Local_rules.xml XML-Validator/Validation Tool

Andrehens Chicfici

Jan 30, 2026, 5:42:42 AM
to Wazuh | Mailing List
Hey,
I am running into an error: when I try to edit my local_rules.xml I am seeing "Error validating XML". When I try to validate the XML with XML Validation or similar tools, everything seems all right. (Some tools complain about it not having root brackets, but wazuh-xml seems weird and AFAIK it doesn't need them.)

Is there any tool that can validate my local_rules.xml? I have been trying to correct it manually for about 2 hours now, but it has around 1000 lines and I'm out of ideas as to WHAT is wrong...

For reference, here is my local_rules.conf, but I don't know if the formatting will break because of Google Groups.

Cheers
chic

<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<group name="custom_win">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
  <rule id="61638" level="11" overwrite="yes">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">dllhost.exe</field>
    <description>Sysmon - Suspicious Process - dllhost.exe</description>
    <mitre>
      <id>T1055</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,tsc_CC7.2,tsc_CC7.3,tsc_CC6.1,tsc_CC6.8,</group>
  </rule>
  <rule id="92032" level="3" overwrite="yes">
    <if_sid>92031, 61603</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)cmd\.EXE</field>
    <field name="win.eventdata.parentCommandLine" type="pcre2">(?i)\s\/C\s</field>
    <field name="win.eventdata.commandLine" negate="yes">find /i "Leitst.exe"</field>
    <options>no_full_log</options>
    <description>Suspicious Windows cmd shell execution</description>
    <mitre>
      <id>T1087</id>
      <id>T1059.003</id>
    </mitre>
  </rule>
  <!-- Exception for EBÜS is missing; it triggers constantly while the program is running, but that cannot be identified in the event. Coding has to be learned. -->
  <rule id="61632" level="11" overwrite="yes">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">smss.exe</field>
    <field name="win.eventdata.commandLine" negate="yes">Leitst.exe</field>
    <description>Sysmon - Suspicious Process - smss.exe</description>
    <mitre>
      <id>T1055</id>
    </mitre>
  </rule>
  <rule id="101104" level="12">
    <decoded_as>windows_eventchannel</decoded_as>
    <match>4739</match>
    <description>[DEBUG] 4739 (match) auf $(win.system.computer)</description>
  </rule>
  <rule id="61640" level="11" overwrite="yes">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">\\explorer.exe</field>
    <description>Sysmon - Suspicious Process - explorer.exe</description>
    <mitre>
      <id>T1055</id>
    </mitre>
    <group>pci_dss_10.6.1,pci_dss_11.4,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_SI.4,tsc_CC7.2,tsc_CC7.3,tsc_CC6.1,tsc_CC6.8,</group>
  </rule>
  <rule id="100014" level="0">
    <if_sid>92650</if_sid>
    <field name="win.eventdata.serviceName">tenable_mw_scan</field>
    <description>Suppress alerts for Tenable vulnerability scanner service creation</description>
  </rule>

  <rule id="100015" level="0">
    <if_sid>31168</if_sid>
    <field name="full_log">nessusd|nessus-service</field>
    <description>Exclude Shellshock alerts generated by Nessus scans.</description>
    <options>no_full_log</options>
  </rule>

  <!-- Rule to ignore USER users (EBUES) -->
  <rule id="100098" level="0">
    <if_sid>92656</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">USER</field>
    <description>Ignore RDP logins for specific users to prevent false positives.</description>
  </rule>
  <rule id="100099" level="0">
    <if_sid>60105</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">USER</field>
    <description>Ignore RDP logins for specific users to prevent false positives.</description>
  </rule>
  <rule id="110000" level="0">
    <if_sid>60104</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">USER</field>
    <description>Ignore RDP logins for specific users to prevent false positives.</description>
  </rule>
  <rule id="110001" level="0">
    <if_sid>60204</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">USER</field>
    <description>Ignore RDP logins for specific users to prevent false positives.</description>
  </rule>
  <!-- Win lockout evt -->
  <rule id="190015" level="12" overwrite="yes">
    <!--<if_sid>60103</if_sid>-->
    <field name="win.system.eventID">^644$|^4740$</field>
    <description>User-Account $(win.eventdata.targetUserName) gesperrt auf $(win.system.computer)</description>
    <options>no_full_log</options>
    <group>authentication_failures,pci_dss_8.1.6,pci_dss_11.4,gpg13_7.5,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>
</group>
<group name="windows,sql_cluster">
  <rule id="110001" level="10">
    <field name="win.system.eventID">^1641$</field>
    <description>Cluster resource group taken offline on $(win.system.computer)</description>
  </rule>

