From 62f9b9a487ee5b5c3217e6fe5573246b92c311d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A1n=20Jes=C3=BAs=20Pe=C3=B1a=20Rodr=C3=ADguez?=
Date: Tue, 14 May 2019 16:31:15 +0200
Subject: [PATCH 1/3] Added script for map the new security standard
---
 tools/map-security-standard/map_standard.py | 57 +++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 tools/map-security-standard/map_standard.py
diff --git a/tools/map-security-standard/map_standard.py b/tools/map-security-standard/map_standard.py
new file mode 100644
index 000000000..518358823
--- /dev/null
+++ b/tools/map-security-standard/map_standard.py
@@ -0,0 +1,57 @@
+#! /usr/bin/python
+# -*- coding: utf8 -*-
+
+import argparse
+import re
+import os
+import glob
+import json
+
+
+_rules_file_group = re.compile(r'(.*),<\/group>')
+
+
+def pci_to_hipaa(path, schema):
+ if list(path)[-1] != '/':
+ path += '/'
+ with open(schema) as f:
+ json_data = json.load(f)
+ os.chdir(path)
+ for file in glob.glob('*.xml'):
+ print('[INFO] Processing {}'.format(file))
+ with open(file, 'r+') as f:
+ lines = f.readlines()
+ new_file = ''
+ for line in lines:
+ match = re.search(_rules_file_group, line)
+ if match:
+ added = list()
+ for group in match.groups():
+ for pci in group.split(','):
+ if pci in list(json_data.keys()):
+ if json_data[pci] not in group.split(','):
+ if json_data[pci] not in added:
+ added.append(json_data[pci])
+ added.append(',')
+ if len(added) > 1:
+ new_line = line.split(',')
+ new_line.insert(-1, "".join(added[0:-1]))
+ new_line = ",".join(new_line)
+ new_file += new_line
+ else:
+ new_file += line
+ else:
+ new_file += line
+ with open(file, 'w') as f:
+ f.write(new_file)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+
+ parser.add_argument('-p', '--path', type=str, default='../../rules/', help='Rules path')
+ parser.add_argument('-s', '--schema', type=str, default='schema.txt', help='Schema path')
+
+ args = parser.parse_args()
+
+ pci_to_hipaa(args.path, args.schema)
From 760e33116be2766bb828a83d88500983a8eaa318 Mon Sep 17 00:00:00 2001
From: Daniel Ruiz
Date: Wed, 15 May 2019 11:10:09 +0200
Subject: [PATCH 2/3] Rename input arguments
---
 tools/map-security-standard/map_standard.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/map-security-standard/map_standard.py b/tools/map-security-standard/map_standard.py
index 518358823..5037602e3 100644
--- a/tools/map-security-standard/map_standard.py
+++ b/tools/map-security-standard/map_standard.py
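Review bot: The pattern on the `_rules_file_group` line, `(.*),<\/group>`, captures from the start of the line, so on a one-line `<group>…,</group>` entry the first element of `group.split(',')` is the indentation and `<group>` tag glued to the first tag name, and that first tag can only hit a mapping key if the key carries the same prefix; anchoring the capture inside the tag, `_rules_file_group = re.compile(r'<group>(.*),</group>')`, makes every tag on the line a lookup candidate, and if the rule files are laid out differently from the one-line group entries in patch 3 the change is still harmless. In `pci_to_hipaa`, `open(file, 'r+')` opens each rule file read-write although that block only reads it and the rewrite happens through the later `open(file, 'w')`, so `'r'` is the mode that matches the intent. `os.chdir(path)` also changes the working directory for the rest of the process, where `glob.glob(os.path.join(path, '*.xml'))` would avoid the side effect and the `list(path)[-1]` check, which raises IndexError for an empty `--path`. If a mapping value ever holds several HIPAA tags joined by commas, the `json_data[pci] not in group.split(',')` test compares that whole string against single tags and re-adds it on a second run; splitting the value before the membership test keeps the script idempotent.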
@@ -11,7 +11,7 @@
 _rules_file_group = re.compile(r'(.*),<\/group>')
 
 
-def pci_to_hipaa(path, schema):
+def pci_to_any(path, schema):
 if list(path)[-1] != '/':
 path += '/'
 with open(schema) as f:
@@ -50,8 +50,8 @@ def pci_to_hipaa(path, schema):
 parser = argparse.ArgumentParser()
 
 parser.add_argument('-p', '--path', type=str, default='../../rules/', help='Rules path')
- parser.add_argument('-s', '--schema', type=str, default='schema.txt', help='Schema path')
+ parser.add_argument('-m', '--mapping', type=str, default='mapping.json', help='Mapping path')
 
 args = parser.parse_args()
 
- pci_to_hipaa(args.path, args.schema)
+ pci_to_any(args.path, args.mapping)
From 021fa44cada7d88555ccbc659bc187c6bff48d76 Mon Sep 17 00:00:00 2001
From: Daniel Ruiz Date: Wed, 15 May 2019 12:57:40 +0200 Subject: [PATCH 3/3] Add HIPAA groups to ruleset --- rules/0015-ossec_rules.xml | 42 ++-- rules/0020-syslog_rules.xml | 88 ++++----- rules/0030-postfix_rules.xml | 42 ++-- rules/0040-imapd_rules.xml | 8 +- rules/0045-mailscanner_rules.xml | 2 +- rules/0050-ms-exchange_rules.xml | 4 +- rules/0055-courier_rules.xml | 12 +- rules/0060-firewall_rules.xml | 4 +- rules/0065-pix_rules.xml | 42 ++-- rules/0070-netscreenfw_rules.xml | 14 +- rules/0075-cisco-ios_rules.xml | 6 +- rules/0080-sonicwall_rules.xml | 8 +- rules/0085-pam_rules.xml | 18 +- rules/0095-sshd_rules.xml | 36 ++-- rules/0100-solaris_bsm_rules.xml | 8 +- rules/0105-asterisk_rules.xml | 22 +-- rules/0110-ms_dhcp_rules.xml | 24 +-- rules/0115-arpwatch_rules.xml | 14 +- rules/0120-symantec-av_rules.xml | 2 +- rules/0125-symantec-ws_rules.xml | 6 +- rules/0135-hordeimp_rules.xml | 8 +- rules/0140-roundcube_rules.xml | 6 +- rules/0145-wordpress_rules.xml | 6 +- rules/0150-cimserver_rules.xml | 4 +- rules/0155-dovecot_rules.xml | 18 +- rules/0160-vmpop3d_rules.xml | 4 +- rules/0165-vpopmail_rules.xml | 14 +- rules/0170-ftpd_rules.xml | 16 +- rules/0175-proftpd_rules.xml | 30 +-- rules/0180-pure-ftpd_rules.xml | 12 +- rules/0185-vsftpd_rules.xml | 6 +- rules/0190-ms_ftpd_rules.xml | 10 +- rules/0195-named_rules.xml | 48 ++--- rules/0200-smbd_rules.xml | 10 +- rules/0205-racoon_rules.xml | 6 +- rules/0210-vpn_concentrator_rules.xml | 8 +- rules/0215-policy_rules.xml | 4 +- rules/0220-msauth_rules.xml | 214 ++++++++++----------- rules/0225-mcafee_av_rules.xml | 22 +-- rules/0230-ms-se_rules.xml | 24 +-- rules/0235-vmware_rules.xml | 20 +- rules/0240-ids_rules.xml | 4 +- rules/0245-web_rules.xml | 6 +- rules/0250-apache_rules.xml | 46 ++--- rules/0255-zeus_rules.xml | 6 +- rules/0260-nginx_rules.xml | 12 +- rules/0265-php_rules.xml | 14 +- rules/0270-web_appsec_rules.xml | 12 +- rules/0275-squid_rules.xml | 22 +-- rules/0280-attack_rules.xml | 10 +- 
rules/0290-firewalld_rules.xml | 2 +- rules/0295-mysql_rules.xml | 12 +- rules/0300-postgresql_rules.xml | 14 +- rules/0305-dropbear_rules.xml | 18 +- rules/0310-openbsd_rules.xml | 20 +- rules/0315-apparmor_rules.xml | 4 +- rules/0330-sysmon_rules.xml | 26 +-- rules/0345-netscaler_rules.xml | 38 ++-- rules/0350-amazon_rules.xml | 16 +- rules/0360-serv-u_rules.xml | 18 +- rules/0365-auditd_rules.xml | 50 ++--- rules/0390-fortigate_rules.xml | 44 ++--- rules/0395-hp_rules.xml | 4 +- rules/0400-openvpn_rules.xml | 2 +- rules/0405-rsa-auth-manager_rules.xml | 6 +- rules/0420-freeipa_rules.xml | 2 +- rules/0425-cisco-estreamer_rules.xml | 6 +- rules/0440-ms_sqlserver_rules.xml | 242 ++++++++++++------------ rules/0445-identity_guard_rules.xml | 74 ++++---- rules/0450-mongodb_rules.xml | 6 +- rules/0495-proxmox-ve_rules.xml | 6 +- rules/0500-owncloud_rules.xml | 4 +- rules/0525-openvas_rules.xml | 10 +- rules/0530-mysql_audit_rules.xml | 28 +-- rules/0540-pfsense_rules.xml | 4 +- rules/0560-docker_integration_rules.xml | 62 +++--- rules/0580-win-security_rules.xml | 196 +++++++++---------- rules/0590-win-system_rules.xml | 2 +- rules/0595-win-sysmon_rules.xml | 26 +-- rules/0605-win-mcafee_rules.xml | 24 +-- rules/0615-win-ms-se_rules.xml | 24 +-- rules/0620-win-generic_rules.xml | 14 +- 82 files changed, 1014 insertions(+), 1014 deletions(-) diff --git a/rules/0015-ossec_rules.xml b/rules/0015-ossec_rules.xml index c3b874777..9d04f1a88 100755 --- a/rules/0015-ossec_rules.xml +++ b/rules/0015-ossec_rules.xml @@ -20,7 +20,7 @@ alert_by_email Agent started New ossec agent connected. - pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -28,7 +28,7 @@ alert_by_email Ossec started Ossec server started. - pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, 
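Review bot: The mapping that produced these group additions is not part of the series, so the PCI-to-HIPAA correspondence applied here (pci_dss_10.6.1 gaining hipaa_164.312.b, pci_dss_11.5 gaining hipaa_164.312.c.1 and hipaa_164.312.c.2, and likewise in every other rules file of this patch) cannot be checked or regenerated from the repository: the diffstats of patches 1 and 2 list only map_standard.py, whose default input is `mapping.json`, and patch 3 touches only rules/*.xml. Committing tools/map-security-standard/mapping.json next to the script, or at least quoting the mapping in this commit message, would make the 1014 changed lines reviewable against the regulation and reproducible when the next standard is added. A second run of the script over an already-mapped ruleset is also worth checking before merge, since the dedupe depends on the exact tag strings already being present in the group line.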
@@ -36,7 +36,7 @@ alert_by_email Agent started Ossec agent started. - pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -44,7 +44,7 @@ alert_by_email Agent disconnected Ossec agent disconnected. - pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -52,7 +52,7 @@ alert_by_email Agent removed Ossec agent removed. - pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -108,7 +108,7 @@ ^Starting vulnerability scan|^Ending vulnerability scan.| ^Starting Azure-logs scan.|^Ending Azure-logs scan. Ignoring scan messages. - rootcheck,syscheck,pci_dss_10.6.1,gdpr_IV_35.7.d,gdpr_IV_30.1.g, + rootcheck,syscheck,pci_dss_10.6.1,gdpr_IV_35.7.d,gdpr_IV_30.1.g,hipaa_164.312.b, @@ -143,7 +143,7 @@ 500 Duplicated IP Trying to add an agent with duplicated IP. - pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -160,7 +160,7 @@ ossec: output: 'df -P': /dev/ 100% Partition usage reached 100% (disk space monitor). - low_diskspace,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + low_diskspace,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -174,7 +174,7 @@ ossec: output: 'netstat listening ports Listened ports status (netstat) changed (new port opened or closed). - pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -204,28 +204,28 @@ ossec syscheck_integrity_changed Integrity checksum changed. - syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f, + syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2, ossec syscheck_deleted File deleted. - syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f, + syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2, ossec syscheck_new_entry File added to the system. - syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f, + syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2, 500 ^ossec: agentless: Integrity checksum for agentless device changed. - syscheck,agentless,pci_dss_11.5,pci_dss_10.6.1,gpg13_4.11,gdpr_II_5.1.f,gdpr_IV_35.7.d, + syscheck,agentless,pci_dss_11.5,pci_dss_10.6.1,gpg13_4.11,gdpr_II_5.1.f,gdpr_IV_35.7.d,hipaa_164.312.c.1,hipaa_164.312.c.2,hipaa_164.312.b, @@ -233,14 +233,14 @@ ossec hostinfo_modified Host information changed. - hostinfo,pci_dss_10.2.7,gpg13_4.13,gdpr_IV_35.7.d, + hostinfo,pci_dss_10.2.7,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b, ossec hostinfo_new Host information added. - hostinfo,pci_dss_10.2.7,gpg13_4.13, + hostinfo,pci_dss_10.2.7,gpg13_4.13,hipaa_164.312.b, 
@@ -249,28 +249,28 @@ 500 ^ossec: File rotated Log file rotated. - pci_dss_10.5.2,pci_dss_10.5.5,gpg13_10.1,gdpr_II_5.1.f,gdpr_IV_35.7.d, + pci_dss_10.5.2,pci_dss_10.5.5,gpg13_10.1,gdpr_II_5.1.f,gdpr_IV_35.7.d,hipaa_164.312.b, 500 ^ossec: File size reduced Log file size reduced. - attacks,pci_dss_10.5.2,pci_dss_11.4,gpg13_10.1,gdpr_IV_35.7.d, + attacks,pci_dss_10.5.2,pci_dss_11.4,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, 500 ^ossec: Event log cleared Microsoft Event log cleared. - logs_cleared,pci_dss_10.5.2,gpg13_10.1,gdpr_II_5.1.f,gdpr_IV_35.7.d, + logs_cleared,pci_dss_10.5.2,gpg13_10.1,gdpr_II_5.1.f,gdpr_IV_35.7.d,hipaa_164.312.b, ossec 550 syscheck-registry - syscheck,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f, + syscheck,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2, Registry Integrity Checksum Changed @@ -278,7 +278,7 @@ ossec 553 syscheck-registry - syscheck,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f, + syscheck,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2, Registry Entry Deleted. @@ -286,7 +286,7 @@ ossec 554 syscheck-registry - syscheck,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f, + syscheck,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2, Registry Entry Added to the System diff --git a/rules/0020-syslog_rules.xml b/rules/0020-syslog_rules.xml index da7e283da..9aa32b92d 100644 --- a/rules/0020-syslog_rules.xml +++ b/rules/0020-syslog_rules.xml @@ -19,7 +19,7 @@ ^Couldn't open /etc/securetty File missing. Root access unrestricted. - pci_dss_10.2.4,gpg13_4.1,gdpr_IV_35.7.d, + pci_dss_10.2.4,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -36,32 +36,32 @@ ^exiting on signal Syslogd exiting (logging stopped). - pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, syslogd ^restart Syslogd restarted. - pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, ^syslogd \S+ restart Syslogd restarted. - pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_10.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, file system full|No space left on device File system full. - low_diskspace,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d, + low_diskspace,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b, killed by SIGTERM Process exiting (killed). - service_availability,pci_dss_10.6.1,gpg13_4.3,gpg13_4.14,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.3,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -120,7 +120,7 @@ ^Deactivating service xinetd: Excessive number connections to a service. - pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -135,14 +135,14 @@ authinternal failed|Failed to authorize| Wrong password given for|login failed|Auth: Login incorrect| Failed to authenticate user - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, syslog: User authentication failure. more authentication failures;|REPEATED login failures syslog: User missed the password more than one time - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -150,25 +150,25 @@ ^libwrap refused connection| Connection from \S+ denied syslog: Connection blocked by Tcp Wrappers. - access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d, + access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED syslog: Illegal root login. - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, ^ROOT LOGIN on syslog: Physical root login. - pci_dss_10.2.2,gpg13_7.8,gdpr_IV_32.2, + pci_dss_10.2.2,gpg13_7.8,gdpr_IV_32.2,hipaa_164.312.b, ^Authentication passed syslog: Pop3 Authentication passed. - pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -189,7 +189,7 @@ RESULT tag=97 err=49 OpenLDAP authentication failed. - pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -207,7 +207,7 @@ 2550 ^Connection from \S+ on illegal port$ Connection to rshd from unprivileged port. Possible network scan. - connection_attempt,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d, + connection_attempt,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -283,7 +283,7 @@ Promiscuous mode enabled| device \S+ entered promiscuous mode Interface entered in promiscuous(sniffing) mode. - promisc,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d, + promisc,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -310,7 +310,7 @@ Out of Memory: System running out of memory. Availability of the system is in risk. - service_availability,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -340,7 +340,7 @@ 5100 Kernel log daemon terminating - system_shutdown,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d, + system_shutdown,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, System is shutting down. @@ -387,14 +387,14 @@ 2830 REPLACE Crontab entry changed. - pci_dss_10.2.7,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d, + pci_dss_10.2.7,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b, 2832 ^(root) Root's crontab entry changed. - pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_10.2.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_10.2.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -412,14 +412,14 @@ 5300 authentication failure; |failed|BAD su|^- User missed the password to change UID (user id). - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 5301 ^root User missed the password to change UID to root. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -427,7 +427,7 @@ session opened for user root|^'su root'| ^+ \S+ \S+\proot$|^\S+ to root on|^SU \S+ \S+ + \S+ \S+-root$ User successfully changed UID to root. - authentication_success,pci_dss_10.2.5,gpg13_7.6,gpg13_7.8,gpg13_7.9,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.6,gpg13_7.8,gpg13_7.9,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -435,7 +435,7 @@ session opened for user|succeeded for| ^+|^\S+ to |^SU \S+ \S+ + User successfully changed UID. - authentication_success,pci_dss_10.2.5,gpg13_7.6,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.6,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -461,7 +461,7 @@ Integrity Check failed: File could not Problems with the tripwire checking - pci_dss_10.5.5,pci_dss_10.6.1,gdpr_II_5.1.f,gdpr_IV_35.7.d, + pci_dss_10.5.5,pci_dss_10.6.1,gdpr_II_5.1.f,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -472,25 +472,25 @@ ^new group New group added to the system - pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II, ^new user|^new account added New user added to the system - pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II, ^delete user|^account deleted|^remove group Group (or user) deleted from the system - pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II, ^changed user Information from the user was changed - pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.7,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_4.13,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II, @@ -513,14 +513,14 @@ 5400 incorrect password attempt Failed attempt to run sudo - pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 5400 ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND= Successful sudo to ROOT executed - pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2, + pci_dss_10.2.5,pci_dss_10.2.2,gpg13_7.6,gpg13_7.8,gpg13_7.13,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -534,21 +534,21 @@ 5401 3 incorrect password attempts Three failed attempts to run sudo - pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 5400 user NOT in sudoers Unauthorized user attempted to use sudo. - pci_dss_10.2.2,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.2,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 5400 command not allowed Sudo: Command not allowed - pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -618,28 +618,28 @@ 2900 ^install$ New dpkg (Debian Package) requested to install. - pci_dss_10.6.1,gpg13_4.10,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b, 2900 ^status installed$ New dpkg (Debian Package) installed. - config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d, + config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b, 2900 ^remove$|^purge$ Dpkg (Debian Package) removed. - config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d, + config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b, 2900 ^status half-configured$ Dpkg (Debian Package) half configured. - config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d, + config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -659,21 +659,21 @@ 2930,2931 ^Installed - config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d, + config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b, New Yum package installed. 2930,2931 ^Updated - config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d, + config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b, Yum package updated. 2930,2931 ^Erased - config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d, + config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b, Yum package deleted. @@ -694,21 +694,21 @@ 2935 FAILED Possible Disk failure. SCSI controller error. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 2936 failed SCSI RAID ARRAY ERROR, drive failed. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 2936 degraded SCSI RAID is now in a degraded status. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0030-postfix_rules.xml b/rules/0030-postfix_rules.xml index 9b4bfcbdf..690c0e09c 100644 --- a/rules/0030-postfix_rules.xml +++ b/rules/0030-postfix_rules.xml @@ -21,7 +21,7 @@ ^554$ Postfix: Attempt to use mail server as relay (client host rejected). - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -29,7 +29,7 @@ ^550$ Postfix: Rejected by access list (Requested action not taken). - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -37,7 +37,7 @@ ^450$ Postfix: Sender domain is not found (450: Requested mail action not taken). - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -45,7 +45,7 @@ ^503$ Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands). - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -53,14 +53,14 @@ ^504$ Postfix: Recipient address must contain FQDN (504: Command parameter not implemented). - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 3301, 3302 blocked using Postfix: IP Address black-listed by anti-spam (blocked). - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -73,21 +73,21 @@ defer service failure|Resource temporarily unavailable| ^fatal: the Postfix mail system is not running Postfix process error. - service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 3320 authentication failed Postfix SASL authentication failure. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 3300 ^452 Postfix insufficient disk space error. - service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -101,21 +101,21 @@ 3320 ^too many Postfix: too many errors after RCPT from unkown - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 3320 ^terminating on signal Postfix stopped. - service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 3301 Postfix: Multiple relaying attempts of spam. - multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -123,7 +123,7 @@ Postfix: Multiple attempts to send e-mail from a rejected sender IP (access). - multiple_spam,pci_dss_10.6.1,pci_dss_11.4, + multiple_spam,pci_dss_10.6.1,pci_dss_11.4,hipaa_164.312.b, @@ -131,7 +131,7 @@ Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain. - multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -139,7 +139,7 @@ Postfix: Multiple misuse of SMTP service (bad sequence of commands). - multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -147,7 +147,7 @@ Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain. - multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -155,14 +155,14 @@ Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked). - multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + multiple_spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 3332 Postfix: Multiple SASL authentication failures. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -179,21 +179,21 @@ 3395 verification Postfix: hostname verification failed - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 3395 RBL Postfix: RBL lookup error: Host or domain name not found - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 3395 MAIL|does not resolve to address Postfix: Illegal address from unknown sender - spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + spam,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -66,7 +66,7 @@ 5503 PAM: Multiple failed logins in a small period of time. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -79,20 +79,20 @@ login cannot open shared object file: No such file or directory PAM misconfiguration. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, login illegal module type: PAM misconfiguration. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, : password changed for PAM: User changed password. - pci_dss_8.1.2,pci_dss_10.2.5,gpg13_4.13,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_8.1.2,pci_dss_10.2.5,gpg13_4.13,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -104,7 +104,7 @@ 5556 password check failed unix_chkpwd: Password check failed. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_4.3,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_4.3,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, diff --git a/rules/0095-sshd_rules.xml b/rules/0095-sshd_rules.xml index c95d7f86f..59afee758 100644 --- a/rules/0095-sshd_rules.xml +++ b/rules/0095-sshd_rules.xml @@ -76,7 +76,7 @@ 5700 illegal user|invalid user sshd: Attempt to login using a non-existent user - invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -93,7 +93,7 @@ sshd: brute force trying to get access to the system. - authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -115,14 +115,14 @@ 5700 ^Accepted|authenticated.$ sshd: authentication success. - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, 5700 ^Failed|^error: PAM: Authentication sshd: authentication failed. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -135,20 +135,20 @@ 5700 not allowed because sshd: Attempt to login using a denied user. - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 5718 sshd: Multiple access attempts using a denied user. - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 5716 sshd: Multiple authentication failures. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -161,7 +161,7 @@ 5700 Connection closed sshd: ssh connection closed. - pci_dss_10.2.5,gdpr_IV_32.2, + pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -169,7 +169,7 @@ error: buffer_get_bignum2_ret: negative numbers not supported This maybe a bad key in authorized_keys. sshd: key error. - pci_dss_4.1,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_4.1,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.a.2.IV,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II,hipaa_164.312.b, @@ -177,7 +177,7 @@ fatal: buffer_get_bignum2: buffer error This error may relate to ssh key handling. sshd: key error. - pci_dss_4.1,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_4.1,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.a.2.IV,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II,hipaa_164.312.b, @@ -196,7 +196,7 @@ 5700 failed: Address already in use. sshd: Attempt to start sshd when something already bound to the port. - pci_dss_10.6.1,pci_dss_2.2.3,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_2.2.3,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -204,7 +204,7 @@ Authentication service cannot retrieve user credentials May be related to PAM module errors. sshd: Authentication services were not able to retrieve user credentials. - authentication_failed,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -217,7 +217,7 @@ 5700 error: connect to \S+ port \d+ failed: Connection refused sshd: SSHD is not accepting connections. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -237,7 +237,7 @@ 5700 Invalid credentials sshd: User entered incorrect password. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -264,14 +264,14 @@ 5700 ^fatal: Cannot bind any address.$ sshd: cannot bind to configured address. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 5700 set_loginuid failed opening loginuid$ sshd: pam_loginuid could not open loginuid. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -296,7 +296,7 @@ 5700 Connection timed out$ sshd: connection timed out - pci_dss_8.1.5,gdpr_IV_35.7.d, + pci_dss_8.1.5,gdpr_IV_35.7.d,hipaa_164.312.a.1, @@ -339,7 +339,7 @@ 5700 Corrupted MAC on input. sshd: corrupted MAC on input - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0100-solaris_bsm_rules.xml b/rules/0100-solaris_bsm_rules.xml index 1bed2addb..6199fabbc 100644 --- a/rules/0100-solaris_bsm_rules.xml +++ b/rules/0100-solaris_bsm_rules.xml @@ -29,27 +29,27 @@ 6102 ^login Solaris: Login session succeeded. - authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b, 6101 ^login Solaris: Login session failed. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 6102 ^su Solaris: User successfully changed UID. - authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b, 6103 ^su Solaris: User failed to change UID (user id). - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
diff --git a/rules/0105-asterisk_rules.xml b/rules/0105-asterisk_rules.xml index 76e8c00ed..3cc3db32a 100644 --- a/rules/0105-asterisk_rules.xml +++ b/rules/0105-asterisk_rules.xml @@ -38,42 +38,42 @@ 6201 Wrong password Asterisk: Login session failed. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 6201 Username/auth name mismatch Asterisk: Login session failed (invalid user). - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 6201 No matching peer found Asterisk: Login session failed (invalid extension). - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 6211 Asterisk: Multiple failed logins (user enumeration in process). - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 6210 Asterisk: Multiple failed logins. - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 6212 Asterisk: Extension enumeration. - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -82,7 +82,7 @@ 6201 No registration for peer Asterisk: Login session failed (invalid iax user). - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -90,7 +90,7 @@ 6253 Asterisk: Extension IAX Enumeration. - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -98,7 +98,7 @@ 6202 Don't know how to respond via Asterisk: Possible Registration Hijacking. - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -106,7 +106,7 @@ 6201 failed MD5 authentication Asterisk: IAX peer Wrong Password. - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -114,7 +114,7 @@ 6256 Asterisk: Multiple failed logins. - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, diff --git a/rules/0110-ms_dhcp_rules.xml b/rules/0110-ms_dhcp_rules.xml index e66526438..3269648b5 100644 --- a/rules/0110-ms_dhcp_rules.xml +++ b/rules/0110-ms_dhcp_rules.xml @@ -59,21 +59,21 @@ ID,Date,Time,Description,IP Address,Host Name,MAC Address 6300 ^00 MS-DHCP: The log was started. - service_start,pci_dss_10.2.6,gpg13_4.14,gpg13_10.1, + service_start,pci_dss_10.2.6,gpg13_4.14,gpg13_10.1,hipaa_164.312.b, 6300 ^01 MS-DHCP: The log was stopped. - service_availability,pci_dss_10.2.6,gpg13_4.14,gpg13_10.1, + service_availability,pci_dss_10.2.6,gpg13_4.14,gpg13_10.1,hipaa_164.312.b, 6300 ^02 MS-DHCP: The log was temporarily paused due to low disk space. - system_error,pci_dss_10.2.6,gpg13_4.14,gpg13_10.1, + system_error,pci_dss_10.2.6,gpg13_4.14,gpg13_10.1,hipaa_164.312.b, 
@@ -101,21 +101,21 @@ ID,Date,Time,Description,IP Address,Host Name,MAC Address 6300 ^13 MS-DHCP: An IP address was found to be in use on the network. - dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, 6300 ^14 MS-DHCP: A lease request could not be satisfied because the scope's address pool was exhausted. - service_availability,dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + service_availability,dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, 6300 ^15 MS-DHCP: A lease was denied. - dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -158,7 +158,7 @@ ID,Date,Time,Description,IP Address,Host Name,MAC Address 6300 ^22 MS-DHCP: A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. - dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + dhcp_lease_action,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -193,14 +193,14 @@ ID,Date,Time,Description,IP Address,Host Name,MAC Address 6300 ^31 MS-DHCP: DNS update failed. - dhcp_dns_maintenance,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + dhcp_dns_maintenance,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 6300 ^32 MS-DHCP: DNS update successful. - dhcp_dns_maintenance,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + dhcp_dns_maintenance,pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -343,7 +343,7 @@ Server 2008 IPv6 Event ID Meaning 6350 ^11012 MS-DHCP: Audit log paused. - service_availability,pci_dss_10.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_30.1.g, + service_availability,pci_dss_10.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_30.1.g,hipaa_164.312.b, 
@@ -415,7 +415,7 @@ Server 2008 IPv6 Event ID Meaning 6350 ^11023 MS-DHCP: Service not authorized in AD. - dhcp_ipv6,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + dhcp_ipv6,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -429,6 +429,6 @@ Server 2008 IPv6 Event ID Meaning 6350 ^11025 MS-DHCP: Service has not determined if it is authorized in AD. - dhcp_ipv6,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + dhcp_ipv6,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0115-arpwatch_rules.xml b/rules/0115-arpwatch_rules.xml index fb86c857b..09d486723 100644 --- a/rules/0115-arpwatch_rules.xml +++ b/rules/0115-arpwatch_rules.xml @@ -18,28 +18,28 @@ alert_by_email Arpwatch new host detected. - new_host,pci_dss_10.6.1,gdpr_IV_35.7.d, + new_host,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 7200 flip flop Arpwatch: "flip flop" message. IP address/MAC relation changing too often. - ip_spoof,pci_dss_1.3.4,pci_dss_11.4,gdpr_IV_35.7.d, + ip_spoof,pci_dss_1.3.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.a.1, 7200 reaper: pid Arpwatch: exiting. - service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, 7200 changed ethernet address Arpwatch: Changed network interface for ip address. - ip_spoof,pci_dss_1.3.4,pci_dss_11.4,gdpr_IV_35.7.d, + ip_spoof,pci_dss_1.3.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.a.1, @@ -58,21 +58,21 @@ 7200 /dev/bpf0: Permission denied arpwatch probably run with wrong permissions - pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 7200 reused old ethernet address Arpwatch: An IP has reverted to an old ethernet address. - pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 7200 ethernet mismatch Arpwatch: Possible arpspoofing attempt. - ip_spoof,pci_dss_1.3.4,pci_dss_11.4,gdpr_IV_35.7.d, + ip_spoof,pci_dss_1.3.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.a.1, 
diff --git a/rules/0120-symantec-av_rules.xml b/rules/0120-symantec-av_rules.xml index 46d0599fc..4224b82ff 100644 --- a/rules/0120-symantec-av_rules.xml +++ b/rules/0120-symantec-av_rules.xml @@ -30,7 +30,7 @@ 7300, 7301 ^2$|^3$|^4$|^13$ Symantec-AV: Virus scan updated,started or stopped. - pci_dss_5.1,pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_5.1,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0125-symantec-ws_rules.xml b/rules/0125-symantec-ws_rules.xml index 45436757c..190e977c0 100644 --- a/rules/0125-symantec-ws_rules.xml +++ b/rules/0125-symantec-ws_rules.xml @@ -17,21 +17,21 @@ 7400 ^3=2,2=1 Symantec-WS: Login failed accessing the web proxy. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_71,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_71,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 7400 ^3=1,2=1 Symantec-WS: Login success accessing the web proxy. - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, 7415 virtadmin Symantec-WS: Admin Login success to the web proxy. - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, 18101 ^7040$ - policy_changed,pci_dss_10.6,gdpr_IV_35.7.d, + policy_changed,pci_dss_10.6,gdpr_IV_35.7.d,hipaa_164.312.b, Windows: Service startup type was changed. This does not appear to be logged on Windows 2000. @@ -345,7 +345,7 @@ 18104 ^538$|^551$|^4634$|^4647$ Windows User Logoff. - pci_dss_10.2.5,gdpr_IV_32.2, + pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b, 
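Review bot: The rewritten group line of the "Symantec-WS: Login failed accessing the web proxy" rule in the 0125-symantec-ws_rules.xml hunk still carries `gpg13_71`, which looks like a pre-existing typo for `gpg13_7.1` — the two sibling rules in the same hunk spell it `gpg13_7.1`. Since this line is being regenerated anyway, the tag could be corrected in the same change: `authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,`. As written, the rule will not be matched by anything that filters on the `gpg13_7.1` group the other authentication-failure rules use. This is a pre-existing issue rather than one introduced by the HIPAA mapping, so it could also go in a follow-up.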
@@ -355,7 +355,7 @@ ^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$| ^663$|^4759$ Windows: Group Account Created - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -363,14 +363,14 @@ ^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$| ^667$|^4763$ Windows: Group Account Deleted - group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 18200 ^631$|^4727$ Windows: Security Enabled Global Group Created - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631 @@ -378,7 +378,7 @@ 18114 ^632$|^4728$ Windows: Security Enabled Global Group Member Added - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632 
@@ -386,7 +386,7 @@ 18114 ^633$|^4729$ Windows: Security Enabled Global Group Member Removed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633 @@ -394,7 +394,7 @@ 18201 ^634$|^4730$ Windows: Security Enabled Global Group Deleted - group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634 @@ -402,7 +402,7 @@ 18200 ^635$|^4731$ Windows: Security Enabled Local Group Created - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635 @@ -410,7 +410,7 @@ 18114 ^636$|^4732$ Windows: Security Enabled Local Group Member Added - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636 
@@ -418,7 +418,7 @@ 18114 ^637$|^4733$ Windows: Security Enabled Local Group Member Removed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637 @@ -426,7 +426,7 @@ 18201 ^638$|^4734$ Windows: Security Enabled Local Group Deleted - group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638 @@ -434,7 +434,7 @@ 18114 ^639$|^4735$ Windows: Security Enabled Local Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639 @@ -442,7 +442,7 @@ 18114 ^641$|^4737$ Windows: Security Enabled Global Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641 
@@ -450,7 +450,7 @@ 18200 ^658$|^4754$ Windows: Security Enabled Universal Group Created - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658 @@ -458,7 +458,7 @@ 18114 ^659$|^4755$ Windows: Security Enabled Universal Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659 @@ -466,7 +466,7 @@ 18114 ^660$|^4756$ Windows: Security Enabled Universal Group Member Added - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660 @@ -474,7 +474,7 @@ 18114 ^661$|^4757$ Windows: Security Enabled Universal Group Member Removed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661 
@@ -482,7 +482,7 @@ 18201 ^662$|^4758$ Windows: Security Enabled Universal Group Deleted - group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662 @@ -490,7 +490,7 @@ 18207,18208 ID:\s+\p*S-1-5-32-544\s Windows: Administrators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -498,7 +498,7 @@ 18207,18208 ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0\s Windows: Everyone Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -506,7 +506,7 @@ 18207,18208 ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9\s Windows: Enterprise Domain Controllers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -514,7 +514,7 @@ 18207,18208 ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11\s Windows: Authenticated Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -522,7 +522,7 @@ 18207,18208 ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13\s Windows: Terminal Server Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -530,7 +530,7 @@ 18203,18204 ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512\s Windows: Domain Admins Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -538,7 +538,7 @@ 18203,18204 ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513\s Windows: Domain Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -553,7 +553,7 @@ 18203,18204 ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514\s Windows: Domain Guests Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -561,7 +561,7 @@ 18203,18204 ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515\s Windows: Domain Computers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -569,7 +569,7 @@ 18203,18204 ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516\s Windows: Domain Controllers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -577,7 +577,7 @@ 18207,18208 ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517\s Windows: Cert Publishers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -585,7 +585,7 @@ 18203,18204 ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518\s Windows: Schema Admins Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -593,7 +593,7 @@ 18213,18214 ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519\s Windows: Enterprise Admins Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -601,7 +601,7 @@ 18203,18204 ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520\s Windows: Group Policy Creator Owners Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -609,7 +609,7 @@ 18207,18208 ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553\s Windows: RAS and IAS Servers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -617,7 +617,7 @@ 18207,18208 ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545\s Windows: Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -625,7 +625,7 @@ 18207,18208 ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546\s Windows: Guests Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -633,7 +633,7 @@ 18207,18208 ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547\s Windows: Power Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -641,7 +641,7 @@ 18207,18208 ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548\s Windows: Account Operators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -649,7 +649,7 @@ 18207,18208 ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549\s Windows: Server Operators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -657,7 +657,7 @@ 18207,18208 ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550\s Windows: Print Operators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -665,7 +665,7 @@ 18207,18208 ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551\s Windows: Backup Operators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -673,7 +673,7 @@ 18207,18208 ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552\s Windows: Replicators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -681,7 +681,7 @@ 18207,18208 ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554\s Pre-Windows 2000 Compatible Access Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -689,7 +689,7 @@ 18207,18208 ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555\s Windows: Remote Desktop Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -697,7 +697,7 @@ 18207,18208 ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556\s Windows: Network Configuration Operators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -705,7 +705,7 @@ 18207,18208 ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557\s Windows: Incoming Forest Trust Builders Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -713,7 +713,7 @@ 18207,18208 ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558\s Windows: Performance Monitor Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -721,7 +721,7 @@ 18207,18208 ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559\s Windows: Performance Log Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -729,7 +729,7 @@ 18207,18208 ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560\s Windows Authorization Access Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -737,7 +737,7 @@ 18207,18208 ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561\s Windows: Terminal Server License Servers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -745,7 +745,7 @@ 18207,18208 ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562\s Windows: Distributed COM Users Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -753,7 +753,7 @@ 18207,18208 ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498\s Windows: Enterprise Read-only Domain Controllers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -761,7 +761,7 @@ 18207,18208 ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529\s Windows: Read-only Domain Controllers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -769,7 +769,7 @@ 18207,18208 ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569\s Windows: Cryptographic Operators Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -777,7 +777,7 @@ 18207,18208 ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571\s Windows: Allowed RODC Password Replication Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -785,7 +785,7 @@ 18207,18208 ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572\s Windows: Denied RODC Password Replication Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -793,7 +793,7 @@ 18207,18208 ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573\s Windows: Event Log Readers Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 @@ -801,7 +801,7 @@ 18207,18208 ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574\s Windows: Certificate Service DCOM Access Group Changed - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, https://support.microsoft.com/kb/243330 
@@ -810,7 +810,7 @@ 18101 ^200$|^300$|^302$ Windows: TS Gateway login success. - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx @@ -829,7 +829,7 @@ 18102, 18103 ^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$ Windows: TS Gateway login failure. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx @@ -850,7 +850,7 @@ ^528$|^538$|^540$|^4624$ ^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON Windows Logon Success (ignored). - pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -861,7 +861,7 @@ Windows DC integrity check on decrypted field failed. https://web.mit.edu/kerberos/ - win_authentication_failed,attacks,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,attacks,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -869,7 +869,7 @@ Failure Code: 0x22 Windows DC - Possible replay attack. https://web.mit.edu/kerberos/ - win_authentication_failed,attacks,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,attacks,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -877,7 +877,7 @@ Failure Code: 0x25 Windows DC - Clock skew too great. https://web.mit.edu/kerberos/ - win_authentication_failed,attacks,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,attacks,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -885,7 +885,7 @@ 18105 ^18456$ - win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, MS SQL Server Logon Failure. @@ -893,7 +893,7 @@ 18104 ^18454$|^18453$ MS SQL Server Logon Success. - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -902,7 +902,7 @@ ^4624$ Logon Type: 8 MS Exchange Logon Success. - pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -910,7 +910,7 @@ ^4634$ Logon Type: 8 MS Exchange User Logoff. - pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -919,21 +919,21 @@ 18108 Windows: Multiple failed attempts to perform a privileged operation by the same user. - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, win_authentication_failed Multiple Windows Logon Failures. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 18105 Multiple Windows audit failure events. - pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -949,13 +949,13 @@ 18125 Windows: Multiple remote access login failures. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, 18258 Windows: Multiple TS Gateway login failures. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -123,21 +123,21 @@ 30101 mod_security: Access denied|ModSecurity: Access denied ModSecurity: Access attempt blocked. - modsecurity,access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d, + modsecurity,access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, 30118 ModSecurity: Multiple attempts blocked. - modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d, + modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 30101 Resource temporarily unavailable: Apache: without resources to run. - service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -150,13 +150,13 @@ 30200 ^mod_security-message: Access denied ModSecurity: access denied. - modsecurity,access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d, + modsecurity,access_denied,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, 30201 ModSecurity: Multiple attempts blocked. - modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d, + modsecurity,access_denied,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 
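Review bot: Two sibling rules in the first hunk describe the same event class but end up with different HIPAA coverage: "Windows: Multiple remote access login failures" gets `hipaa_164.312.b,hipaa_164.312.a.1,` while "Windows: Multiple TS Gateway login failures" directly below gets only `hipaa_164.312.b,`. The extra `hipaa_164.312.a.1` appears to track the presence of `pci_dss_8.1.5` in the existing group list rather than what the rule detects; the Dropbear rules in the later hunks show the same pattern (every list that carried `pci_dss_8.1.5` gains `hipaa_164.312.a.1`, the one that did not gains only `hipaa_164.312.b`). If this mapping was generated from the PCI tags, a pass over the result per event class (brute-force, auth failure, auth success) would let rules for the same event carry the same HIPAA set, which is what a compliance dashboard grouped by HIPAA control will assume.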
@@ -190,14 +190,14 @@ 30301 AH01630 Apache: Attempt to access forbidden file or directory. - access_denied,pci_dss_6.5.8,pci_dss_10.2.4,gdpr_IV_35.7.d, + access_denied,pci_dss_6.5.8,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, 30301 AH01276 Apache: Attempt to access forbidden directory index. - access_denied,pci_dss_6.5.8,pci_dss_10.2.4,gdpr_IV_35.7.d, + access_denied,pci_dss_6.5.8,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -213,21 +213,21 @@ 30302 AH01617|AH01807|AH01694|AH01695|AH02009|AH02010 Apache: User authentication failed. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 30301 AH01618|AH01808|AH01790 Apache: Attempt to login using a non-existent user. - invalid_login,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 30309 Apache: Multiple authentication failures with invalid user. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -236,28 +236,28 @@ failed to open stream: No such file or directory| Failed opening Apache: Attempt to access an non-existent file (those are reported on the access.log). - unknown_resource,pci_dss_10.2.4,gdpr_IV_35.7.d, + unknown_resource,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, 30301 AH00126 Apache: Invalid URI (bad client request). - invalid_request,pci_dss_10.2.4,gdpr_IV_35.7.d, + invalid_request,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, 30315 Apache: Multiple Invalid URI requests from same source. - invalid_request,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d, + invalid_request,pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 30301 AH00565 Apache: Invalid URI, file name too long. - invalid_request,pci_dss_10.2.4,gdpr_IV_35.7.d, + invalid_request,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -278,7 +278,7 @@ 30301 ModSecurity: Access denied ModSecurity Access denied messages grouped - modsecurity,pci_dss_10.2.4,gdpr_IV_35.7.d, + modsecurity,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0255-zeus_rules.xml b/rules/0255-zeus_rules.xml index 0b304b9cb..52f624a8b 100644 --- a/rules/0255-zeus_rules.xml +++ b/rules/0255-zeus_rules.xml @@ -38,14 +38,14 @@ 31200 ^[\S+ \S+] FATAL: Zeus fatal log. - pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b, 31202 admin:Authentication failure Zeus: Admin authentication failed. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -58,6 +58,6 @@ 31202 Multiple Zeus warnings. - pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0260-nginx_rules.xml b/rules/0260-nginx_rules.xml index 8cde22fc9..1236c4b6f 100644 --- a/rules/0260-nginx_rules.xml +++ b/rules/0260-nginx_rules.xml 
@@ -41,14 +41,14 @@ 31301 accept() failed (53: Software caused connection abort) Nginx: Incomplete client request. - pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 31301 no user/password was provided for basic authentication Nginx: Initial 401 authentication request. - pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -56,14 +56,14 @@ password mismatch, client| was not found in Nginx: Web authentication failed. authentication_failed, - pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 31315 Nginx: Multiple web authentication failures. - authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -76,7 +76,7 @@ 31301 failed (36: File name too long) Nginx: Invalid URI, file name too long. - invalid_request,pci_dss_10.2.4,gdpr_IV_35.7.d, + invalid_request,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -91,7 +91,7 @@ 31301 ModSecurity: Access denied ModSecurity Access denied messages grouped - modsecurity,pci_dss_10.2.4,gdpr_IV_35.7.d, + modsecurity,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0265-php_rules.xml b/rules/0265-php_rules.xml index 465e3ead1..f3ff0f3c4 100644 --- a/rules/0265-php_rules.xml +++ b/rules/0265-php_rules.xml 
@@ -18,14 +18,14 @@ 31301, 30101 PHP Fatal error: PHP Fatal error. - pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d, + pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b, 31301, 30101 PHP Parse error: PHP Parse error. - pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -36,13 +36,13 @@ ^PHP Fatal error: PHP Fatal error. - pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d, + pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b, ^PHP Parse error: PHP Parse error. - pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -75,7 +75,7 @@ PHP internal error (server out of space). alert_by_email low_diskspace, - attack,pci_dss_6.5,pci_dss_10.2.7,gpg13_4.3,gdpr_IV_35.7.d, + attack,pci_dss_6.5,pci_dss_10.2.7,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -93,7 +93,7 @@ d 'includes/SkinTemplate.php' Failed opening required |Call to undefined function PHP internal error (missing file or function). alert_by_email - pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -103,7 +103,7 @@ d 'includes/SkinTemplate.php' 31403, 31406 PHP Parse error. alert_by_email - pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_6.5,pci_dss_6.5.5,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0270-web_appsec_rules.xml b/rules/0270-web_appsec_rules.xml index df79ce25d..de91886b2 100644 --- a/rules/0270-web_appsec_rules.xml +++ b/rules/0270-web_appsec_rules.xml 
@@ -42,7 +42,7 @@ login.php "POST /\S+.php/login.php?cPath= osCommerce login.php bypass attempt. - pci_dss_6.5,pci_dss_11.4,pci_dss_10.2.4,gdpr_IV_35.7.d, + pci_dss_6.5,pci_dss_11.4,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -97,7 +97,7 @@ wp-login.php|/administrator ] "POST \S+wp-login.php| "POST /administrator CMS (WordPress or Joomla) login attempt. - pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.10,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.10,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -105,7 +105,7 @@ 31509 CMS (WordPress or Joomla) brute force attempt. - pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.10,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.10,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -139,14 +139,14 @@ Squid: Multiple attempts to access forbidden file or directory from same source ip. - pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 35007 Squid: Multiple unauthorized attempts to use proxy. - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -154,7 +154,7 @@ Squid: Multiple Bad requests/Invalid syntax. - pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -171,7 +171,7 @@ Squid: Multiple attempts to access a non-existent file. - pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.2.4,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -179,7 +179,7 @@ Squid: Multiple attempts to access a worm/trojan/virus related web site. System probably infected. - pci_dss_10.2.4,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d, + pci_dss_10.2.4,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0280-attack_rules.xml b/rules/0280-attack_rules.xml index df7e8c7fd..f3c07f160 100644 
--- a/rules/0280-attack_rules.xml +++ b/rules/0280-attack_rules.xml @@ -16,7 +16,7 @@ authentication_success $SYS_USERS System user successfully logged to the system. - invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -40,7 +40,7 @@ changed by \(\(null\) "Null" user changed some information. - exploit_attempt,pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2, + exploit_attempt,pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -68,7 +68,7 @@ authentication_failed Multiple authentication failures. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -77,7 +77,7 @@ Multiple authentication failures followed by a success. - pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -96,7 +96,7 @@ Attacks followed by the addition of an user. - pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.2.7,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0290-firewalld_rules.xml b/rules/0290-firewalld_rules.xml index 71b922d8e..388012199 100644 --- a/rules/0290-firewalld_rules.xml +++ b/rules/0290-firewalld_rules.xml @@ -11,7 +11,7 @@ ^firewalld firewalld grouping - pci_dss_1.4, + pci_dss_1.4,hipaa_164.312.a.1, diff --git a/rules/0295-mysql_rules.xml b/rules/0295-mysql_rules.xml index ece206f73..a0c8cde5e 100644 --- a/rules/0295-mysql_rules.xml +++ b/rules/0295-mysql_rules.xml 
@@ -17,14 +17,14 @@ 50100 ^MySQL log: \d+ \S+ \d+ Connect MySQL: authentication success. - authentication_success,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II, 50105 Access denied for user MySQL: authentication failure. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II, @@ -37,14 +37,14 @@ 50100 ^MySQL log: \d+ \S+ \d+ Quit MySQL: User disconnected from database. - pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + pci_dss_10.2.5,pci_dss_8.7,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II, 50100 mysqld ended|Shutdown complete MySQL: shutdown message. - service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -65,13 +65,13 @@ 50125 Fatal error: MySQL: fatal error. - service_availability,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b, 50125 MySQL: Multiple errors. - service_availability,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0300-postgresql_rules.xml b/rules/0300-postgresql_rules.xml index 0e26bc578..7d30e1967 100644 --- a/rules/0300-postgresql_rules.xml +++ b/rules/0300-postgresql_rules.xml @@ -35,7 +35,7 @@ 50500 ^FATAL PostgreSQL error message. - pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 
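Review bot: The MySQL authentication and "User disconnected from database" rules in the first two hunks are the only lists in this chunk that receive `hipaa_164.312.d,hipaa_164.312.e.1,hipaa_164.312.e.2.I,hipaa_164.312.e.2.II` in addition to `hipaa_164.312.b`, and they are also the only lists carrying `pci_dss_8.7`, so these four tags look to be driven by that single PCI tag. 164.312.e.1 and e.2.* are transmission-security controls, and attaching them to a client disconnect event is worth a manual check before merge; the authentication success/failure rules are easier to justify under 164.312.d. If they are kept, a short comment in the schema that maps `pci_dss_8.7` explaining the rationale would save the next reviewer the same question.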
@@ -54,40 +54,40 @@ 50501 connection authorized PostgreSQL: Database authentication success. - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, 50504 authentication failed PostgreSQL: Database authentication failure. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 50504 terminating connection due PostgreSQL: Database shutdown message. - service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, 50501 aborting any active transactions|shutting down PostgreSQL: Database shutdown message. - service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b, 50504 PostgreSQL: Multiple database errors. - service_availability,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.3,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 50503 PostgreSQL: Multiple database errors. - service_availability,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.3,gdpr_IV_35.7.d, + service_availability,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0305-dropbear_rules.xml b/rules/0305-dropbear_rules.xml index afb05c4e0..c670fe226 100644 --- a/rules/0305-dropbear_rules.xml +++ b/rules/0305-dropbear_rules.xml 
@@ -30,42 +30,42 @@ 51000 bad password attempt for Dropbear: Bad password attempt. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, 51000 attempt for nonexistent user Dropbear: Bad password attempt for non existent user. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, authentication_failed Dropbear: dropbear brute force attempt. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, 51000 exit after auth \(\S+\): Disconnect received Dropbear: User disconnected. - pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, 51000 exit before auth Dropbear: Client exited before authentication. - recon,pci_dss_10.6.1,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + recon,pci_dss_10.6.1,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, 51000 Dropbear: brute force attempt. - authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, 
@@ -73,21 +73,21 @@ 51000 Incompatible remote version Dropbear: Incompatible remote version. - recon,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + recon,pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 51000 password auth succeeded for Dropbear: User successfully logged in using a password. - authentication_success,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, 51000 Pubkey auth succeeded Dropbear: User successfully logged in using a public key. - authentication_success,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, diff --git a/rules/0310-openbsd_rules.xml b/rules/0310-openbsd_rules.xml index 0400f1953..91e0e6701 100644 --- a/rules/0310-openbsd_rules.xml +++ b/rules/0310-openbsd_rules.xml @@ -42,14 +42,14 @@ 51500 was not properly unmounted A filesystem was not properly unmounted, likely system crash - pci_dss_10.2.7,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.2.7,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 51500 UKC> quit UKC was used, possibly modifying a kernel at boot time. - pci_dss_10.2.7,gpg13_4.12,gdpr_IV_35.7.d, + pci_dss_10.2.7,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -76,14 +76,14 @@ 51500 Critical temperature, shutting down System shutdown due to temperature - pci_dss_10.2.7,gpg13_4.1,gdpr_IV_35.7.d, + pci_dss_10.2.7,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b, 51500 _AL0[0] _PR0 failed Unknown ACPI event (bug 6299 in OpenBSD bug tracking system). - pci_dss_10.2.7,pci_dss_6.2,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.2.7,pci_dss_6.2,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -142,14 +142,14 @@ groupdel Grouping for groupdel rules. - groupdel,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_32.2, + groupdel,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 51521 group deleted Group deleted. - groupdel,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + groupdel,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -174,7 +174,7 @@ bsd_kernel uncorrectable data error reading fsbn Hard drive is dying. - pci_dss_10.2.7,gpg13_4.3,gdpr_IV_35.7.d, + pci_dss_10.2.7,gpg13_4.3,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -189,7 +189,7 @@ bsd_kernel duplicate IP6 address Duplicate IPv6 address. - pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d, + pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -203,14 +203,14 @@ ^hotplugd Permission denied$ hotplugd could not open a file. - pci_dss_10.2.4,gpg13_4.6,gdpr_IV_35.7.d, + pci_dss_10.2.4,gpg13_4.6,gdpr_IV_35.7.d,hipaa_164.312.b, open-userdel user removed: name= User account deleted. - account_changed,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + account_changed,pci_dss_10.2.5,pci_dss_8.1.2,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II, diff --git a/rules/0315-apparmor_rules.xml b/rules/0315-apparmor_rules.xml index 0bdeabde6..483472c96 100644 --- a/rules/0315-apparmor_rules.xml +++ b/rules/0315-apparmor_rules.xml @@ -32,14 +32,14 @@ 52002 exec Apparmor DENIED exec operation. - pci_dss_10.2.7,pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.2.7,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 52002 mknod Apparmor DENIED mknod operation. - pci_dss_10.2.7,pci_dss_10.6.1,gdpr_IV_35.7.d, + pci_dss_10.2.7,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0330-sysmon_rules.xml b/rules/0330-sysmon_rules.xml index 6f9db648b..38253db94 100644 --- a/rules/0330-sysmon_rules.xml 
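Review bot: The order of the added HIPAA tags differs between rules that cover the same control set: the groupdel lists in the first hunk end with `hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,`, while the "User account deleted" list in the last hunk ends with `hipaa_164.312.b,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,`; the Windows group-changed rules earlier in this diff follow the first ordering. The order presumably has no effect on matching, since the group list is read as a set, but it mirrors the position of the source PCI tags and makes grep-based audits and future diffs of these lists noisier than they need to be. Emitting the generated tags in a fixed (for example sorted) order would give one canonical form per control set.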
+++ b/rules/0330-sysmon_rules.xml @@ -128,7 +128,7 @@ sysmon_event1 svchost.exe Sysmon - Suspicious Process - svchost.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -142,7 +142,7 @@ sysmon_event1 lsm.exe Sysmon - Suspicious Process - lsm.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -155,7 +155,7 @@ sysmon_event1 lsm.exe Sysmon - Suspicious Process - lsm.exe is a Parent Image - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -163,7 +163,7 @@ sysmon_event1 csrss.exe Sysmon - Suspicious Process - csrss.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -177,7 +177,7 @@ sysmon_event1 lsass.exe Sysmon - Suspicious Process - lsass - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -190,7 +190,7 @@ sysmon_event1 lsass.exe Sysmon - Suspicious Process - lsass.exe is a Parent Image - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -198,7 +198,7 @@ sysmon_event1 winlogon.exe Sysmon - Suspicious Process - winlogon.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -212,7 +212,7 @@ sysmon_event1 wininit.exe Sysmon - Suspicious Process - wininit - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -226,7 +226,7 @@ sysmon_event1 smss.exe Sysmon - Suspicious Process - smss.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -240,7 +240,7 @@ sysmon_event1 taskhost.exe Sysmon - Suspicious Process - taskhost.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, 
@@ -254,7 +254,7 @@ sysmon_event1 /services.exe Sysmon - Suspicious Process - services.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -268,7 +268,7 @@ sysmon_event1 dllhost.exe Sysmon - Suspicious Process - dllhost.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -282,7 +282,7 @@ sysmon_event1 \\explorer.exe Sysmon - Suspicious Process - explorer.exe - pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d, + pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b, diff --git a/rules/0345-netscaler_rules.xml b/rules/0345-netscaler_rules.xml index bd308845f..37d1e9b46 100644 --- a/rules/0345-netscaler_rules.xml +++ b/rules/0345-netscaler_rules.xml @@ -24,14 +24,14 @@ id (Decoder): AAA, UI, API, SSLVPN, EVENT, SSLLOG, APPFW, TCP, ROUTING, SNMP, AC 80100 AAA LOGIN_FAILED Netscaler: AAA module failed to login the user - authentication_failed,netscaler-aaa,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_3.3,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failed,netscaler-aaa,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gpg13_3.3,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 80101 Netscaler: Multiple AAA failed to login the user - authentication_failures,netscaler-aaa,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gpg13_3.3,gdpr_IV_35.7.d,gdpr_IV_32.2, + authentication_failures,netscaler-aaa,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gpg13_3.3,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -80,7 +80,7 @@ id (Decoder): AAA, UI, API, SSLVPN, EVENT, SSLLOG, APPFW, TCP, ROUTING, SNMP, AC 80100 SSLVPN LOGIN Netscaler: SSLVPN login succeeds - netscaler-sslvpn,authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gpg13_3.6,gdpr_IV_32.2, + netscaler-sslvpn,authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gpg13_3.6,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -36,7 +36,7 @@ ID: 80200 - 80499 80202 \.+ AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName). Error: $(aws.errorCode). - aws_cloudtrail,pci_dss_10.6.1,amazon-error,gdpr_IV_35.7.d, + aws_cloudtrail,pci_dss_10.6.1,amazon-error,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -46,7 +46,7 @@ ID: 80200 - 80499 80203 AccessDenied AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName). Error: $(aws.errorCode). - aws_cloudtrail,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + aws_cloudtrail,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -54,13 +54,13 @@ ID: 80200 - 80499 80202 DeleteObjects AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName). - aws_cloudtrail,pci_dss_10.6.1,gdpr_IV_35.7.d, + aws_cloudtrail,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, 80251 AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - high number of deleted object. - aws_cloudtrail,pci_dss_10.6.1,gdpr_IV_35.7.d, + aws_cloudtrail,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -68,20 +68,20 @@ ID: 80200 - 80499 80202 ConsoleLogin AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User Login Success. - aws_cloudtrail,authentication_success,pci_dss_10.2.5,gdpr_IV_32.2, + aws_cloudtrail,authentication_success,pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b, 80253 Failure AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User Login failed. - aws_cloudtrail,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + aws_cloudtrail,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 80254 AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - Possible breaking attempt (high number of login attempts). - aws_cloudtrail,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + aws_cloudtrail,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
diff --git a/rules/0360-serv-u_rules.xml b/rules/0360-serv-u_rules.xml index d85c69131..cfd5f5667 100644 --- a/rules/0360-serv-u_rules.xml +++ b/rules/0360-serv-u_rules.xml 
@@ -68,7 +68,7 @@ TypeMessage: 02 logged in Serv-U: User logged in - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, - - - - - - - sqlserver - SQL Server messages. - - - - - - 85000 - Starting up database - Starting up database. - - - - - - - 85000 - Attempting to load library - Attempting to load library. - sqlserverlibraries, - - - - - 85000 - Server process ID is - SQL Server process ID. - sqlserver_process_id, - - - - - 85000 - Login succeeded for user - SQL Server login success. - sqlserver_login,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, - - - - - - 85000 - Login failed for user - SQL Server login failed. - sqlserver_login, authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, - - - - 85005 - - SQL Server: Multiple authentication failures. - identityguard_login,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, - - - - - - 85000 - Using - SQL Server library use. - sqlserverlibraries, - - - - - - 85000 - The SQL Server Network Interface library could not register the Service Principal Name - SQL Server Network Interface library unregistered - sqlservererror, sqlserverlibraries,gdpr_IV_35.7.d, - - - - - - 85000 - Error: - SQL Server error. - sqlservererror,gdpr_IV_35.7.d, - - - - - - 85000 - FILESTREAM: - SQL Server filestream information. - sqlservererror, - - - + + + + + + + + sqlserver + SQL Server messages. + + + + + + 85000 + Starting up database + Starting up database. + + + + + + + 85000 + Attempting to load library + Attempting to load library. + sqlserverlibraries, + + + + + 85000 + Server process ID is + SQL Server process ID. + sqlserver_process_id, + + + + + 85000 + Login succeeded for user + SQL Server login success. 
+ sqlserver_login,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, + + + + + + 85000 + Login failed for user + SQL Server login failed. + sqlserver_login, authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, + + + + 85005 + + SQL Server: Multiple authentication failures. + identityguard_login,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, + + + + + + 85000 + Using + SQL Server library use. + sqlserverlibraries, + + + + + + 85000 + The SQL Server Network Interface library could not register the Service Principal Name + SQL Server Network Interface library unregistered + sqlservererror, sqlserverlibraries,gdpr_IV_35.7.d, + + + + + + 85000 + Error: + SQL Server error. + sqlservererror,gdpr_IV_35.7.d, + + + + + + 85000 + FILESTREAM: + SQL Server filestream information. + sqlservererror, + + + diff --git a/rules/0445-identity_guard_rules.xml b/rules/0445-identity_guard_rules.xml index 579c838b9..2db06d10d 100644 --- a/rules/0445-identity_guard_rules.xml +++ b/rules/0445-identity_guard_rules.xml 
@@ -1,37 +1,37 @@ - - - - - - - - - identity_guard - Identity Guard Log. - - - - - - 85500 - failed authentication - Identity Guard: User authentication failed. - identityguard_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, - - - - - 85501 - - Identity Guard: Multiple authentication failures. - identityguard_login,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, - - - + + + + + + + + + identity_guard + Identity Guard Log. + + + + + + 85500 + failed authentication + Identity Guard: User authentication failed. + identityguard_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, + + + + + 85501 + + Identity Guard: Multiple authentication failures. + identityguard_login,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, + + + diff --git a/rules/0450-mongodb_rules.xml b/rules/0450-mongodb_rules.xml index 4dc4fe691..66831f03f 100644 --- a/rules/0450-mongodb_rules.xml +++ b/rules/0450-mongodb_rules.xml @@ -101,7 +101,7 @@ D Debug, for All Verbosity Levels > 0 ACCESS Successfully authenticated MongoDB: Successfully authentication - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -63,7 +63,7 @@ ^528$|^540$|^673$|^4624$|^4769$ Windows Logon Success no_full_log - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -71,7 +71,7 @@ ^577$|^4673$ Failed attempt to perform a privileged operation no_full_log - authentication_success,pci_dss_10.2.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.2,gdpr_IV_32.2,hipaa_164.312.b, 
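Review bot: The `@@ -1,37 +1,37 @@` hunk for rules/0445-identity_guard_rules.xml removes and re-adds every line of the file although only the two `<group>` lines for rules 85500 and 85501 actually gain `hipaa_164.312.b,`; the SQL Server rules section just above (the `- sqlserver - SQL Server messages.` … `+ sqlserver …` block) shows the same whole-file pattern. That usually means the generator rewrote line endings or whitespace rather than content, which hides the substantive change from review and from `git blame` on a ruleset that detection engineers audit line by line. I would regenerate these two files preserving the original newline style (for example opening them with `newline=''` for both read and write) or, if a normalization is intended, commit it as its own change so the compliance-tag diff stays a two-line diff.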
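Review bot: In the Windows hunk `@@ -71,7 +71,7 @@`, the rule described as `Failed attempt to perform a privileged operation` (`^577$|^4673$`) now reads `authentication_success,pci_dss_10.2.2,gdpr_IV_32.2,hipaa_164.312.b,`, so the new HIPAA tag is appended to a group list whose first group contradicts the rule's own description. The `hipaa_164.312.b` audit-controls tag itself looks right for a privileged-operation failure, and the mislabelled `authentication_success` group predates this commit, but since these group names drive dashboards and compliance views it is worth correcting in a follow-up (a failure-oriented group such as the `authentication_failed` used elsewhere in this file) before more standards are derived from it. The enclosing `<rule>` element starts and ends outside the visible hunk lines.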
@@ -81,7 +81,7 @@ ^682$|^683$|^4778$|^4779$ Session reconnected/disconnected to winstation no_full_log - authentication_success,pci_dss_8.1.5,gdpr_IV_35.7.d, + authentication_success,pci_dss_8.1.5,gdpr_IV_35.7.d,hipaa_164.312.a.1, @@ -90,7 +90,7 @@ User account enabled or created no_full_log adduser,account_changed, - pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -99,7 +99,7 @@ User account changed no_full_log account_changed, - pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -107,7 +107,7 @@ ^630$|^629$|^4725$|^4726$ User account disabled or deleted no_full_log - adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -115,7 +115,7 @@ ^612$|^643$|^4719$|^4907$|^4912$|^4719$ Windows Audit Policy changed no_full_log - policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -127,7 +127,7 @@ |^665$|^4761$|^666$|^4762$ Group Account Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -135,7 +135,7 @@ ^640$ General account database changed no_full_log - adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -143,7 +143,7 @@ ^644$|^4740$ User account locked out (multiple login errors) no_full_log - authentication_failures,pci_dss_8.1.6,pci_dss_11.4,gpg13_7.5,gdpr_IV_35.7.d, + authentication_failures,pci_dss_8.1.6,pci_dss_11.4,gpg13_7.5,gdpr_IV_35.7.d,hipaa_164.312.a.1, @@ -159,7 +159,7 @@ ^517$|^1102$ Windows audit log was cleared no_full_log - logs_cleared,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + logs_cleared,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -168,7 +168,7 @@ ^2$ Windows Workstation Logon Success no_full_log - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -177,7 +177,7 @@ First time this user logged in this system no_full_log - authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2, + authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b, @@ -192,7 +192,7 @@ ^646$|^645$|^647$|^4741$|^4742$|^4743$ Computer account added/changed/deleted no_full_log - account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -201,7 +201,7 @@ ^529$|^4625$ Logon Failure - Unknown user or bad password no_full_log - win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, 
@@ -209,7 +209,7 @@ ^530$ Logon Failure - Account logon time restriction violation no_full_log - win_authentication_failed,login_denied,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,login_denied,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, @@ -217,7 +217,7 @@ ^531$ Logon Failure - Account currently disabled no_full_log - win_authentication_failed,login_denied,pci_dss_10.2.5,pci_dss_8.1.4,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,login_denied,pci_dss_10.2.5,pci_dss_8.1.4,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, @@ -225,7 +225,7 @@ ^532$ Logon Failure - Specified account expired no_full_log - win_authentication_failed,login_denied,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,login_denied,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, @@ -233,7 +233,7 @@ ^533$ Logon Failure - User not allowed to login at this computer no_full_log - win_authentication_failed,login_denied,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,login_denied,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -241,7 +241,7 @@ ^534$ Logon Failure - User not granted logon type no_full_log - win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -249,7 +249,7 @@ ^535$ Logon Failure - Account's password expired no_full_log - win_authentication_failed,pci_dss_10.2.5,pci_dss_8.2.4,gpg13_7.5,gdpr_IV_32.2, + win_authentication_failed,pci_dss_10.2.5,pci_dss_8.2.4,gpg13_7.5,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.d, 
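Review bot: The logon-failure rules in `@@ -209`, `@@ -217` and `@@ -225` end their group lists with `hipaa_164.312.b,hipaa_164.312.a.1,`, while the account and group rules earlier in the same file (`@@ -90`, `@@ -99`, `@@ -127` and onward) end with `hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,` — the HIPAA tags appear in the order their source PCI tags are encountered rather than in a canonical order. Presumably this is how the mapping tool emits them; sorting the appended tags (or appending them in the schema's declared order) would make the same tag set render identically on every rule, keep future regenerations diff-stable, and make it easier to grep for a given HIPAA control across the ruleset. The same applies to the `@@ -249` rule, where `hipaa_164.312.b,hipaa_164.312.d,` is the only occurrence of that pair and its order cannot be checked against another rule.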
@@ -257,7 +257,7 @@ ^536$|^537$ Logon Failure - Internal error no_full_log - win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -265,7 +265,7 @@ ^539$ Logon Failure - Account locked out no_full_log - win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.6,gpg13_7.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.6,gpg13_7.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, @@ -273,7 +273,7 @@ ^673$|^675$|^681$|^4769$ Windows DC Logon Failure no_full_log - win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2, + win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b, @@ -281,7 +281,7 @@ ^520$|^4616$ System time changed no_full_log - time_changed,pci_dss_10.6.1,gpg13_1.3,gpg13_4.13,gdpr_IV_35.7.d, + time_changed,pci_dss_10.6.1,gpg13_1.3,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b, @@ -289,7 +289,7 @@ ^671$|^4767$ User account unlocked no_full_log - account_changed,pci_dss_10.2.5,pci_dss_8.1.6,gpg13_7.10,gdpr_IV_32.2, + account_changed,pci_dss_10.2.5,pci_dss_8.1.6,gpg13_7.10,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1, @@ -297,7 +297,7 @@ ^631$|^635$|^658$ Security enabled group created no_full_log - adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -305,7 +305,7 @@ ^634$|^638$|^662$ Security enabled group deleted no_full_log - adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -320,7 +320,7 @@ ^538$|^551$|^4634$|^4647$ Windows User Logoff no_full_log - pci_dss_10.2.5,gdpr_IV_32.2, + pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b, @@ -330,7 +330,7 @@ ^4749$|^663$|^4759$ Group Account Created no_full_log - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -339,7 +339,7 @@ ^657$|^4753$|^667$|^4763$ Group Account Deleted no_full_log - group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -347,7 +347,7 @@ ^631$|^4727$ Security Enabled Global Group Created no_full_log - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -355,7 +355,7 @@ ^632$|^4728$ Security Enabled Global Group Member Added $(win.eventdata.memberSid) no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -363,7 +363,7 @@ ^633$|^4729$ Security Enabled Global Group Member Removed $(win.eventdata.memberSid) no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -371,7 +371,7 @@ ^635$|^4731$ Security Enabled Local Group Created $(win.eventdata.memberSid) no_full_log - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -379,7 +379,7 @@ ^636$|^4732$ Security Enabled Local Group Member Added $(win.eventdata.memberSid) no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -387,7 +387,7 @@ ^637$|^4733$ Security Enabled Local Group Member Removed $(win.eventdata.memberSid) no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -395,7 +395,7 @@ ^638$|^4734$ Security Enabled Local Group Deleted no_full_log - group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -403,7 +403,7 @@ ^639$|^4735$ Security Enabled Local Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -411,7 +411,7 @@ ^641$|^4737$ Security Enabled Global Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -419,7 +419,7 @@ ^658$|^4754$ Security Enabled Universal Group Created no_full_log - group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -427,7 +427,7 @@ ^659$|^4755$ Security Enabled Universal Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -435,7 +435,7 @@ ^660$|^4756$ Security Enabled Universal Group Member Added no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -443,7 +443,7 @@ ^661$|^4757$ Security Enabled Universal Group Member Removed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -451,7 +451,7 @@ ^662$|^4758$ Security Enabled Universal Group Deleted no_full_log - group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -459,7 +459,7 @@ ^\p*S-1-5-32-544$ Administrators Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -467,7 +467,7 @@ ^%{S-1-1-0}$|^S-1-1-0$ Everyone Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -475,7 +475,7 @@ ^%{S-1-5-9}$|^S-1-5-9$ Enterprise Domain Controllers Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -483,7 +483,7 @@ ^%{S-1-5-11}$|^S-1-5-11$ Authenticated Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -491,7 +491,7 @@ ^%{S-1-5-13}$|^S-1-5-13$ Terminal Server Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -499,7 +499,7 @@ ^%{S-1-5-21\S+-512}$|^S-1-5-21\S+-512$ Domain Admins Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -507,7 +507,7 @@ ^%{S-1-5-21\S+-513}$|^S-1-5-21\S+-513$ Domain Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -523,7 +523,7 @@ ^%{S-1-5-21\S+-514}$|^S-1-5-21\S+-514$ Domain Guests Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -531,7 +531,7 @@ ^%{S-1-5-21\S+-515}$|^S-1-5-21\S+-515$ Domain Computers Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -539,7 +539,7 @@ ^%{S-1-5-21\S+-516}$|^S-1-5-21\S+-516$ Domain Controllers Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -547,7 +547,7 @@ ^%{S-1-5-21\S+-517}$|^S-1-5-21\S+-517$ Cert Publishers Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -555,7 +555,7 @@ ^%{S-1-5-21\S+-518}$|^S-1-5-21\S+-518$ Schema Admins Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -563,7 +563,7 @@ ^%{S-1-5-21\S+-519}$|^S-1-5-21\S+-519$ Enterprise Admins Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -571,7 +571,7 @@ ^%{S-1-5-21\S+-520}$|^S-1-5-21\S+-520$ Group Policy Creator Owners Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -579,7 +579,7 @@ ^%{S-1-5-21\S+-553}$|^S-1-5-21\S+-553$ RAS and IAS Servers Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -587,7 +587,7 @@ ^%{S-1-5-32\S+-545}$|^S-1-5-32\S+-545$ Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -595,7 +595,7 @@ ^%{S-1-5-32\S+-546}$|^S-1-5-32\S+-546$ Guests Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -603,7 +603,7 @@ ^%{S-1-5-32\S+-547}$|^S-1-5-32\S+-547$ Power Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -611,7 +611,7 @@ ^%{S-1-5-32\S+-548}$|^S-1-5-32\S+-548$ Account Operators Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -619,7 +619,7 @@ ^%{S-1-5-32\S+-549}$|^S-1-5-32\S+-549$ Server Operators Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -627,7 +627,7 @@ ^%{S-1-5-32\S+-550}$|^S-1-5-32\S+-550$ Print Operators Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -635,7 +635,7 @@ ^%{S-1-5-32\S+-551}$|^S-1-5-32\S+-551$ Backup Operators Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -643,7 +643,7 @@ ^%{S-1-5-32\S+-552}$|^S-1-5-32\S+-552$ Replicators Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -651,7 +651,7 @@ ^%{S-1-5-32\S+-554}$|^S-1-5-32\S+-554$ Pre-Windows 2000 Compatible Access Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -659,7 +659,7 @@ ^%{S-1-5-32\S+-555}$|^S-1-5-32\S+-555$ Remote Desktop Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -667,7 +667,7 @@ ^%{S-1-5-32\S+-556}$|^S-1-5-32\S+-556$ Network Configuration Operators Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -675,7 +675,7 @@ ^%{S-1-5-32\S+-557}$|^S-1-5-32\S+-557$ Incoming Forest Trust Builders Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -683,7 +683,7 @@ ^%{S-1-5-32\S+-558}$|^S-1-5-32\S+-558$ Performance Monitor Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -691,7 +691,7 @@ ^%{S-1-5-32\S+-559}$|^S-1-5-32\S+-559$ Performance Log Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -699,7 +699,7 @@ ^%{S-1-5-32\S+-560}$|^S-1-5-32\S+-560$ Windows Authorization Access Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -707,7 +707,7 @@ ^%{S-1-5-32\S+-561}$|^S-1-5-32\S+-561$ Terminal Server License Servers Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -715,7 +715,7 @@ ^%{S-1-5-32\S+-562}$|^S-1-5-32\S+-562$ Distributed COM Users Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, @@ -723,7 +723,7 @@ ^%{S-1-5-\s*21\s*-498}$|^S-1-5-\s*21\s*-498$ Enterprise Read-only Domain Controllers Group Changed no_full_log - group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2, + group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b, 
@@ -731,7 +731,7 @@
^%{S-1-5-\s*21\s*-529}$|^S-1-5-\s*21\s*-529$ Read-only Domain Controllers Group Changed no_full_log
- group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,
@@ -739,7 +739,7 @@
^%{S-1-5-32-569}$|^S-1-5-32-569$ Cryptographic Operators Group Changed no_full_log
- group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,
@@ -747,7 +747,7 @@
^%{S-1-5-\s*21\s*-571}$|^S-1-5-\s*21\s*-571$ Allowed RODC Password Replication Group Changed no_full_log
- group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,
@@ -755,7 +755,7 @@
^%{S-1-5-\s*21\s*-572}$|^S-1-5-\s*21\s*-572$ Denied RODC Password Replication Group Changed no_full_log
- group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,
@@ -763,7 +763,7 @@
^%{S-1-5-32-573}$|^S-1-5-32-573$ Event Log Readers Group Changed no_full_log
- group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,
@@ -771,7 +771,7 @@
^%{S-1-5-32-574}$|^S-1-5-32-574$ Certificate Service DCOM Access Group Changed no_full_log
- group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,
60104 ^18456$
- win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,
MS SQL Server Logon Failure no_full_log
@@ -825,7 +825,7 @@
^18454$|^18453$ MS SQL Server Logon Success no_full_log
- authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,
+ authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,
@@ -835,7 +835,7 @@
^8$ IIS NetworkCleartext Logon Success no_full_log
- pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,
+ pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,
@@ -844,7 +844,7 @@
^8$ MS Exchange User Logoff no_full_log
- pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,
+ pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,
@@ -852,7 +852,7 @@
^634$|^4730$ Security Enabled Global Group Deleted $(win.eventdata.memberSid) no_full_log
- group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,
@@ -861,7 +861,7 @@
win.eventdata.targetUserName Multiple failed attempts to perform a privileged operation by the same user no_full_log
- pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,
@@ -869,7 +869,7 @@
win.eventdata.ipAddress Multiple Windows Logon Failures no_full_log
- authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,
@@ -877,7 +877,7 @@
win.eventdata.ipAddress Multiple Windows audit failure events no_full_log
- pci_dss_10.6.1,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,
diff --git a/rules/0590-win-system_rules.xml b/rules/0590-win-system_rules.xml
index 0993fd45e..7a1e44ed6 100644
--- a/rules/0590-win-system_rules.xml
+++ b/rules/0590-win-system_rules.xml
@@ -44,7 +44,7 @@
61100 ^7040$
- policy_changed,pci_dss_10.6,gdpr_IV_35.7.d,
+ policy_changed,pci_dss_10.6,gdpr_IV_35.7.d,hipaa_164.312.b,
Service startup type was changed no_full_log This does not appear to be logged on Windows 2000
diff --git a/rules/0595-win-sysmon_rules.xml b/rules/0595-win-sysmon_rules.xml
index 77e5be7c7..2ab7955cd 100644
--- a/rules/0595-win-sysmon_rules.xml
+++ b/rules/0595-win-sysmon_rules.xml
@@ -158,7 +158,7 @@
sysmon_event1 svchost.exe Sysmon - Suspicious Process - svchost.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -171,7 +171,7 @@
sysmon_event1 lsm.exe Sysmon - Suspicious Process - lsm.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -184,14 +184,14 @@
sysmon_event1 lsm.exe Sysmon - Suspicious Process - lsm.exe is a Parent Image
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
sysmon_event1 csrss.exe Sysmon - Suspicious Process - csrss.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -204,7 +204,7 @@
sysmon_event1 lsass.exe Sysmon - Suspicious Process - lsass
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -217,14 +217,14 @@
sysmon_event1 lsass.exe Sysmon - Suspicious Process - lsass.exe is a Parent Image
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
sysmon_event1 winlogon.exe Sysmon - Suspicious Process - winlogon.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -237,7 +237,7 @@
sysmon_event1 wininit.exe Sysmon - Suspicious Process - wininit
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -250,7 +250,7 @@
sysmon_event1 smss.exe Sysmon - Suspicious Process - smss.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -263,7 +263,7 @@
sysmon_event1 taskhost.exe Sysmon - Suspicious Process - taskhost.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -276,7 +276,7 @@
sysmon_event1 /services.exe Sysmon - Suspicious Process - services.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -289,7 +289,7 @@
sysmon_event1 dllhost.exe Sysmon - Suspicious Process - dllhost.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -302,7 +302,7 @@
sysmon_event1 \\explorer.exe Sysmon - Suspicious Process - explorer.exe
- pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,
diff --git a/rules/0605-win-mcafee_rules.xml b/rules/0605-win-mcafee_rules.xml
index 243960727..0651a47a6 100644
--- a/rules/0605-win-mcafee_rules.xml
+++ b/rules/0605-win-mcafee_rules.xml
@@ -63,21 +63,21 @@
62600,62601,62602 $MCAFEE_VIRUS
- virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,
+ virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,
McAfee Windows AV - Virus detected and not removed 62606 $MCAFEE_VIRUS_OK
- virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,
+ virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,
McAfee Windows AV - Virus detected and properly removed 62606 Will be deleted
- virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,
+ virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,
McAfee Windows AV - Virus detected and file will be deleted
@@ -85,7 +85,7 @@
62600,62601,62602 scan started|scan stopped McAfee Windows AV - Scan started or stopped
- pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -93,42 +93,42 @@
^257$ completed. No detections McAfee Windows AV - Scan completed with no viruses found
- pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,
62600,62601,62602 scan was cancelled |has taken too long McAfee Windows AV - Virus scan cancelled
- pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,
62600,62601,62602 scan was canceled because McAfee Windows AV - Virus scan cancelled due to shutdown
- pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,
62600,62601,62602 update was successful McAfee Windows AV - Virus program or DAT update succeeded
- pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.4,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.4,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
62600,62601,62602 update failed McAfee Windows AV - Virus program or DAT update failed
- pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
62600,62601,62602 update was cancelled McAfee Windows AV - Virus program or DAT update cancelled
- pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.6.1,pci_dss_5.2,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -143,13 +143,13 @@
62604 Multiple McAfee AV warning events
- pci_dss_5.1,pci_dss_10.6.1,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,
62605 Multiple McAfee AV error events
- pci_dss_5.1,pci_dss_10.6.1,gdpr_IV_35.7.d,
+ pci_dss_5.1,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,
\ No newline at end of file
diff --git a/rules/0615-win-ms-se_rules.xml b/rules/0615-win-ms-se_rules.xml
index af13e91f4..983f381ad 100644
--- a/rules/0615-win-ms-se_rules.xml
+++ b/rules/0615-win-ms-se_rules.xml
@@ -38,7 +38,7 @@
63600,63601,63602 ^1118$|^1119$
- virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,
+ virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Virus detected, but unable to remove no_full_log
@@ -46,7 +46,7 @@
63600,63601,63602 ^1107$
- virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,
+ virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Virus detected and properly removed no_full_log
@@ -54,7 +54,7 @@
63601 ^1119$|^1118$|^1117$|^1116$
- virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,
+ virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Virus detected no_full_log
@@ -62,7 +62,7 @@
63600,63601,63602 ^1015$
- virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,
+ virus,pci_dss_5.1,pci_dss_5.2,pci_dss_10.6.1,pci_dss_11.4,gpg13_4.2,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Suspicious activity detected no_full_log
@@ -72,13 +72,13 @@
^5007$ Microsoft Security Essentials - Configuration changed no_full_log
- policy_changed,pci_dss_10.2.7,pci_dss_10.6.1,gpg13_4.4,gdpr_IV_35.7.d,
+ policy_changed,pci_dss_10.2.7,pci_dss_10.6.1,gpg13_4.4,gdpr_IV_35.7.d,hipaa_164.312.b,
63600,63601,63602 ^5008$
- pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Service failed no_full_log
@@ -86,7 +86,7 @@
63600,63601,63602 ^3002$
- pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Real time protection failed no_full_log
@@ -101,7 +101,7 @@
63600,63601,63602 ^2004$
- pci_dss_10.6.1,gpg13_4.14,gpg13_4.4,gpg13_,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gpg13_4.14,gpg13_4.4,gpg13_,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Loading definitions failed. Using last good set no_full_log
@@ -109,7 +109,7 @@
63600,63601,63602 ^2003$
- pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Engine update failed no_full_log
@@ -117,7 +117,7 @@
63600,63601,63602 ^2001$
- pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Definitions update failed no_full_log
@@ -125,7 +125,7 @@
63600,63601,63602 ^1005$
- pci_dss_10.6.1,gpg13_4.4,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gpg13_4.4,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Scan error. Scan has stopped no_full_log
@@ -133,7 +133,7 @@
63600,63601,63602 ^1002$
- pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,
+ pci_dss_10.6.1,gpg13_4.14,gdpr_IV_35.7.d,hipaa_164.312.b,
Microsoft Security Essentials - Scan stopped before completion no_full_log
diff --git a/rules/0620-win-generic_rules.xml b/rules/0620-win-generic_rules.xml
index 600d22809..b3aa6c193 100644
--- a/rules/0620-win-generic_rules.xml
+++ b/rules/0620-win-generic_rules.xml
@@ -24,7 +24,7 @@
^20187$|^20014$|^20078$|^20050$|^20049$|^20189$ Remote access login failure no_full_log
- authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1,
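Review bot: The rewritten group line in the @@ -101 hunk of rules/0615-win-ms-se_rules.xml (event ^2004$) still carries the dangling token `gpg13_` between `gpg13_4.4` and `gdpr_IV_35.7.d`; the commit appends `hipaa_164.312.b` but copies the malformed tag through unchanged. Since this line is touched anyway, either complete the reference or drop it, e.g. `pci_dss_10.6.1,gpg13_4.14,gpg13_4.4,gdpr_IV_35.7.d,hipaa_164.312.b,`. A compliance view that groups alerts by gpg13 control would presumably show an empty control for this rule until that is fixed.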
@@ -32,7 +32,7 @@
^20158$ Remote access login success no_full_log
- authentication_success,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ authentication_success,pci_dss_10.2.5,pci_dss_8.1.5,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1,
@@ -40,7 +40,7 @@
^13570$ Windows file system full no_full_log
- low_diskspace,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,
+ low_diskspace,pci_dss_10.6.1,gpg13_4.1,gdpr_IV_35.7.d,hipaa_164.312.b,
@@ -55,7 +55,7 @@
^200$|^300$|^302$ TS Gateway login success no_full_log
- authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,
+ authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,
@@ -70,7 +70,7 @@
^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$ TS Gateway login failure no_full_log
- authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,
@@ -84,14 +84,14 @@
64101 Multiple remote access login failures no_full_log
- authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,pci_dss_8.1.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1,
64107 Multiple TS Gateway login failures no_full_log
- authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,
+ authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,
\ No newline at end of file
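Review bot: The TS Gateway login success/failure rules in the @@ -55 and @@ -70 hunks of rules/0620-win-generic_rules.xml (and `64107 Multiple TS Gateway login failures` in @@ -84) receive only `hipaa_164.312.b`, while the equivalent remote-access login rules in @@ -24, @@ -32 and @@ -84 also receive `hipaa_164.312.a.1`. The difference tracks exactly whether the old line already had `pci_dss_8.1.5`, which suggests the HIPAA tags were derived from the existing PCI tags rather than from what each rule detects. If 164.312.a.1 is intended to cover authentication events, the TS Gateway rules should get it too, e.g. `authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1,`. A short manual pass over the per-rule HIPAA coverage would catch other places where semantically similar rules end up with different tags.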