hp=eda0490462ecfd4822e2cca218435486c0c0e25f;hpb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;p=ossec-hids.git

diff --git a/etc/rules/msauth_rules.xml b/etc/rules/msauth_rules.xml
old mode 100755
new mode 100644
index eda0490..51ed17b
--- a/etc/rules/msauth_rules.xml
+++ b/etc/rules/msauth_rules.xml
@@ -62,27 +62,27 @@
 
   <rule id="18107" level="3">
     <if_sid>18104</if_sid>
-    <id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
+    <id>^528$|^540$|^673$|^4624$|^4769$</id>
     <description>Windows Logon Success.</description>
     <group>authentication_success,</group>
   </rule>
 
   <rule id="18108" level="4">
     <if_sid>18105</if_sid>
-    <id>^577$</id>
+    <id>^577$|^4673$</id>
     <description>Failed attempt to perform a privileged </description>
     <description>operation.</description>
   </rule>
 
   <rule id="18109" level="3">
     <if_sid>18104</if_sid>
-    <id>^682$|^683$</id>
+    <id>^682$|^683$|^4778$|^4779$</id>
     <description>Session reconnected/disconnected to winstation.</description>
   </rule>
 
   <rule id="18110" level="8">
     <if_sid>18104</if_sid>
-    <id>^624$|^626$|^645$|^4720$|^4722$|^4741$</id>
+    <id>^624$|^626$|^4720$|^4722$</id>
     <description>User account enabled or created.</description>
     <group>adduser,account_changed,</group>
   </rule>
@@ -103,7 +103,7 @@
   
   <rule id="18113" level="8">
     <if_sid>18104</if_sid>
-    <id>^612$|^643$|^4719$|^4907$|^4912$</id>
+    <id>^612$|^643$|^4719$|^4907$|^4912$|^4719$</id>
     <description>Windows Audit Policy changed.</description>
     <group>policy_changed,</group>
   </rule>
@@ -123,7 +123,7 @@
     <if_sid>18104</if_sid>
     <id>^640$</id>
     <description>General account database changed.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com259.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640</info>
     <group>adduser,account_changed,</group>
   </rule>
   
@@ -143,7 +143,7 @@
   
   <rule id="18118" level="9">
     <if_sid>18104</if_sid>
-    <id>^517$</id>
+    <id>^517$|^1102$</id>
     <description>Windows audit log was cleared.</description>
     <group>logs_cleared,</group>
   </rule>
@@ -176,10 +176,10 @@
     <group>authentication_success,</group>
   </rule>
   
-  <rule id="18127" level="8">
+  <rule id="18127" level="5">
     <if_sid>18104</if_sid>
-    <id>^646$|^647$</id>
-    <description>Computer account changed/deleted.</description>
+    <id>^646$|^645$|^647$|^4741$|^4742$|^4743$</id>
+    <description>Computer account added/changed/deleted.</description>
     <group>account_changed,</group>
   </rule>
   
@@ -202,9 +202,9 @@
   <!-- Granular windows login rules -->
   <rule id="18130" level="5">
     <if_sid>18106</if_sid>
-    <id>^529$</id>
+    <id>^529$|^4625$</id>
     <description>Logon Failure - Unknown user or bad password.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com190.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625</info>
     <group>win_authentication_failed,</group>
   </rule>
 
@@ -213,7 +213,7 @@
     <id>^530$</id>
     <description>Logon Failure - Account logon time restriction </description>
     <description>violation.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com191.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530</info>
     <group>win_authentication_failed,login_denied,</group>
   </rule>
 
@@ -221,7 +221,7 @@
     <if_sid>18106</if_sid>
     <id>^531$</id>
     <description>Logon Failure - Account currently disabled.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com192.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531</info>
     <group>win_authentication_failed,login_denied,</group>
   </rule>
 
@@ -229,7 +229,7 @@
     <if_sid>18106</if_sid>
     <id>^532$</id>
     <description>Logon Failure - Specified account expired.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com193.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532</info>
     <group>win_authentication_failed,login_denied,</group>
   </rule>
 