  <!-- Cluster resource group successfully taken offline -->
  <rule id="110002" level="5">
    <field name="win.system.eventID">^1643$</field>
    <description>Cluster resource group successfully taken offline on $(win.system.computer)</description>
  </rule>

  <!-- Cluster service failed to bring a clustered service/application online -->
  <rule id="110003" level="12">
    <field name="win.system.eventID">^1205$</field>
    <description>Cluster service failed to bring a clustered service/application online on $(win.system.computer)</description>
  </rule>

  <!-- Cluster resource failed -->
  <rule id="110004" level="12">
    <field name="win.system.eventID">^1069$</field>
    <description>Cluster resource failure on $(win.system.computer)</description>
  </rule>

  <!-- Cluster node removed from active membership -->
  <rule id="110005" level="12">
    <field name="win.system.eventID">^1135$</field>
    <description>Cluster node was removed from active membership: $(win.system.computer)</description>
  </rule>

  <!-- Stopping cluster roles during updates -->
  <rule id="110006" level="5">
    <field name="win.system.eventID">^2057$</field>
    <description>Cluster roles stopping for updates on $(win.system.computer)</description>
  </rule>

  <!-- Additional Failover Clustering events -->
  <rule id="110007" level="10">
    <field name="win.system.eventID">^1792$</field>
    <description>Cluster node is joining or joined: $(win.system.computer)</description>
  </rule>

  <rule id="110008" level="10">
    <field name="win.system.eventID">^1038$</field>
    <description>Cluster resource state change detected on $(win.system.computer)</description>
  </rule>

