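---
title: NIST 800-53 AU-2/AU-12 - Audit Event Generation
# Placeholder: generate a fresh UUIDv4 and replace this before the rule is deployed
# (Sigma tooling keys rules by id; a non-UUID id fails validation and collides with
# any other copy of this template).
id: GENERATE-NEW-UUID
# NOTE(review): 'stable' is hard to justify while id and author are still template
# placeholders; 'experimental' until validated against live logs would be the usual choice.
status: stable
description: |
  Implements NIST SP 800-53 Rev. 5 audit event generation requirements.
  Monitors security-relevant events as defined in AU-2 (Audit Events) and
  AU-12 (Audit Generation) controls.
references:
  - https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
  - nist-800-53.au-2  # Audit Events
  - nist-800-53.au-3  # Content of Audit Records
  - nist-800-53.au-12  # Audit Generation
  - nist-800-53.ac-2  # Account Management
  - nist-800-53.ia-2  # Identification and Authentication
logsource:
  product: windows
  # Every EventID selected below is written to the Windows Security event log, which
  # the Sigma taxonomy addresses as service: security. 'category: authentication' is
  # not a taxonomy category and would not resolve to any log source in the backends,
  # and the account-management / privilege-use selections are not authentication
  # events in any case.
  service: security
detection:
  # Logon, logoff and explicit-credential use (AU-2 "account logon events", IA-2).
  selection_authentication:
    EventID:
      - 4624  # Successful logon
      - 4625  # Failed logon
      - 4634  # Logoff
      - 4648  # Logon using explicit credentials
  # Account lifecycle changes (AU-2 "account management events", AC-2).
  selection_account_mgmt:
    EventID:
      - 4720  # Account created
      - 4722  # Account enabled
      - 4723  # Password change attempted
      - 4724  # Password reset
      - 4725  # Account disabled
      - 4726  # Account deleted
      - 4738  # Account modified
  # Privileged operations (AU-2 "privilege functions").
  selection_privilege_use:
    EventID:
      - 4672  # Special privileges assigned
      - 4673  # Sensitive privilege use
      - 4674  # Privileged operation
  condition: selection_authentication or selection_account_mgmt or selection_privilege_use
falsepositives:
  - None - these are required audit events per NIST 800-53
# This is a coverage/collection rule, not a threat detection: it matches every logon,
# logoff and special-privilege assignment on every host. Route its matches to retention
# or compliance reporting rather than an analyst alert queue, otherwise it will drown
# the real detections that share this log source.
level: low  # Informational logging
# These are the AU-3 record-content concepts, not native Security-log field names.
# When the rule is converted for a backend, map them to the concrete event fields
# (e.g. SubjectUserName / TargetUserName / IpAddress for 4624) so the selected
# columns actually exist in the output.
fields:
  - EventTime
  - EventType
  - Outcome
  - SubjectIdentity
  - ObjectIdentity
  - SourceAddress

# NIST 800-53 Rev. 5 Audit Requirements:
#
# AU-2: Audit Events
# - Successful and unsuccessful account logon events
# - Account management events
# - Object access
# - Policy change
# - Privilege functions
# - Process tracking
# - System events
#
# Coverage note: the three selections above address account logon, account management
# and privilege functions only. Object access, policy change, process tracking and
# system events are not matched by this rule and need separate rules (or audit policy
# subcategories) to satisfy the full AU-2 list.
#
# AU-3: Content of Audit Records
# Required fields in each audit record:
# - Date and time of the event
# - Component where event occurred
# - Type of event
# - User/subject identity
# - Outcome (success/failure)
#
# AU-12: Audit Generation
# - Provide audit record generation for defined events
# - Allow authorized users to select events to be audited
# - Generate audit records for events with required content
#
# Additional NIST 800-53 Detection Rules:
#
# SI-4: System Monitoring
# logsource:
#   category: process_creation
# detection:
#   selection:
#     CommandLine|contains:
#       - 'mimikatz'
#       - 'credential dump'
# tags:
#   - nist-800-53.si-4
#
# AC-6: Least Privilege
# detection:
#   selection:
#     EventID: 4672  # Special privileges assigned
#     PrivilegeList|contains: 'SeDebugPrivilege'
# tags:
#   - nist-800-53.ac-6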