@@ -238,7 +238,7 @@
     <id>^533$</id>
     <description>Logon Failure - User not allowed to login at </description>
     <description>this computer.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com194.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533</info>
     <group>win_authentication_failed,login_denied,</group>
   </rule>
 
@@ -246,7 +246,7 @@
     <if_sid>18106</if_sid>
     <id>^534$</id>
     <description>Logon Failure - User not granted logon type.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com195.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534</info>
     <group>win_authentication_failed,</group>
   </rule>
   
@@ -254,7 +254,7 @@
     <if_sid>18106</if_sid>
     <id>^535$</id>
     <description>Logon Failure - Account's password expired.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com196.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535</info>
     <group>win_authentication_failed,</group>
   </rule>
 
@@ -274,14 +274,14 @@
   
   <rule id="18139" level="5">
     <if_sid>18105</if_sid>
-    <id>^672$|^673$|^675$|^676$|^681$|^4769$</id>
+    <id>^673$|^675$|^681$|^4769$</id>
     <description>Windows DC Logon Failure.</description>
     <group>win_authentication_failed,</group>
   </rule>
   
   <rule id="18140" level="5">
     <if_sid>18104</if_sid>
-    <id>^520$</id>
+    <id>^520$|^4616$</id>
     <description>System time changed.</description>
     <group>time_changed,</group>
   </rule>
@@ -298,7 +298,7 @@
     <if_sid>18104</if_sid>
     <id>^671$|^4767$</id>
     <description>User account unlocked.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/events/com291.html</info>
+    <info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767</info>
     <group>account_changed,</group>
   </rule>
 
@@ -347,7 +347,7 @@
 
   <rule id="18149" level="3">
     <if_sid>18104</if_sid>
-    <id>^538$|^4634$|^4647$</id>
+    <id>^538$|^551$|^4634$|^4647$</id>
     <description>Windows User Logoff.</description>
   </rule>
 
@@ -499,7 +499,7 @@
 
   <rule id="18218" level="5">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-1-0}</regex>
+    <regex> ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0</regex>
     <description>Everyone Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -507,7 +507,7 @@
 
   <rule id="18219" level="12">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-9}</regex>
+    <regex> ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9</regex>
     <description>Enterprise Domain Controllers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -515,7 +515,7 @@
 
   <rule id="18220" level="5">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-11}</regex>
+    <regex> ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11</regex>
     <description>Authenticated Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -523,7 +523,7 @@
 
   <rule id="18221" level="5">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-13}</regex>
+    <regex> ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13</regex>
     <description>Terminal Server Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -531,7 +531,7 @@
 
   <rule id="18222" level="12">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-512}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512</regex>
     <description>Domain Admins Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -539,22 +539,22 @@
 
   <rule id="18223" level="5">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-513}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513</regex>
     <description>Domain Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
   </rule>
 
-    <rule id="18224" level="0">
-      <if_sid>18223,18203</if_sid>
-      <match>Target Account Name: None</match>
-      <description>Local User Group NONE</description>
-      <info>Bogus group user added to upon creation</info>
-    </rule>
+  <rule id="18224" level="0">
+    <if_sid>18223,18203</if_sid>
+    <match>Target Account Name: None</match>
+    <description>Local User Group NONE</description>
+    <info>Bogus group user added to upon creation</info>
+  </rule>
 
   <rule id="18225" level="12">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-514}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514</regex>
     <description>Domain Guests Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -562,7 +562,7 @@
 
   <rule id="18226" level="5">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-515}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515</regex>
     <description>Domain Computers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -570,7 +570,7 @@
 
   <rule id="18227" level="12">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-516}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516</regex>
     <description>Domain Controllers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -578,7 +578,7 @@
 
   <rule id="18228" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-517}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517</regex>
     <description>Cert Publishers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -586,7 +586,7 @@
 
   <rule id="18229" level="12">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\.+-518}</regex>
+    <regex> ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518</regex>
     <description>Schema Admins Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -594,7 +594,7 @@
 
   <rule id="18230" level="12">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-519}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519</regex>
     <description>Enterprise Admins Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -602,7 +602,7 @@
 
