Initial commit

skills/incident-response/detection-sigma/assets/compliance-rules/iso27001-logging.yml

@@ -0,0 +1,110 @@
+title: ISO 27001 A.12.4 - Event Logging and Monitoring
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements ISO/IEC 27001:2013 Annex A.12.4 event logging requirements.
+  Monitors user activities, exceptions, faults, and security events as
+  required by A.12.4.1 (Event logging).
+references:
+    - https://www.iso.org/standard/54534.html
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - iso27001.a.12.4.1  # Event logging
+    - iso27001.a.12.4.3  # Administrator and operator logs
+    - iso27001.a.9.2.1   # User registration and de-registration
+logsource:
+    category: authentication
+    product: windows
+detection:
+    selection_user_activity:
+        EventID:
+            - 4624  # User logons
+            - 4625  # Failed logons
+            - 4634  # Logoffs
+    selection_admin_activity:
+        EventID:
+            - 4624  # Successful logon
+        TargetUserName|contains:
+            - 'admin'
+            - 'Administrator'
+            - 'root'
+    selection_account_mgmt:
+        EventID:
+            - 4720  # User account created
+            - 4726  # User account deleted
+            - 4738  # User account changed
+    condition: selection_user_activity or selection_admin_activity or selection_account_mgmt
+falsepositives:
+    - None - required logging per ISO 27001
+level: informational
+fields:
+    - UserID
+    - DateTime
+    - EventType
+    - SystemActivity
+    - DeviceIdentity
+    - Location
+    - Outcome
+
+# ISO 27001:2013 Annex A.12.4 - Logging and Monitoring
+#
+# A.12.4.1 Event logging
+# Event logs shall record:
+# - User IDs
+# - System activities
+# - Dates, times and details of key events (e.g. log-on, log-off)
+# - Device identity or location if possible
+# - Records of successful and rejected system access attempts
+# - Records of successful and rejected data and other resource access attempts
+# - Changes to system configuration
+# - Use of privileges
+# - Use of system utilities and applications
+# - Files accessed and the kind of access
+# - Network addresses and protocols
+# - Alarms raised by the access control system
+# - Activation and de-activation of protection systems
+#
+# A.12.4.2 Protection of log information
+# Detection for unauthorized log access/modification:
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\Logs\'
+#         EventType: 'Delete'
+# tags:
+#     - iso27001.a.12.4.2
+#
+# A.12.4.3 Administrator and operator logs
+# System administrator and operator activities shall be logged:
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         User|contains:
+#             - 'admin'
+#             - 'root'
+# tags:
+#     - iso27001.a.12.4.3
+#
+# A.9.2.1 User registration and de-registration
+# logsource:
+#     category: authentication
+# detection:
+#     selection:
+#         EventID:
+#             - 4720  # Account created
+#             - 4726  # Account deleted
+# tags:
+#     - iso27001.a.9.2.1
+#
+# A.9.4.1 Information access restriction
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\Confidential\'
+# tags:
+#     - iso27001.a.9.4.1

skills/incident-response/detection-sigma/assets/compliance-rules/nist-800-53-audit.yml