  <rule id="110009" level="10">
    <field name="win.system.eventID">^1795$</field>
    <description>Cluster node left: $(win.system.computer)</description>
  </rule>
</group>
<group name="local">
<!-- USER exception for winstation (RDP) and trusted clients/users -->
  <rule id="60108" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^682$|^683$|^4778$|^4779$</field>
    <field name="win.eventdata.accountName" negate="yes">USER1</field>
    <field name="win.eventdata.accountName" negate="yes">USER2</field>
    <field name="win.eventdata.accountName" negate="yes">^USER3|^USER4</field>
    <field name="win.eventdata.clientName" lookup="not_match_key">etc/lists/trusted-hosts</field>
    <field name="win.eventdata.accountName" lookup="not_match_key">etc/lists/trusted-users</field>
    <field name="win.eventdata.clientAddress" negate="yes">LOKAL</field>
    <options>no_full_log</options>
    <description>RDP-Session von nicht vertrautem Client/User. $(win.eventdata.accountName) von $(win.eventdata.clientName )</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_AC.2,pci_dss_8.1.5,tsc_CC6.1,</group>
  </rule>
</group>
<!-- win ht-admins -->
<group name="local">
  <rule id="100096" level="12">
    <if_sid>60106</if_sid>
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/ht_users</list>
    <field name="win.eventdata.processName" negate="yes">^C:\\\\Windows\\\\backupVssSupport\\\\backupGuestHelper.exe$</field>
    <field name="win.eventdata.processName" negate="yes">^Program Files\\\\VMware\\\\vmtoolsd.exe$</field>
    <field name="win.eventdata.processName" negate="yes">^C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe</field>
    <field name="win.eventdata.processName" negate="yes">^C:\\\\Program Files\\\\backup\\\\Endpoint Backup\\\\backup.EndPoint.Manager.exe$</field>
    <description>Domänen-Admin eingeloggt: $(win.eventdata.targetUserName) auf $(win.system.computer)</description>
  </rule>
  <rule id="111196" level="0">
    <if_sid>100096</if_sid>
    <regex>^Windows\\\\backupVssSupport\\\\backupGuestHelper.exe$</regex>
    <description>Exception for backup</description>
  </rule>
</group>
<group name="local,windows,security,logon_watch">
  <!-- Raise only when user is in list AND domain matches -->
  <rule id="110210" level="12">
    <if_sid>60106</if_sid> <!-- 4624 success -->
    <list field="win.eventdata.TargetUserName" lookup="match_key">etc/lists/logon_watch_users</list>
    <field name="win.eventdata.TargetDomainName">^DOMAIN$</field>
    <description>Test PDQ Login gefunden: $(win.eventdata.TargetDomainName)\$(win.eventdata.TargetUserName) on $(win.system.computer) (type $(win.eventdata.LogonType))</description>
    <group>authentication_success,allowlist_hit</group>
  </rule>
  <!-- Lowercase casing variant if some hosts send lowercased fields -->
  <rule id="110211" level="12">
    <if_sid>60106</if_sid>
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/logon_watch_users</list>
    <field name="win.eventdata.targetDomainName">^DOMAIN$</field>
    <description>Test PDQ Login gefunden (lowercase): $(win.eventdata.targetDomainName)\$(win.eventdata.targetUserName) on $(win.system.computer) (type $(win.eventdata.logonType))</description>
    <group>authentication_success,allowlist_hit</group>
  </rule>
  <!-- Optional: mute service/batch logons for those users -->
  <rule id="110214" level="0">
    <if_sid>60106</if_sid>
    <list field="win.eventdata.TargetUserName" lookup="match_key">etc/lists/logon_watch_users</list>
    <description>Watch user service/batch logon (muted)</description>
  </rule>
  <rule id="110215" level="0">
    <if_sid>60106</if_sid>
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/logon_watch_users</list>
    <description>Watch user service/batch logon (muted)</description>
  </rule>
</group>
<!-- AE and Server ZK -->
<group name="windows,windows_security,local,">
  <rule id="111096" level="13">
    <if_sid>60106</if_sid>
    <field name="win.event_data.LogonType">!2</field> <!-- Exclude Interactive logons -->
    <list field="win.eventdata.targetUserName" lookup="not_match_key">etc/lists/ht_users</list>
    <list field="win.system.computer" lookup="match_key">etc/lists/aes</list>
    <description>Unerlaubter login: $(win.eventdata.targetUserName) auf $(win.system.computer)</description>
  </rule>
</group>
<group name="windows_4739,local,">

  <!-- 4739: domain policy changed -->
  <rule id="101103" level="12">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^4739$</field>
    <description>Domain-Policy wurde auf $(win.system.computer) geändert</description>
  </rule>

  <!-- RAW fallback: everything that arrives as windows_eventchannel and has 4739 in the log -->
  <rule id="101120" level="10">
    <decoded_as>windows_eventchannel</decoded_as>
    <match>"eventID\":\"4739\"</match>
    <description>[DEBUG] RAW 4739 auf $(win.system.computer)</description>
  </rule>

</group>
<!--LINUX  -->
<group name="linux">
  <rule id="111097" level="12">
    <if_sid>2502</if_sid>
    <description>syslog: User missed the password more than one time</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <rule id="111098" level="12">
    <if_sid>5400</if_sid>
    <if_fts />
    <description>First time user executed sudo.</description>
    <mitre>
      <id>T1548.003</id>
    </mitre>
  </rule>

  <!-- Rule to avert monitoring DOS/bot false positives -->
  <rule id="111199" level="0">
    <if_sid>31533</if_sid>
    <match>^monitoring$</match>
    <description>Ignore Rule 31533 for monitoring</description>
  </rule>
</group>