   <rule id="18231" level="10">
     <if_sid>18203,18204</if_sid>
-    <regex> ID:\s+%{S-1-5-21\S+-520}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520</regex>
     <description>Group Policy Creator Owners Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -610,7 +610,7 @@
 
   <rule id="18232" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex>\w* ID:\s+%{S-1-5-21\S+-553}</regex>
+    <regex> ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553</regex>
     <description>RAS and IAS Servers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -618,7 +618,7 @@
 
   <rule id="18233" level="5">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-545}</regex>
+    <regex> ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545</regex>
     <description>Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -626,7 +626,7 @@
 
   <rule id="18234" level="12">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-546}</regex>
+    <regex> ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546</regex>
     <description>Guests Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -634,7 +634,7 @@
 
   <rule id="18235" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-547}</regex>
+    <regex> ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547</regex>
     <description>Power Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -642,7 +642,7 @@
 
   <rule id="18236" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-548}</regex>
+    <regex> ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548</regex>
     <description>Account Operators Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -650,7 +650,7 @@
 
   <rule id="18237" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-549}</regex>
+    <regex> ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549</regex>
     <description>Server Operators Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -658,7 +658,7 @@
 
   <rule id="18238" level="8">
     <if_sid>18207,18208</if_sid>
-    <regex>\w* ID:\s+%{S-1-5-32-550}</regex>
+    <regex> ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550</regex>
     <description>Print Operators Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -666,7 +666,7 @@
 
   <rule id="18239" level="12">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-551}</regex>
+    <regex> ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551</regex>
     <description>Backup Operators Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -674,7 +674,7 @@
 
   <rule id="18240" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-552}</regex>
+    <regex> ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552</regex>
     <description>Replicators Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -682,7 +682,7 @@
 
   <rule id="18241" level="8">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-554}</regex>
+    <regex> ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554</regex>
     <description>Pre-Windows 2000 Compatible Access Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -690,7 +690,7 @@
 
   <rule id="18242" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-555}</regex>
+    <regex> ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555</regex>
     <description>Remote Desktop Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -698,7 +698,7 @@
 
   <rule id="18243" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-556}</regex>
+    <regex> ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556</regex>
     <description>Network Configuration Operators Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -706,7 +706,7 @@
 
   <rule id="18244" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-557}</regex>
+    <regex> ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557</regex>
     <description>Incoming Forest Trust Builders Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -714,7 +714,7 @@
 
   <rule id="18245" level="8">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-558}</regex>
+    <regex> ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558</regex>
     <description>Performance Monitor Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -722,7 +722,7 @@
 
   <rule id="18246" level="8">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-559}</regex>
+    <regex> ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559</regex>
     <description>Performance Log Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -730,7 +730,7 @@
 
   <rule id="18247" level="8">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-560}</regex>
+    <regex> ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560</regex>
     <description>Windows Authorization Access Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -738,7 +738,7 @@
 
   <rule id="18248" level="8">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-561}</regex>
+    <regex> ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561</regex>
     <description>Terminal Server License Servers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -746,7 +746,7 @@
 
   <rule id="18249" level="8">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-562}</regex>
+    <regex> ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562</regex>
     <description>Distributed COM Users Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -754,7 +754,7 @@
 
   <rule id="18250" level="12">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-498}</regex>
+    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498</regex>
     <description>Enterprise Read-only Domain Controllers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -762,7 +762,7 @@
 
   <rule id="18251" level="12">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-529}</regex>
+    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529</regex>
     <description>Read-only Domain Controllers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -770,7 +770,7 @@
 
   <rule id="18252" level="12">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-569}</regex>
+    <regex> ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569</regex>
     <description>Cryptographic Operators Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -778,7 +778,7 @@
 
   <rule id="18253" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-571}</regex>
+    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571</regex>
     <description>Allowed RODC Password Replication Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -786,7 +786,7 @@
 
   <rule id="18254" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-572}</regex>
+    <regex> ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572</regex>
     <description>Denied RODC Password Replication Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -794,7 +794,7 @@
 
   <rule id="18255" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-573}</regex>
+    <regex> ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573</regex>
     <description>Event Log Readers Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
@@ -802,18 +802,41 @@
 
