Initial commit

skills/incident-response/detection-sigma/assets/compliance-rules/iso27001-logging.yml

@@ -0,0 +1,110 @@
+title: ISO 27001 A.12.4 - Event Logging and Monitoring
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements ISO/IEC 27001:2013 Annex A.12.4 event logging requirements.
+  Monitors user activities, exceptions, faults, and security events as
+  required by A.12.4.1 (Event logging).
+references:
+    - https://www.iso.org/standard/54534.html
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - iso27001.a.12.4.1  # Event logging
+    - iso27001.a.12.4.3  # Administrator and operator logs
+    - iso27001.a.9.2.1   # User registration and de-registration
+logsource:
+    category: authentication
+    product: windows
+detection:
+    selection_user_activity:
+        EventID:
+            - 4624  # User logons
+            - 4625  # Failed logons
+            - 4634  # Logoffs
+    selection_admin_activity:
+        EventID:
+            - 4624  # Successful logon
+        TargetUserName|contains:
+            - 'admin'
+            - 'Administrator'
+            - 'root'
+    selection_account_mgmt:
+        EventID:
+            - 4720  # User account created
+            - 4726  # User account deleted
+            - 4738  # User account changed
+    condition: selection_user_activity or selection_admin_activity or selection_account_mgmt
+falsepositives:
+    - None - required logging per ISO 27001
+level: informational
+fields:
+    - UserID
+    - DateTime
+    - EventType
+    - SystemActivity
+    - DeviceIdentity
+    - Location
+    - Outcome
+
+# ISO 27001:2013 Annex A.12.4 - Logging and Monitoring
+#
+# A.12.4.1 Event logging
+# Event logs shall record:
+# - User IDs
+# - System activities
+# - Dates, times and details of key events (e.g. log-on, log-off)
+# - Device identity or location if possible
+# - Records of successful and rejected system access attempts
+# - Records of successful and rejected data and other resource access attempts
+# - Changes to system configuration
+# - Use of privileges
+# - Use of system utilities and applications
+# - Files accessed and the kind of access
+# - Network addresses and protocols
+# - Alarms raised by the access control system
+# - Activation and de-activation of protection systems
+#
+# A.12.4.2 Protection of log information
+# Detection for unauthorized log access/modification:
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\Logs\'
+#         EventType: 'Delete'
+# tags:
+#     - iso27001.a.12.4.2
+#
+# A.12.4.3 Administrator and operator logs
+# System administrator and operator activities shall be logged:
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         User|contains:
+#             - 'admin'
+#             - 'root'
+# tags:
+#     - iso27001.a.12.4.3
+#
+# A.9.2.1 User registration and de-registration
+# logsource:
+#     category: authentication
+# detection:
+#     selection:
+#         EventID:
+#             - 4720  # Account created
+#             - 4726  # Account deleted
+# tags:
+#     - iso27001.a.9.2.1
+#
+# A.9.4.1 Information access restriction
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\Confidential\'
+# tags:
+#     - iso27001.a.9.4.1