<group name="linux,nmap,">
  <rule id="101100" level="3">
    <decoded_as>json</decoded_as>
    <field name="nmap_port">\.+</field>
    <field name="nmap_port_service">\.+</field>
    <description>NMAP: Host scan. Port $(nmap_port) is open and hosting the $(nmap_port_service) service.</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="linux">
  <rule id="121102" level="5">
    <if_sid>101100</if_sid>
    <field name="nmap_port">\d+</field>
    <description>NMAP: Host scan. Port $(nmap_port) is open.</description>
  </rule>
  <rule id="121103" level="5">
    <if_sid>101100</if_sid>
    <field name="nmap_port_service">^\s$</field>
    <description>NMAP: Port $(nmap_port) is open but no service is found.</description>
  </rule>
</group>

<group name="vcenter,syslog,">
    <rule id="10010" level="3">
        <decoded_as>esxi-syslog</decoded_as>
        <description>vCenter syslog event</description>
        <group>vcenter,syslog,</group>
        <!-- Addresses of all vCenters -->
        <srcip>192.166.0.51</srcip>
        <srcip>192.166.0.52</srcip>
        <srcip>192.166.0.53</srcip>
        <srcip>192.166.0.54</srcip>
        <srcip>192.169.0.5</srcip>
        <srcip>192.169.0.6</srcip>
        <srcip>192.166.0.54</srcip>
        <srcip>192.166.0.59</srcip>
        <options>no_full_log</options>
    </rule>
</group>

<group name="windows,windows_security,">

  <rule id="111099" level="0">
    <if_sid>60001</if_sid>
    <field name="win.system.severityValue">^AUDIT_FAILURE$|^failure$</field>
    <match>win.eventdata.workstation:CUSTOMER</match>
    <options>no_full_log</options>
    <description>Windows audit failure event.</description>
    <group>gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,pci_dss_10.6.1,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="60109" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^624$|^626$|^4720$|^4722$</field>
    <description>User account $(win.eventdata.targetUserName) enabled or created</description>
    <options>no_full_log</options>
    <group>adduser,account_changed,</group>
    <group>pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

   <rule id="60110" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^628$|^642$|^685$|^4738$|^4781$</field>
    <!-- Exception for CMDUSR -->
    <field name="win.eventdata.targetUserName" negate="yes">^CMDUSR$</field>
    <description>User account $(win.eventdata.targetUserName) changed</description>
    <group>pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

  <rule id="60111" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^630$|^629$|^4725$|^4726$</field>
    <description>User account $(win.eventdata.targetUserName) disabled or deleted</description>
    <options>no_full_log</options>
    <group>adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1098</id>
    </mitre>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>

  <rule id="60115" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^644$|^4740$</field>
    <description>User $(win.eventdata.targetUserName) gesperrt</description>
    <options>no_full_log</options>
    <group>authentication_failures,pci_dss_8.1.6,pci_dss_11.4,gpg13_7.5,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_AC.7,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1110</id>
    </mitre>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>
  <rule id="11102" level="0">
    <!-- Match events from MAILSERVER with MAILBOX -->
    <if_sid>60110</if_sid>
    <field name="win.eventdata.targetUserName">^MAILBOX$</field>
    <field name="win.eventdata.subjectUserName">^MAILSERVER\$$</field>
    <description>Exclude MAILSERVER MAILBOX events</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="60119" level="12" overwrite="yes">
    <if_sid>60106</if_sid>
    <if_fts />
    <description>First time user $(win.eventdata.targetUserName) logged in this system</description>
    <options>no_full_log</options>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>

   
  <rule id="111100" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^646$|^645$|^647$|^4741$|^4742$|^4743$</field>
    <field name="EventChannel.EventData.TargetUserName">SQL-CL-/w+$</field>
    <description>Computer account added/changed/deleted</description>
    <options>no_full_log</options>
  </rule>

