Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/incident-response/detection-sigma/assets/compliance-rules/pci-dss-monitoring.yml
+++ b/skills/incident-response/detection-sigma/assets/compliance-rules/pci-dss-monitoring.yml
@@ -0,0 +1,72 @@
+title: PCI-DSS 10.2 - Audit Trail Monitoring
+id: GENERATE-NEW-UUID
+status: stable
+description: |
+  Implements PCI-DSS requirement 10.2 automated audit trails for security events.
+  Monitors critical security-relevant events required by PCI-DSS.
+references:
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+author: Your Name
+date: 2024/01/20
+modified: 2024/01/20
+tags:
+    - pci-dss.10.2.1  # Access to cardholder data
+    - pci-dss.10.2.2  # Administrative actions
+    - pci-dss.10.2.4  # Invalid access attempts
+    - pci-dss.10.2.5  # Authentication mechanism use
+    - pci-dss.10.2.7  # System-level object creation/deletion
+logsource:
+    category: authentication  # Adjust based on specific requirement
+    product: windows
+detection:
+    selection_failed_logon:
+        EventID: 4625  # Failed logon (10.2.4)
+    selection_admin_logon:
+        EventID: 4624  # Successful logon
+        TargetUserName|contains:  # Administrative accounts (10.2.2)
+            - 'admin'
+            - 'Administrator'
+    selection_account_mgmt:
+        EventID:  # Account management (10.2.5, 10.2.7)
+            - 4720  # Account created
+            - 4722  # Account enabled
+            - 4724  # Password reset
+            - 4726  # Account deleted
+            - 4738  # Account changed
+    condition: selection_failed_logon or selection_admin_logon or selection_account_mgmt
+falsepositives:
+    - Legitimate administrative activity must be logged per PCI-DSS
+level: medium
+fields:
+    - ComputerName
+    - TargetUserName
+    - WorkstationName
+    - IpAddress
+    - Timestamp
+
+# PCI-DSS 10.2 Requirements:
+#
+# 10.2.1 - All individual user accesses to cardholder data
+# 10.2.2 - All actions taken by individuals with root or administrative privileges
+# 10.2.3 - Access to all audit trails
+# 10.2.4 - Invalid logical access attempts
+# 10.2.5 - Use of identification and authentication mechanisms
+# 10.2.6 - Initialization of audit logs
+# 10.2.7 - Creation and deletion of system-level objects
+#
+# Additional PCI-DSS Detection Rules:
+#
+# File Access to Cardholder Data (10.2.1):
+# logsource:
+#     category: file_event
+# detection:
+#     selection:
+#         TargetFilename|contains: '\cardholder-data\'
+#
+# Service Creation (10.2.7):
+# logsource:
+#     category: process_creation
+# detection:
+#     selection:
+#         Image|endswith: '\sc.exe'
+#         CommandLine|contains: 'create'