@@ -0,0 +1,98 @@
+title: NIST 800-53 AU-2/AU-12 - Audit Event Generation
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements NIST SP 800-53 Rev. 5 audit event generation requirements.
+  Monitors security-relevant events as defined in AU-2 (Audit Events) and
+  AU-12 (Audit Generation) controls.
+references:
+    - https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - nist-800-53.au-2   # Audit Events
+    - nist-800-53.au-3   # Content of Audit Records
+    - nist-800-53.au-12  # Audit Generation
+    - nist-800-53.ac-2   # Account Management
+    - nist-800-53.ia-2   # Identification and Authentication
+logsource:
+    category: authentication
+    product: windows
+detection:
+    selection_authentication:
+        EventID:
+            - 4624  # Successful logon
+            - 4625  # Failed logon
+            - 4634  # Logoff
+            - 4648  # Logon using explicit credentials
+    selection_account_mgmt:
+        EventID:
+            - 4720  # Account created
+            - 4722  # Account enabled
+            - 4723  # Password change attempted
+            - 4724  # Password reset
+            - 4725  # Account disabled
+            - 4726  # Account deleted
+            - 4738  # Account modified
+    selection_privilege_use:
+        EventID:
+            - 4672  # Special privileges assigned
+            - 4673  # Sensitive privilege use
+            - 4674  # Privileged operation
+    condition: selection_authentication or selection_account_mgmt or selection_privilege_use
+falsepositives:
+    - None - these are required audit events per NIST 800-53
+level: low  # Informational logging
+fields:
+    - EventTime
+    - EventType
+    - Outcome
+    - SubjectIdentity
+    - ObjectIdentity
+    - SourceAddress
+
+# NIST 800-53 Rev. 5 Audit Requirements:
+#
+# AU-2: Audit Events
+# - Successful and unsuccessful account logon events
+# - Account management events
+# - Object access
+# - Policy change
+# - Privilege functions
+# - Process tracking
+# - System events
+#
+# AU-3: Content of Audit Records
+# Required fields in each audit record:
+# - Date and time of the event
+# - Component where event occurred
+# - Type of event
+# - User/subject identity
+# - Outcome (success/failure)
+#
+# AU-12: Audit Generation
+# - Provide audit record generation for defined events
+# - Allow authorized users to select events to be audited
+# - Generate audit records for events with required content
+#
+# Additional NIST 800-53 Detection Rules:
+#
+# SI-4: System Monitoring
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         CommandLine|contains:
+#             - 'mimikatz'
+#             - 'credential dump'
+# tags:
+#     - nist-800-53.si-4
+#
+# AC-6: Least Privilege
+# detection:
+#     selection:
+#         EventID: 4672  # Special privileges assigned
+#         PrivilegeList|contains: 'SeDebugPrivilege'
+# tags:
+#     - nist-800-53.ac-6

skills/incident-response/detection-sigma/assets/compliance-rules/pci-dss-monitoring.yml

@@ -0,0 +1,72 @@
+title: PCI-DSS 10.2 - Audit Trail Monitoring
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements PCI-DSS requirement 10.2 automated audit trails for security events.
+  Monitors critical security-relevant events required by PCI-DSS.
+references:
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - pci-dss.10.2.1  # Access to cardholder data
+    - pci-dss.10.2.2  # Administrative actions
+    - pci-dss.10.2.4  # Invalid access attempts
+    - pci-dss.10.2.5  # Authentication mechanism use
+    - pci-dss.10.2.7  # System-level object creation/deletion
+logsource:
+    category: authentication  # Adjust based on specific requirement
+    product: windows
+detection:
+    selection_failed_logon:
+        EventID: 4625  # Failed logon (10.2.4)
+    selection_admin_logon:
+        EventID: 4624  # Successful logon
+        TargetUserName|contains:  # Administrative accounts (10.2.2)
+            - 'admin'
+            - 'Administrator'
+    selection_account_mgmt:
+        EventID:  # Account management (10.2.5, 10.2.7)
+            - 4720  # Account created
+            - 4722  # Account enabled
+            - 4724  # Password reset
+            - 4726  # Account deleted
+            - 4738  # Account changed
+    condition: selection_failed_logon or selection_admin_logon or selection_account_mgmt
+falsepositives:
+    - Legitimate administrative activity must be logged per PCI-DSS
+level: medium
+fields:
+    - ComputerName
+    - TargetUserName
+    - WorkstationName
+    - IpAddress
+    - Timestamp
+
+# PCI-DSS 10.2 Requirements:
+#
+# 10.2.1 - All individual user accesses to cardholder data
+# 10.2.2 - All actions taken by individuals with root or administrative privileges
+# 10.2.3 - Access to all audit trails
+# 10.2.4 - Invalid logical access attempts
+# 10.2.5 - Use of identification and authentication mechanisms
+# 10.2.6 - Initialization of audit logs
+# 10.2.7 - Creation and deletion of system-level objects
+#
+# Additional PCI-DSS Detection Rules:
+#
+# File Access to Cardholder Data (10.2.1):
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\cardholder-data\'
+#
+# Service Creation (10.2.7):
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         Image|endswith: '\sc.exe'
+#         CommandLine|contains: 'create'