 
  <rule id="60126" level="12" overwrite="yes">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^533$</field>
    <description>Logon Failure - User $(win.eventdata.targetUserName) not allowed to login at this computer</description>
    <options>no_full_log</options>
    <group>authentication_failed,login_denied,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>

 
  <rule id="60130" level="12" overwrite="yes">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^539$</field>
    <description>Logon Failure - Account $(win.eventdata.targetUserName) locked out</description>
    <options>no_full_log</options>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_8.1.6,gpg13_7.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>

  <!-- Exception for SQL cluster accounts - false positive! -->
  <rule id="60133" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^671$|^4767$|^4724$</field>
    <field name="win.eventdata.targetUserName" negate="yes">^FS-CL-2$|^FS$|^SQL-CL-2$|^SQL-CL-2-PROD$|^SQL-CL-2-DEV$</field>
    <field name="win.eventdata.targetUserName" negate="yes">^MAILBOX$</field>
    <field name="win.eventdata.targetUserName" type="pcre2" negate="yes">^CMDUSR$</field>
    <description>User account $(win.eventdata.targetUserName) entsperrt</description>
    <options>no_full_log</options>
    <group>account_changed,pci_dss_10.2.5,pci_dss_8.1.6,gpg13_7.10,gdpr_IV_32.2,hipaa_164.312.b,hipaa_164.312.a.1,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1098</id>
    </mitre>
  </rule>

  <rule id="60134" level="12" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^631$|^635$|^658$</field>
    <description>Security enabled group created</description>
    <options>no_full_log</options>
    <group>adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484.001</id>
    </mitre>
  </rule>

  <rule id="60135" level="12" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^634$|^638$|^662$</field>
    <description>Security enabled group deleted</description>
    <options>no_full_log</options>
    <group>adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>

  <!-- Granular group rules -->
  <rule id="60138" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|
                ^4749$|^663$|^4759$</field>
    <description>Group Account Created</description>
    <options>no_full_log</options>
    <group>group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60139" level="12" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|
            ^657$|^4753$|^667$|^4763$</field>
    <description>Group Account Deleted</description>
    <options>no_full_log</options>
    <group>group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60140" level="12" overwrite="yes">
    <if_sid>60138</if_sid>
    <field name="win.system.eventID">^631$|^4727$</field>
    <description>Security Enabled Global Group Created</description>
    <options>no_full_log</options>
    <group>group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60141" level="12" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^632$|^4728$</field>
    <description>Security Enabled Global Group Member Added $(win.eventdata.memberSid)</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60142" level="12" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^633$|^4729$</field>
    <description>Security Enabled Global Group Member Removed $(win.eventdata.memberSid)</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60143" level="12" overwrite="yes">
    <if_sid>60138</if_sid>
    <field name="win.system.eventID">^635$|^4731$</field>
    <description>Security Enabled Local Group Created $(win.eventdata.memberSid)</description>
    <options>no_full_log</options>
    <group>group_created,win_group_created,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60144" level="12" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^636$|^4732$</field>
    <description>Security Enabled Local Group Member Added $(win.eventdata.memberSid)</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60145" level="12" overwrite="yes">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^637$|^4733$</field>
    <description>Security Enabled Local Group Member Removed $(win.eventdata.memberSid)</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>

  <rule id="60146" level="12" overwrite="yes">
    <if_sid>60139</if_sid>
    <field name="win.system.eventID">^638$|^4734$</field>
    <description>Security Enabled Local Group Deleted</description>
    <options>no_full_log</options>
    <group>group_deleted,win_group_deleted,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>
 
</group>

<!-- Windows ADM Monitoring -->

<group name="Windows_Administrator_Logins">

  <rule id="101001" level="12">
    <decoded_as>windows-4624-user-sid</decoded_as>
    <description>Local Administrator login detected: $(win.eventdata.targetUserName)</description>
    <field name="target_user_sid">S-1-5-18</field>
  </rule>

