Closed rubinatorz closed 2 years ago
Thank you Ruben 🙏 We will review it and let you know if we have any comments or questions.
Best, Jose
Comments on: user_created_logon_session.yml
Comments on: user_created_pipe & process_created_pipe
hi @Cyb3rPandaH,
Regarding user_created_logon_session.yml: I often use both the Microsoft docs and ultimatewindowssecurity.com. It doesn't happen much, but for 4776 the description on the UWS website differs from the one in the MS docs: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4776 UWS states "4776: The domain controller attempted to validate the credentials for an account", so I was pointed in the domain controller direction. Anyway, your recommended changes seem good!
Regarding user_created_pipe & process_created_pipe: I think I overlooked the process-connected-to-pipe relationship file, so I totally agree with the recommended changes. As there's only "Named Pipe Metadata" as a data component within the "Named Pipe" data source, I think this is the best option we currently have.
Comments on drive_created.yml:
Comments on drive_modified.yml:
Comments on firewall_policy_loaded.yml:
In other yml files we have used the term firewall to represent the firewall service. Based on the description of the event, what do you think of this idea for the behavior: firewall --> attempted to load --> policy? We could use the entity policy for other relationships in the future.
Comments on sensor_health_changed:
Thank you again @rubinatorz! We are merging the PR and will make a few changes later based on the comments I provided on a few sections.
hi guys,
As announced, here is my contribution of a set of Windows events. I also included some small fixes (typos).
If you have any questions or comments, please contact me via Slack.
regards, Ruben