diff --git a/rules/0575-win-base_rules.xml b/rules/0575-win-base_rules.xml
index ab2894798..f3e5fd134 100644
--- a/rules/0575-win-base_rules.xml
+++ b/rules/0575-win-base_rules.xml
@@ -23,56 +23,56 @@
60000
- ^Security
+ ^Security$
no_full_log
Group of Windows rules for the Security channel
60000
- ^System
+ ^System$
no_full_log
Group of Windows rules for the System channel
60000
- ^Application
+ ^Application$
no_full_log
Group of Windows rules for the Application channel
60000
- ^Microsoft-Windows-Sysmon/Operational
+ ^Microsoft-Windows-Sysmon/Operational$
no_full_log
Group of Windows rules for the Sysmon channel
60000
- ^Microsoft-Windows-Windows Defender/Operational
+ ^Microsoft-Windows-Windows Defender/Operational$
no_full_log
Group of Windows rules for the System channel
- 60000
- ^McLogEvent
+ 60003
+ ^McLogEvent$
no_full_log
Group of Windows rules for the McAfee channel
- 60001
- ^Microsoft-Windows-Eventlog
+ 60002
+ ^Eventlog$
no_full_log
Group of rules for Windows Eventlog
60002
- ^Microsoft Antimalware
+ ^Microsoft Antimalware$
no_full_log
Group of Microsoft Security Essentials rules
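Review bot: The Windows Defender channel rule still carries the description `Group of Windows rules for the System channel` (the line after the new `^Microsoft-Windows-Windows Defender/Operational$` pattern), which reads as a copy of the System rule's text; `Group of Windows rules for the Windows Defender channel` would keep alerts from that group from being mislabelled. The Eventlog rule is also re-parented from the Security group to the System group and its pattern narrows from a prefix match on `Microsoft-Windows-Eventlog` to the exact value `Eventlog`; the element name is not visible here, so if that field is the provider name, Security-channel events whose provider is still `Microsoft-Windows-Eventlog` (the log-cleared events are the usual case) would no longer reach the rules in 0610-win-ms_logs_rules.xml that appear to chain from it. Confirming both patterns against a decoded sample event before merging would settle this. The enclosing `<group>` element starts and ends outside the hunk.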
@@ -81,14 +81,14 @@
60000
- ^INFORMATION
+ ^INFORMATION$
Windows informational event
no_full_log
60000
- ^WARNING
+ ^WARNING$
Windows warning event
no_full_log
gpg13_4.12,
@@ -96,7 +96,7 @@
60000
- ^ERROR
+ ^ERROR$
Windows error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
@@ -104,7 +104,7 @@
60000
- ^CRITICAL
+ ^CRITICAL$
Windows critical event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
diff --git a/rules/0580-win-security_rules.xml b/rules/0580-win-security_rules.xml
index eacf10578..56bb01e20 100644
--- a/rules/0580-win-security_rules.xml
+++ b/rules/0580-win-security_rules.xml
@@ -12,14 +12,14 @@
60001
- ^INFORMATION
+ ^INFORMATION$
Windows Security informational event
no_full_log
60001
- ^WARNING
+ ^WARNING$
Windows Security warning event
no_full_log
gpg13_4.12,
@@ -27,7 +27,7 @@
60001
- ^ERROR
+ ^ERROR$
Windows Security error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
@@ -35,14 +35,14 @@
60001
- ^AUDIT_SUCCESS|^success
+ ^AUDIT_SUCCESS$|^success$
Windows audit success event
no_full_log
60001
- ^AUDIT_FAILURE|^failure
+ ^AUDIT_FAILURE$|^failure$
Windows audit failure event
pci_dss_10.6.1,gdpr_IV_35.7.d,
no_full_log
@@ -512,7 +512,7 @@
60160,60141
- None
+ ^None$
Local User Group NONE
no_full_log
Bogus group user added to upon creation
diff --git a/rules/0585-win-application_rules.xml b/rules/0585-win-application_rules.xml
index 9f3ba3b70..9ef221976 100644
--- a/rules/0585-win-application_rules.xml
+++ b/rules/0585-win-application_rules.xml
@@ -11,14 +11,14 @@
60003
- ^INFORMATION
+ ^INFORMATION$
Windows Application informational event
no_full_log
60003
- ^WARNING
+ ^WARNING$
Windows Application warning event
no_full_log
gpg13_4.12,
@@ -26,7 +26,7 @@
60003
- ^ERROR
+ ^ERROR$
Windows Application error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
@@ -35,7 +35,7 @@
60602
- chromoting
+ ^chromoting$
\.*Access denied for client
Chrome Remote Desktop attempt - access denied $(win.eventdata.data)
no_full_log
@@ -44,7 +44,7 @@
60600
- chromoting
+ ^chromoting$
^1$
Chrome Remote Desktop attempt - Client connected $(win.eventdata.data)
no_full_log
@@ -53,7 +53,7 @@
60600
- chromoting
+ ^chromoting$
^2$
Chrome Remote Desktop attempt - disconnected ($(win.eventdata.data))
no_full_log
@@ -63,7 +63,7 @@
60600
- chromoting
+ ^chromoting$
^5$
Chrome Remote Desktop attempt - started connection from $(win.eventdata.data)
no_full_log
@@ -72,7 +72,7 @@
60600
- Microsoft-Windows-Defrag
+ ^Microsoft-Windows-Defrag$
^258$
Disk defragmenter successfully completed an analysis
no_full_log
@@ -80,7 +80,7 @@
60600
- Windows Error Reporting
+ ^Windows Error Reporting$
^1001$
Summary event of the report's signatures
no_full_log
@@ -88,7 +88,7 @@
60600
- MsiInstaller
+ ^MsiInstaller$
Group of MsiInstaller events
no_full_log
@@ -300,7 +300,7 @@
60600
- LocationNotifications
+ ^LocationNotifications$
^1$
A program accessed information from a location sensor or default location
no_full_log
@@ -308,7 +308,7 @@
60600
- Microsoft-Windows-Security-SPP
+ ^Microsoft-Windows-Security-SPP$
Group of SPP events
no_full_log
@@ -350,7 +350,7 @@
60602
- Microsoft-Windows-Security-SPP
+ ^Microsoft-Windows-Security-SPP$
^8198$
License Activation (slui.exe) failed
no_full_log
@@ -534,7 +534,7 @@
60601
- Microsoft-Windows-Search
+ ^Microsoft-Windows-Search$
^1008$
The Windows Search Service attempted to remove the old search index
no_full_log
@@ -543,7 +543,7 @@
60600
^1$
- Microsoft-Windows-Search-ProfileNotify
+ ^Microsoft-Windows-Search-ProfileNotify$
Windows Search Service indexed data for user successfully removed in response to user profile deletion
no_full_log
gdpr_IV_32.2,
@@ -552,7 +552,7 @@
60600
^16$
- Microsoft-Windows-Search-ProfileNotify
+ ^Microsoft-Windows-Search-ProfileNotify$
Created default configuration for user
no_full_log
gdpr_IV_32.2,
@@ -560,7 +560,7 @@
60600
- VSS
+ ^VSS$
Group of VSS events
no_full_log
@@ -770,7 +770,7 @@
60602
- VSS
+ ^VSS$
^12290$
Volume Shadow Copy Service warning: ESENT ERROR
no_full_log
@@ -778,7 +778,7 @@
60602
- VSS
+ ^VSS$
^12291$
Error creating or using the COM+ Writers publisher interface
no_full_log
@@ -786,7 +786,7 @@
60602
- VSS
+ ^VSS$
^12292$
Error creating the Shadow Copy Provider COM class with CLSID
no_full_log
@@ -794,7 +794,7 @@
60602
- VSS
+ ^VSS$
^12293$
Error calling a routine on a Shadow Copy Provider
no_full_log
@@ -844,7 +844,7 @@
60600
- System Restore
+ ^System Restore$
Group of System Restore events
no_full_log
@@ -900,7 +900,7 @@
60600
- Application Error
+ ^Application Error$
Group of Application Error events
no_full_log
@@ -921,7 +921,7 @@
60600
- Microsoft-Windows-WMI
+ ^Microsoft-Windows-WMI$
Group of WMI events
no_full_log
@@ -935,7 +935,7 @@
60602
- Microsoft-Windows-WMI
+ ^Microsoft-Windows-WMI$
^29$
WMI Service could not be initialized
no_full_log
@@ -1083,7 +1083,7 @@
60600
- Microsoft-Windows-EventSystem
+ ^Microsoft-Windows-EventSystem$
Group of EventSystem events
no_full_log
@@ -1231,7 +1231,7 @@
60600
- Desktop Window Manager
+ ^Desktop Window Manager$
Group of Desktop Window Manager events
no_full_log
@@ -1259,7 +1259,7 @@
60600
- Microsoft-Windows-Winlogon
+ ^Microsoft-Windows-Winlogon$
Group of Winlogon events
no_full_log
@@ -1407,7 +1407,7 @@
60600
- ESENT
+ ^ESENT$
Group of ESENT events
no_full_log
@@ -1603,7 +1603,7 @@
60600
- Microsoft-Windows-CEIP
+ ^Microsoft-Windows-CEIP$
^1005$
Customer Experience Improvement Program data successfully consolidated
no_full_log
@@ -1611,7 +1611,7 @@
60600
- Microsoft-Windows-CAPI2
+ ^Microsoft-Windows-CAPI2$
Group of CAPI2 events
no_full_log
@@ -1709,7 +1709,7 @@
60600
- Microsoft-Windows-MSDTC
+ ^Microsoft-Windows-MSDTC$
Group of MSDTC events
no_full_log
@@ -2957,7 +2957,7 @@
60602
- .NET Runtime
+ ^.NET Runtime$
Group of .NET Runtime events
no_full_log
@@ -2999,7 +2999,7 @@
60602
- Microsoft-Windows-LocationProvider
+ ^Microsoft-Windows-LocationProvider$
^2006$
There was an error with the Windows Location Provider database
no_full_log
@@ -3007,7 +3007,7 @@
60600
- Microsoft-Windows-LocationProvider
+ ^Microsoft-Windows-LocationProvider$
^2001$
Windows Location Provider started
no_full_log
@@ -3015,7 +3015,7 @@
60600
- Microsoft-Windows-LocationProvider
+ ^Microsoft-Windows-LocationProvider$
^2003$
The Windows Location Provider has shutdown
no_full_log
@@ -3023,7 +3023,7 @@
60600
- Microsoft-Windows-UserModePowerService
+ ^Microsoft-Windows-UserModePowerService$
^12$
Process $(win.eventdata.processPath) has reset policy scheme from $(win.eventdata.oldSchemeGuid) to $(win.eventdata.newSchemeGuid)
no_full_log
@@ -3031,7 +3031,7 @@
60600
- Application Management
+ ^Application Management$
Group of Application Management events
no_full_log
@@ -3094,7 +3094,7 @@
60600
- DNSCache
+ ^DNSCache$
^11050$
The DNS Client service could not contact any DNS servers for a repeated number of attempts
no_full_log
@@ -3102,7 +3102,7 @@
60600
- Disk
+ ^Disk$
Group of Disk events
no_full_log
@@ -3220,7 +3220,7 @@
- EventCreate
+ ^EventCreate$
^100$
Event created in the application log
no_full_log
@@ -3228,7 +3228,7 @@
60600
- Microsoft-Windows-EventCollector
+ ^Microsoft-Windows-EventCollector$
Group of EventCollector events
no_full_log
@@ -3270,7 +3270,7 @@
60600,60601,60602
- Microsoft-Windows-Perflib
+ ^Microsoft-Windows-Perflib$
^1008$
The Open Procedure for service Remote Access failed
no_full_log
diff --git a/rules/0590-win-system_rules.xml b/rules/0590-win-system_rules.xml
index 0993fd45e..e90675f1a 100644
--- a/rules/0590-win-system_rules.xml
+++ b/rules/0590-win-system_rules.xml
@@ -11,14 +11,14 @@
60002
- ^INFORMATION
+ ^INFORMATION$
Windows System informational event
no_full_log
60002
- ^WARNING
+ ^WARNING$
Windows System warning event
no_full_log
gpg13_4.12,
@@ -26,7 +26,7 @@
60002
- ^ERROR
+ ^ERROR$
Windows System error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
@@ -34,7 +34,7 @@
60002
- ^CRITICAL
+ ^CRITICAL$
Windows System critical event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
@@ -53,7 +53,7 @@
61103
^41$
- ^Microsoft-Windows-Kernel-Power
+ ^Microsoft-Windows-Kernel-Power$
The system stopped responding, crashed or lost power unexpectedly
no_full_log
@@ -61,7 +61,7 @@
61101
^219$
- ^Microsoft-Windows-Kernel-PnP
+ ^Microsoft-Windows-Kernel-PnP$
The driver $(win.eventdata.failureName) failed to load for the device $(win.eventdata.driverName)
no_full_log
@@ -70,7 +70,7 @@
61102
^7031$
\.+
- ^Service Control Manager
+ ^Service Control Manager$
$(win.eventdata.param1) terminated unexpectedly
no_full_log
@@ -78,7 +78,7 @@
61102
^7022$
- ^Service Control Manager
+ ^Service Control Manager$
The Windows Search service hung on starting
no_full_log
@@ -86,7 +86,7 @@
61101
^1014$
- ^Microsoft-Windows-DNS-Client
+ ^Microsoft-Windows-DNS-Client$
Name resolution for the name $(win.eventdata.queryName) timed out
no_full_log
@@ -111,7 +111,7 @@
61100
- Browser
+ ^Browser$
Group of Browser events
no_full_log
diff --git a/rules/0595-win-sysmon_rules.xml b/rules/0595-win-sysmon_rules.xml
index 77e5be7c7..6d4a84847 100644
--- a/rules/0595-win-sysmon_rules.xml
+++ b/rules/0595-win-sysmon_rules.xml
@@ -11,14 +11,14 @@
60004
- ^INFORMATION
+ ^INFORMATION$
Windows Sysmon informational event
no_full_log
60004
- ^WARNING
+ ^WARNING$
Windows Sysmon warning event
no_full_log
gpg13_4.12,
@@ -26,7 +26,7 @@
60004
- ^ERROR
+ ^ERROR$
Windows Sysmon error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
diff --git a/rules/0600-win-wdefender_rules.xml b/rules/0600-win-wdefender_rules.xml
index 67bc8c50e..bac6094f0 100644
--- a/rules/0600-win-wdefender_rules.xml
+++ b/rules/0600-win-wdefender_rules.xml
@@ -12,14 +12,14 @@
60005
- ^INFORMATION
+ ^INFORMATION$
Windows Defender informational event
no_full_log
60005
- ^WARNING
+ ^WARNING$
Windows Defender warning event
no_full_log
gpg13_4.12,
@@ -27,7 +27,7 @@
60005
- ^ERROR
+ ^ERROR$
Windows Defender error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
@@ -38,7 +38,7 @@
62101
^1116$
- Windows Defender: detected potentially unwanted software $(win.eventdata.processName)
+ Windows Defender: detected potentially unwanted software $(win.eventdata.process Name)
no_full_log
gdpr_IV_35.7.d,
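Review bot: The description's dynamic field reference now reads `$(win.eventdata.process Name)` with an embedded space, here and in the event 1117 hunk below; that only resolves if the decoded eventdata key literally is `process Name`, i.e. if the decoder keeps the space from the event's `Process Name` data element rather than collapsing it to `processName`. If that is confirmed, an XML comment beside these rules such as `<!-- eventdata keys for these Defender events keep the space from the Data Name attribute, e.g. "process Name" -->` would stop the next reader reverting it; if it is not, the previous `processName` form was the correct one. The rule element starts outside the hunk.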
@@ -48,7 +48,7 @@
62100
^1117$
- Windows Defender: taken action to protect machine from unwanted software $(win.eventdata.processName)
+ Windows Defender: taken action to protect machine from unwanted software $(win.eventdata.process Name)
no_full_log
gdpr_IV_35.7.d,
diff --git a/rules/0605-win-mcafee_rules.xml b/rules/0605-win-mcafee_rules.xml
index 243960727..edf8ccf8b 100644
--- a/rules/0605-win-mcafee_rules.xml
+++ b/rules/0605-win-mcafee_rules.xml
@@ -17,14 +17,14 @@
60006
- ^INFORMATION
+ ^INFORMATION$
Windows McAfee informational event
no_full_log
60006
- ^WARNING
+ ^WARNING$
Windows McAfee warning event
no_full_log
gpg13_4.12,
@@ -32,7 +32,7 @@
60006
- ^ERROR
+ ^ERROR$
Windows McAfee error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
diff --git a/rules/0610-win-ms_logs_rules.xml b/rules/0610-win-ms_logs_rules.xml
index 33016bcee..c55f0f70a 100644
--- a/rules/0610-win-ms_logs_rules.xml
+++ b/rules/0610-win-ms_logs_rules.xml
@@ -13,14 +13,14 @@
60007
- ^INFORMATION
+ ^INFORMATION$
Windows Eventlog informational event
no_full_log
60007
- ^WARNING
+ ^WARNING$
Windows Eventlog warning event
no_full_log
gpg13_4.12,
@@ -28,7 +28,7 @@
60007
- ^ERROR
+ ^ERROR$
Windows Eventlog error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
diff --git a/rules/0615-win-ms-se_rules.xml b/rules/0615-win-ms-se_rules.xml
index af13e91f4..25f6fc906 100644
--- a/rules/0615-win-ms-se_rules.xml
+++ b/rules/0615-win-ms-se_rules.xml
@@ -12,14 +12,14 @@
60008
- ^INFORMATION
+ ^INFORMATION$
Microsoft Antimalware informational event
no_full_log
60008
- ^WARNING
+ ^WARNING$
Microsoft Antimalware warning event
no_full_log
gpg13_4.12,
@@ -27,7 +27,7 @@
60008
- ^ERROR
+ ^ERROR$
Microsoft Antimalware error event
no_full_log
system_error,gpg13_4.3,gdpr_IV_35.7.d,
diff --git a/rules/0620-win-generic_rules.xml b/rules/0620-win-generic_rules.xml
index 600d22809..bc314ee51 100644
--- a/rules/0620-win-generic_rules.xml
+++ b/rules/0620-win-generic_rules.xml
@@ -14,7 +14,7 @@
60009,60010,60011,60012
- ^File Replication Service
+ ^File Replication Service$
Group of Windows rules for Remote Access
no_full_log
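Review bot: The description `Group of Windows rules for Remote Access` does not match the pattern it sits under, which now anchors on `^File Replication Service$`; alerts from this group would be labelled as Remote Access events. `Group of Windows rules for File Replication Service` would align it with the field it matches. The rule element starts outside the hunk.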
@@ -45,7 +45,7 @@
60009,60010,60011,60012
- ^Microsoft-Windows-TerminalServices
+ ^Microsoft-Windows-TerminalServices$
Group of Windows rules for Terminal Services
no_full_log