  <rule id="101002" level="12">
    <decoded_as>windows-4624-user-sid</decoded_as>
    <description>Local Administrators Group login detected</description>
    <field name="target_user_sid">S-1-5-32-544</field>
  </rule>

  <rule id="101003" level="12">
    <decoded_as>windows-4624-user-sid</decoded_as>
    <description>Domain Administrator login detected</description>
    <regex field_name="target_user_sid">S-1-5-21-.+-500</regex>
  </rule>

  <rule id="101004" level="12">
    <decoded_as>windows-4624-user-sid</decoded_as>
    <description>Domain Admins Group login detected</description>
    <regex field_name="target_user_sid">S-1-5-21-.+-512</regex>
  </rule>
</group>

<group name="Win_sec_custom">
  <rule id="101005" level="12">
    <field name="win.system.eventID">^4739$</field>
    <description>Die Kennwortrichtlinie wurde geaendert.</description>
  </rule>
  <!-- GPO monitoring -->
  <rule id="101006" level="12">
    <field name="win.system.eventID">^5136$|^5137$</field>
    <options>alert_by_email</options>
    <description>Group Policy wurde erstellt/verändert von $(win.eventdata.subjectUserName) auf $(win.system.computer).</description>
  </rule>
  <rule id="101007" level="12">
    <field name="win.system.eventID">^5139$|^5141$</field>
    <options>alert_by_email</options>
    <description>Group Policy wurde gelöscht oder verschoben von $(win.eventdata.subjectUserName) auf $(win.system.computer).</description>
  </rule>
  <rule id="101008" level="12">
    <field name="win.system.eventID">^5138$</field>
    <options>alert_by_email</options>
    <description>Group Policy wurde wiederhergestellt von $(win.eventdata.subjectUserName) auf $(win.system.computer).</description>
  </rule>
  <rule id="60105" level="5" overwrite="yes">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</field>
    <field name="win.system.eventID">^682$|^683$|^4778$|^4779$</field>
    <field name="win.eventdata.accountName" negate="yes">USER1</field>
    <field name="win.eventdata.accountName" negate="yes">USER2</field>
    <field name="win.eventdata.accountName" negate="yes">^USER3|^USER4</field>
    <description>Windows Logon Failure</description>
    <options>no_full_log</options>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
  <rule id="60122" level="5" overwrite="yes">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <field name="win.eventdata.logonProcessName" negate="yes">^Schannel$</field>
    <field name="win.eventdata.logonProcessName" negate="yes">Schannel</field>
    <field name="win.eventdata.logonProcessName" negate="yes">^schannel$</field>
    <field name="win.eventdata.logonProcessName">^(?!Schannel).*$</field>
    <field name="win.eventdata.authenticationPackageName">^(?!Microsoft Unified Security Protocol Provider).*$</field>
    <description>Logon Failure - Unknown user or bad password</description>
    <options>no_full_log</options>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>
</group>
<group name="linux_custom">
<!-- Exception for Nessus IP -->
  <rule id="101009" level="0">
    <if_sid>5710</if_sid>
    <match>illegal user|invalid user</match>
    <srcip>192.166.0.24</srcip>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>
<group name="ssh_custom">
  <rule id="5701" level="12" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>Bad protocol version identification</match>
    <description>sshd: Possible attack on the ssh server (or version gathering).</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
  <rule id="5702" level="12" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>sshd: Reverse lookup error (bad ISP or attack).</description>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="5703" level="12" frequency="6" timeframe="360" overwrite="yes">
    <if_matched_sid>5702</if_matched_sid>
    <same_source_ip />
    <description>sshd: Possible breakin attempt (high number of reverse lookup errors).</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
  <rule id="5705" level="12" frequency="6" timeframe="360" overwrite="yes">
    <if_matched_sid>5704</if_matched_sid>
    <description>sshd: Possible scan or breakin attempt (high number of login timeouts).</description>
    <mitre>
      <id>T1190</id>
      <id>T1110</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="5706" level="12" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>Did not receive identification string from</match>
    <description>sshd: insecure connection attempt (scan).</description>
    <mitre>
      <id>T1021.004</id>
    </mitre>
    <group>gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,pci_dss_11.4,recon,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
  <rule id="5707" level="14" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>fatal: buffer_get_string: bad string</match>
    <description>sshd: OpenSSH challenge-response exploit.</description>
    <mitre>
      <id>T1210</id>
      <id>T1068</id>
    </mitre>
    <group>exploit_attempt,gdpr_IV_35.7.d,gpg13_4.12,nist_800_53_SI.4,nist_800_53_SI.2,pci_dss_11.4,pci_dss_6.2,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
  <rule id="5710" level="12" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="5712" level="12" frequency="8" timeframe="120" ignore="60" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force trying to get access to the system. Non existent user.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
  <rule id="5716" level="12" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>sshd: authentication failed.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
 
