zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-agentsecops-secopsagentkit/skills/incident-response/detection-sigma/assets/compliance-rules/iso27001-logging.yml
Zhongwei Li ff1f4bd119 Initial commit
2025-11-29 17:51:02 +08:00

111 lines
3.1 KiB
YAML
Raw Permalink Blame History

title: ISO 27001 A.12.4 - Event Logging and Monitoring
id: GENERATE-NEW-UUID
status: stable
description: |
Implements ISO/IEC 27001:2013 Annex A.12.4 event logging requirements.
Monitors user activities, exceptions, faults, and security events as
required by A.12.4.1 (Event logging).
references:
- https://www.iso.org/standard/54534.html
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
- iso27001.a.12.4.1 # Event logging
- iso27001.a.12.4.3 # Administrator and operator logs
- iso27001.a.9.2.1 # User registration and de-registration
logsource:
category: authentication
product: windows
detection:
selection_user_activity:
EventID:
- 4624 # User logons
- 4625 # Failed logons
- 4634 # Logoffs
selection_admin_activity:
EventID:
- 4624 # Successful logon
TargetUserName|contains:
- 'admin'
- 'Administrator'
- 'root'
selection_account_mgmt:
EventID:
- 4720 # User account created
- 4726 # User account deleted
- 4738 # User account changed
condition: selection_user_activity or selection_admin_activity or selection_account_mgmt
falsepositives:
- None - required logging per ISO 27001
level: informational
fields:
- UserID
- DateTime
- EventType
- SystemActivity
- DeviceIdentity
- Location
- Outcome
# ISO 27001:2013 Annex A.12.4 - Logging and Monitoring
#
# A.12.4.1 Event logging
# Event logs shall record:
# - User IDs
# - System activities
# - Dates, times and details of key events (e.g. log-on, log-off)
# - Device identity or location if possible
# - Records of successful and rejected system access attempts
# - Records of successful and rejected data and other resource access attempts
# - Changes to system configuration
# - Use of privileges
# - Use of system utilities and applications
# - Files accessed and the kind of access
# - Network addresses and protocols
# - Alarms raised by the access control system
# - Activation and de-activation of protection systems
#
# A.12.4.2 Protection of log information
# Detection for unauthorized log access/modification:
# logsource:
# category: file_event
# detection:
# selection:
# TargetFilename|contains: '\Logs\'
# EventType: 'Delete'
# tags:
# - iso27001.a.12.4.2
#
# A.12.4.3 Administrator and operator logs
# System administrator and operator activities shall be logged:
# logsource:
# category: process_creation
# detection:
# selection:
# User|contains:
# - 'admin'
# - 'root'
# tags:
# - iso27001.a.12.4.3
#
# A.9.2.1 User registration and de-registration
# logsource:
# category: authentication
# detection:
# selection:
# EventID:
# - 4720 # Account created
# - 4726 # Account deleted
# tags:
# - iso27001.a.9.2.1
#
# A.9.4.1 Information access restriction
# logsource:
# category: file_event
# detection:
# selection:
# TargetFilename|contains: '\Confidential\'
# tags:
# - iso27001.a.9.4.1
Reference in New Issue View Git Blame Copy Permalink