Merge branch 'main' into docs_windows_audit

Author: w0rk3r

rules/windows/credential_access_bruteforce_admin_account.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [transform]
 [[transform.osquery]]
@@ -107,7 +107,8 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where event.action == "logon-failed" and winlog.logon.type : "Network" and
+  [authentication where host.os.type == "windows" and
+    event.action == "logon-failed" and winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
 
     /* noisy failure status codes often associated to authentication misconfiguration */

rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [transform]
 [[transform.osquery]]
@@ -111,7 +111,7 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=5s
-  [authentication where event.action == "logon-failed" and
+  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and user.id != null and 
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and 
@@ -120,7 +120,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s
 
     /* noisy failure status codes often associated to authentication misconfiguration */
     not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
-  [authentication where event.action == "logged-in" and
+  [authentication where host.os.type == "windows" and event.action == "logged-in" and
     /* event 4624 need to be logged */
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [transform]
 [[transform.osquery]]
@@ -121,7 +121,7 @@ type = "eql"
 
 query = '''
 sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where event.action == "logon-failed" and
+  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
     /* event 4625 need to be logged */
     winlog.logon.type : "Network" and
     source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and

rules/windows/credential_access_dcsync_newterm_subjectuser.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/12/19"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -95,11 +95,12 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.code:"4662" and winlog.event_data.Properties:(
-                               *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
-                               *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
-                               *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
- not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
+event.code:"4662" and host.os.type:"windows" and 
+  winlog.event_data.Properties:(
+    *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
+    *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
+    *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
+  not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
 '''
 
 

rules/windows/credential_access_dcsync_user_backdoor.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:"5136" and
+event.code:"5136" and host.os.type:"windows" and
   winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
   winlog.event_data.AttributeValue : (
     (

rules/windows/credential_access_kerberos_coerce.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/14"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/06/14"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -93,8 +93,11 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
-(event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
+host.os.type:"windows" and
+(
+  (event.code:4662 and winlog.event_data.AdditionalInfo: *UWhRC*BAAAA*MicrosoftDNS*) or 
+  (event.code:5137 and winlog.event_data.ObjectDN: *UWhRC*BAAAA*MicrosoftDNS*)
+)
 '''
 
 

rules/windows/credential_access_ldap_attributes.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/11/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.code == "4662" and
+any where host.os.type == "windows" and event.code == "4662" and
 
   not winlog.event_data.SubjectUserSid : "S-1-5-18" and
 

rules/windows/credential_access_machine_account_smb_relay.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/16"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/06/16"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where event.code == "5145" and endswith(user.name, "$") and
+file where host.os.type == "windows" and event.code == "5145" and endswith(user.name, "$") and
 
  /* compare computername with user.name and make sure they match */
  startswith~(winlog.computer_name, substring(user.name, 0, -1)) and

rules/windows/credential_access_saved_creds_vault_winlog.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -73,12 +73,12 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 
  /* 2 consecutive vault reads from same pid for web creds */
 
- [any where event.code : "5382" and
+ [any where host.os.type == "windows" and event.code == "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7" and
   not winlog.event_data.Resource : "http://localhost/"]
 
- [any where event.code : "5382" and
+ [any where host.os.type == "windows" and event.code == "5382" and
   (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
   not winlog.event_data.SubjectLogonId : "0x3e7" and
   not winlog.event_data.Resource : "http://localhost/"]

rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/01/27"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -90,7 +90,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
+event.code:4704 and host.os.type:"windows" and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
 '''