  <rule id="10300" level="12" frequency="3" timeframe="60">
    <if_matched_sid>5760</if_matched_sid>
    <same_srcip />
    <description>sshd: Multiple authentication failures from same IP (3 times in 180s)</description>
    <mitre>
     <id>T1110.001</id>
     <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,sshd,bruteforce,</group>
  </rule>
 
  <rule id="5404" level="12" overwrite="yes">
    <if_sid>5401</if_sid>
    <match>3 incorrect password attempts</match>
    <description>Three failed attempts to run sudo</description>
    <mitre>
      <id>T1548.003</id>
    </mitre>
    <group>pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="204" level="10" overwrite="yes">
    <if_sid>201</if_sid>
    <field name="level">flooded</field>
    <description>Agent event queue is flooded. Check the agent configuration.</description>
    <group>agent_flooding,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
  </rule>
</group>
<group name="win-custom">
  <rule id="103000" level="0">
    <if_sid>60107</if_sid>
    <field name="win.system.computer">DEVICE1|DEVICE2h|DEVICE3</field>
    <description>Failed attempt to perform a privileged operation</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
  <rule id="103001" level="0">
    <if_sid>60107</if_sid>
    <field name="win.eventdata.processName">FWNTPSERVICENtpService.exe</field>
    <description>Failed attempt to perform a privileged operation</description>
    <options>no_full_log</options>
    <group>pci_dss_10.2.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.6,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
  <rule id="60137" level="3" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
    <description>Windows User Logoff</description>
    <field name="win.eventdata.targetUserName" negate="yes">MAILSERVER|MAILBOX|MAILSTORE</field>
    <options>no_full_log</options>
    <group>pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
  <!-- currently not usable at level 15, fires constantly on camcontrol etc., needs a workaround -->
  <rule id="92213" level="11" overwrite="yes">
    <if_group>sysmon_event_11</if_group>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.(exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|msi|vbe)</field>
    <options>no_full_log</options>
    <description>Executable file dropped in folder commonly used by malware</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>



<!---
<group name="backup,authentication,failed">

  <rule id="100200" level="10">
    <description>backup Backup Replication authentication failure</description>
    <mitre>T1110</mitre>
    <options>no_full_log</options>
  </rule>