   <rule id="18256" level="10">
     <if_sid>18207,18208</if_sid>
-    <regex> ID:\s+%{S-1-5-32-574}</regex>
+    <regex> ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574</regex>
     <description>Certificate Service DCOM Access Group Changed</description>
     <group>group_changed,win_group_changed,</group>
     <info>http://support.microsoft.com/kb/243330</info>
   </rule>
+  
+    <rule id="18257" level="3">
+    <if_sid>18101</if_sid>
+    <id>^200$|^300$|^302$</id>
+    <description>TS Gateway login success.</description>
+    <group>authentication_success,</group>
+    <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
+  </rule>
+
+  <rule id="18258" level="5">
+    <if_sid>18102, 18103</if_sid>
+    <id>^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$</id>
+    <description>TS Gateway login failure.</description>
+    <group>authentication_failed,</group>
+    <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
+  </rule>
+
+  <rule id="18259" level="3">
+    <if_sid>18101</if_sid>
+    <id>^202$|^303$</id>
+    <description>TS Gateway user disconnected.</description>
+    <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
+  </rule>
 
   <!-- Ignore Login events, type 5, from Advapi for:
     -  LOCAL SERVICE and NETWORK SERVICE.
     -->
   <rule id="18121" level="0">
     <if_sid>18107,18149</if_sid>
-    <id>^528$|^538$|^540$</id>
+    <id>^528$|^538$|^540$|^4624$</id>
     <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
     <description>Windows Logon Success (ignored).</description>
   </rule>
@@ -825,7 +848,7 @@
     <match>Failure Code: 0x1F</match>
     <description>Windows DC integrity check on decrypted </description>
     <description>field failed.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
+    <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
     <group>win_authentication_failed,attacks,</group>
   </rule>
   
@@ -833,7 +856,7 @@
     <if_sid>18139</if_sid>
     <match>Failure Code: 0x22</match>
     <description>Windows DC - Possible replay attack.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
+    <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
     <group>win_authentication_failed,attacks,</group>
   </rule>
 
@@ -841,7 +864,7 @@
     <if_sid>18139</if_sid>
     <match>Failure Code: 0x25</match>
     <description>Windows DC - Clock skew too great.</description>
-    <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
+    <!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
     <group>win_authentication_failed,attacks,</group>
   </rule>
 
@@ -861,6 +884,20 @@
     <group>authentication_success,</group>
   </rule>
 
+<!-- Detail logon rules -->
+  <rule id="18260" level="3">
+    <if_sid>18107</if_sid>
+    <id>^4624$</id>
+    <match>Logon Type:   8</match>
+    <description>MS Exchange Logon Success.</description>
+  </rule> 
+  
+  <rule id="18261" level="0">
+    <if_sid>18149</if_sid>
+    <id>^4634$</id>
+    <match>Logon Type:   8</match>
+    <description>User Logoff Exchange.</description>
+  </rule>
   
   
   <!-- Composite rules -->
@@ -897,6 +934,39 @@
     <description>Multiple remote access login failures.</description>
     <group>authentication_failures,</group>
   </rule>
+  
+  <rule id="18157" level="10" frequency="$MS_FREQ" timeframe="240">
+    <if_matched_sid>18258</if_matched_sid>
+    <description>Multiple TS Gateway login failures.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+  <!--
+  Chrome Remote Desktop
+  Created by Kevin Branch
+  Updated by Wazuh
+  -->
+  <rule id="18158" level="5">
+      <if_sid>18103</if_sid>
+      <match>chromoting</match>
+      <regex>: chromoting: \.* Access denied for client: </regex>
+      <description>Chrome Remote Desktop attempt - access denied</description>
+  </rule>
+
+  <rule id="18159" level="5">
+      <if_sid>18101</if_sid>
+      <match>chromoting</match>
+      <regex>: chromoting: \.* Client connected:</regex>
+      <description>Chrome Remote Desktop attempt - connected</description>
+  </rule>
+
+  <rule id="18160" level="5">
+      <if_sid>18101</if_sid>
+      <match>chromoting</match>
+      <regex>: chromoting: \.* Client disconnected:</regex>
+      <description>Chrome Remote Desktop attempt - disconnected</description>
+  </rule>
+
 </group>
 
 <!-- EOF -->