
Added more rules related to Windows Eventlog
danimegar committed May 6, 2020
1 parent c168bd1 commit 169e9e2
Showing 2 changed files with 31 additions and 0 deletions.
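--- a/rules/0590-win-system_rules.xml
+++ b/rules/0590-win-system_rules.xml
@@ -323,4 +323,24 @@
 <options>no_email_alert</options>
 </rule>
 
+<rule id="61139" level="8">
+<if_sid>61102</if_sid>
+<field name="win.system.eventID">^6008$</field>
+<description>Unexpected system shutdown.</description>
+<mitre>
+<id>T1529</id>
+</mitre>
+<options>no_full_log</options>
+</rule>
+
+<rule id="61140" level="7">
+<if_sid>61100</if_sid>
+<field name="win.system.eventID">^1074$</field>
+<description>System has been shutdown by a process/user.</description>
+<mitre>
+<id>T1529</id>
+</mitre>
+<options>no_full_log</options>
+</rule>
+
 </group>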
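Review bot: Rule 61139 tags Event ID 6008 with T1529, yet its own description ("Unexpected system shutdown.") describes a crash or power loss rather than a shutdown an actor initiated, so the MITRE mapping overstates what this event evidences; Event ID 1074 in rule 61140 is the one that records a process/user-initiated shutdown and is the natural fit for T1529. The two rules also chain to different parents (61102 for 61139, 61100 for 61140) and nothing on the page says why — presumably the Windows level of the parent event (6008 is written as Error, 1074 as Information); if that is the reason, a comment such as `<!-- 6008 is logged at Error level, 1074 at Information, hence the different parent rule -->` would save the next maintainer the lookup. Rule 61140 at level 7 will fire on every planned reboot (patching, maintenance), so it is worth documenting the expected volume, or carrying the initiating process and user from the decoded event data into the description if the decoder exposes those fields. The enclosing `<group>` opens outside the hunk.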
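--- a/rules/0610-win-ms_logs_rules.xml
+++ b/rules/0610-win-ms_logs_rules.xml
@@ -81,4 +81,15 @@
 <description>Multiple Eventlog warning events</description>
 <options>no_full_log</options>
 </rule>
+
+<rule id="63108" level="7">
+<if_sid>63100</if_sid>
+<field name="win.system.eventID">^6006$</field>
+<description>The Event log service was stopped.</description>
+<mitre>
+<id>T1529</id>
+</mitre>
+<options>no_full_log</options>
+</rule>
+
 </group>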
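Review bot: Rule 63108 raises a level-7 alert tagged T1529 on Event ID 6006, but 6006 is written by the Event Log service on every clean shutdown, so the rule fires on each graceful reboot and largely duplicates rule 61140 (Event ID 1074) added in rules/0590-win-system_rules.xml by this same commit. If the intent is to notice the event log being stopped while the host keeps running (defense evasion), T1562.002 (Impair Defenses: Disable Windows Event Logging) is the closer technique, and telling that case apart from a normal reboot needs correlation with a shutdown event such as 1074, which a single `<field>` match cannot express. At minimum, a comment making the tuning choice explicit, e.g. `<!-- 6006 is logged on every clean shutdown; expect one alert per reboot -->`, would help whoever triages the volume. The enclosing `<group>` opens outside the hunk.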