</group>
-->

<!--
<group name="FWNTPSERVICE-xgs">
  <rule id="102000" level="0">
    <decoded_as>FWNTPSERVICE-xgs</decoded_as>
    <description>General rule for FWNTPSERVICE events.</description>
  </rule>
  <rule id="102001" level="12">
    <if_sid>102000</if_sid>
    <match>couldn't sign in to web admin console. wrong credentials</match>
    <description>FWNTPSERVICE XGS: Failed login attempt to Web Admin Console by user $(user_name)</description>
  </rule>
  <rule id="102002" level="12">
    <if_sid>102000</if_sid>
    <regex>\w+ Settings were changed by</regex>
    <description>FWNTPSERVICE XGS: Configuration was changed by $(user_name)</description>
  </rule>
  <rule id="102003" level="12">
    <if_sid>102000</if_sid>
    <regex>message="Firewall Rule '[^"]+' was added by '[^"]+' from '[^"]+' using '[^"]+'</regex>
    <description>FWNTPSERVICE XGS: Firewall rule was added by $(user_name)</description>
  </rule>
  <rule id="102004" level="12">
    <if_sid>102000</if_sid>
    <regex>message="Firewall Rule '[^"]+' was deleted by '[^"]+' from '[^"]+' using '[^"]+'</regex>
    <description>FWNTPSERVICE XGS: Firewall rule was deleted by $(user_name)</description>
  </rule>
  <rule id="102005" level="12">
    <if_sid>102000</if_sid>
    <regex>.+ message="Firewall rule group '[^"]+' was updated by .+</regex>
    <description>FWNTPSERVICE XGS: Firewall rule group was updated by $(user_name)</description>
  </rule>
  <rule id="102006" level="12">
    <if_sid>102000</if_sid>
    <regex>message="Order for Firewall Rule '[^"]+' were changed by '[^"]+' from '[^"]+' using '[^"]+'</regex>
    <description>FWNTPSERVICE XGS: Firewall rule order was changed by $(user_name)</description>
  </rule>
  <rule id="102007" level="10">
    <if_sid>102000</if_sid>
    <regex>access_type="Remote Access" user_name="</regex>
    <description>FWNTPSERVICE XGS: $(user_name) connected via SSL VPN</description>
  </rule>
  <rule id="102008" level="10">
    <if_sid>102000</if_sid>
    <regex>access_type="Remote Access" Reason="Logout"</regex>
    <description>FWNTPSERVICE XGS: $(user_name) SSL VPN-SESSION TERMINATED</description>
  </rule>
  <rule id="102009" level="12">
    <if_sid>102000</if_sid>
    <regex>Administrator 'support' logged in successfully</regex>
    <description>FWNTPSERVICE XGS: FWNTPSERVICE Support logged in</description>
  </rule>
  <!-- SSH login failed (CLI/Admin, tolerant tail) -->
<!--
  <rule id="102010" level="11">
    <if_sid>102000</if_sid>
    <regex>message="User '</regex>
    <description>FWNTPSERVICE XGS: SSH login failed user $(user_name) from $(src_ip)</description>
    <group>authentication_failed,ssh,FWNTPSERVICE,xgs,</group>
    <mitre><id>T1110</id></mitre>
  </rule>
</group>
-->
<group name="backup,authentication,failed">

  <rule id="100200" level="12">
    <field name="Description">authentication has failed</field>
    <description>Backup Replication authentication failure</description>
    <group>backup, authentication</group>
    <match>Description</match>
  </rule>

</group>

diego....@wazuh.com

unread,
Jan 30, 2026, 6:24:41 AM (3 days ago) Jan 30
to Wazuh | Mailing List

Hello Andrehens Chicfici,

I've been checking your rules and the only apparent error I see is that you forgot to close a comment tag right after rule 102009.

If the issue still persists, let me know in fine detail what changes you have made recently, as checking each rule one by one is quite tedious.

Andrehens Chicfici

unread,
Jan 30, 2026, 6:58:17 AM (3 days ago) Jan 30
to Wazuh | Mailing List
Yes, that worked!
Stupid that comments will still be read... but yeah! Thanks a lot!

But is there any XML-Validator that works with wazuh xml? This would make everything so much easier...

cheers
chic

diego....@wazuh.com

unread,
Jan 30, 2026, 9:24:56 AM (3 days ago) Jan 30
to Wazuh | Mailing List
Hello, 

Glad to help!

I tried this validator and it seemed to work -> https://www.liquid-technologies.com/online-xml-validator

However, I normally see the error in the Wazuh UI, and it helps me out.
You can access it by going to any rule file in the UI, and if there's an XML error, it will show. However, it will not show wrong regex formation.