Fix logon alerts triggering #304
Conversation
Let me propose a more specific rule for this purpose. Regarding the event posted here and the Windows event 4624 described here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
We can use the
rules/0220-msauth_rules.xml
Outdated
@@ -1160,6 +1160,16 @@ | |||
<options>no_full_log</options> | |||
</rule> | |||
|
|||
<rule id="20021" level="3"> |
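Review bot: rule 20021 is inserted right after the `</rule>` closing at line 1160 as another child of the same parent, and because sibling rules under one `<if_sid>` are evaluated in file order with the first match winning, a rule placed before a more specific sibling (20019, as the review comment above points out) takes the event and the specific alert never fires; move 20021 after 20019, or give it a condition that the more specific rule does not also satisfy.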
This alert can cause alert 20019 not to appear when a user logs in physically for the first time on the system. I would change their order.
rules/0220-msauth_rules.xml
Outdated
@@ -1160,6 +1160,16 @@ | |||
<options>no_full_log</options> | |||
</rule> | |||
|
|||
<rule id="20021" level="3"> | |||
<if_sid>20007</if_sid> | |||
<field name="EventChannel.EventData.WorkstationName">\.+</field> |
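Review bot: `EventChannel.EventData.WorkstationName` is the old eventchannel field path (see "Old field names" below), so the `<field>` condition will not match events decoded with the current field names and the rule will silently never fire; update the path to the decoder's current name before merging. Separately, `\.+` matches any non-empty value, including the literal `-` that event 4624 reports when no workstation name is available, so this condition does not actually verify that a workstation name exists; use a pattern that rejects `-`.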
Old field names.
This PR solves issue #298 for Windows eventchannel. There is a new rule that checks if the fields workstation name, IP address and IP port exist.
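The ordering problem raised in the review (a presence-only rule masking a more specific sibling) and the `-` caveat for event 4624 fields can both be seen by modelling how sibling rules under one `<if_sid>` are evaluated. The script below is an added example, not code from this PR or from the project: it assumes first-match-in-file-order semantics for siblings, uses the old-style field paths from the hunk, stands in a hypothetical logon-type check for rule 20019 (the page does not show its real condition), translates the OSSEC `\.+` pattern to the Python regex `.+`, and runs over constructed 4624-style events, not real log data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Old-style eventchannel field paths as seen in the PR hunk (an assumption here;
# the review notes these are outdated, so adjust to the decoder's current names).
WS = "EventChannel.EventData.WorkstationName"
IP = "EventChannel.EventData.IpAddress"
PORT = "EventChannel.EventData.IpPort"
LT = "EventChannel.EventData.LogonType"

# Constructed 4624-style events (not real log data). Windows reports "-" for
# fields that do not apply, e.g. no source address on a console logon.
EVENTS: List[Dict[str, str]] = [
    {"name": "console", LT: "2", WS: "WS01", IP: "-", PORT: "-"},
    {"name": "network", LT: "3", WS: "WS02", IP: "10.0.0.5", PORT: "49152"},
    {"name": "no-workstation", LT: "3", WS: "-", IP: "10.0.0.9", PORT: "50000"},
]

# A rule is (id, {field: python_regex}); every listed field must match.
Rule = Tuple[str, Dict[str, str]]

# Hypothetical stand-in for 20019: the page does not show its real condition.
RULE_20019: Rule = ("20019", {LT: r"^2$"})
# The PR's presence check: OSSEC `\.+` ("one or more of any character") is `.+` here.
RULE_20021: Rule = ("20021", {WS: r".+", IP: r".+", PORT: r".+"})
# A stricter presence check that rejects the literal "-" placeholder.
PRESENT = r"^(?!-$).+"
RULE_20021_STRICT: Rule = ("20021", {WS: PRESENT, IP: PRESENT, PORT: PRESENT})


def rule_matches(rule: Rule, event: Dict[str, str]) -> bool:
    """True when every <field> condition of the rule matches the event."""
    _, fields = rule
    return all(field in event and re.search(rx, event[field]) is not None
               for field, rx in fields.items())


def first_match(children: List[Rule], event: Dict[str, str]) -> Optional[str]:
    """Model of sibling evaluation under one if_sid: rules are tried in file
    order and the first match wins; later siblings are not considered."""
    for rule in children:
        if rule_matches(rule, event):
            return rule[0]
    return None


def alerts(children: List[Rule], events: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Map each event name to the rule id that would fire for it."""
    return {e["name"]: first_match(children, e) for e in events}


# Presence rule placed before the specific one (the masking the reviewer warns about)
# versus the specific rule first, as the reviewer suggests.
PR_ORDER: List[Rule] = [RULE_20021, RULE_20019]
REVIEWED_ORDER: List[Rule] = [RULE_20019, RULE_20021]
STRICT_ORDER: List[Rule] = [RULE_20021_STRICT, RULE_20019]

if __name__ == "__main__":
    print("presence rule first:", alerts(PR_ORDER, EVENTS))
    print("specific rule first:", alerts(REVIEWED_ORDER, EVENTS))
    print("strict presence    :", alerts(STRICT_ORDER, EVENTS))
```

With the presence rule first, every event, including the console logon, is claimed by 20021 and the specific alert never fires; with the specific rule first the console logon reaches 20019. The strict variant shows why `-` matters: the console logon carries `-` for address and port, so a presence check that rejects `-` leaves it to 20019 regardless of ordering, and the event with no workstation name produces no presence alert at all.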