adding DataTypes

osmontero · osmontero · commit 5a1a26b863eb · 2023-11-06T09:36:38.000+02:00
diff --git a/windows/user_account_disabled.yml b/windows/user_account_disabled.yml
@@ -12,6 +12,7 @@
       or account-related policies."
   category: "Persistence"
   tactic: "Account Manipulation"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0003/"
     - "https://attack.mitre.org/techniques/T1098/"
diff --git a/windows/user_account_enabled_or_created.yml b/windows/user_account_enabled_or_created.yml
@@ -12,6 +12,7 @@
       or account-related policies."
   category: "Persistence"
   tactic: "Account Manipulation"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0003/"
     - "https://attack.mitre.org/techniques/T1098/"
diff --git a/windows/user_account_locked.yml b/windows/user_account_locked.yml
@@ -7,6 +7,7 @@
             Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services."
   category: "Potentially Malicious Activity"
   tactic: "Brute Force"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/techniques/T1110/"
   frequency: 60
diff --git a/windows/volume_shadow_copy_deletion_or_resized_via_vssadmin.yml b/windows/volume_shadow_copy_deletion_or_resized_via_vssadmin.yml
@@ -20,6 +20,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Impact"
   tactic: "Inhibit System Recovery"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1490/"
diff --git a/windows/volume_shadow_copy_deletion_via_powershell.yml b/windows/volume_shadow_copy_deletion_via_powershell.yml
@@ -20,6 +20,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Impact"
   tactic: "Inhibit System Recovery"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1490/"
diff --git a/windows/volume_shadow_copy_deletion_via_wmic.yml b/windows/volume_shadow_copy_deletion_via_wmic.yml
@@ -20,6 +20,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Impact"
   tactic: "Inhibit System Recovery"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0040/"
     - "https://attack.mitre.org/techniques/T1490/"
diff --git a/windows/volume_shadow_copy_service.yml b/windows/volume_shadow_copy_service.yml
@@ -10,6 +10,7 @@
       Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations."
   category: "Potentially Malicious Activity"
   tactic: "Create or Modify System Process: Windows Service"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/techniques/T1543/003/"
   frequency: 60
diff --git a/windows/webshell_detection.yml b/windows/webshell_detection.yml
@@ -15,6 +15,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Persistence"
   tactic: "Web Shell"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0003/"
     - "https://attack.mitre.org/techniques/T1505/003/"
diff --git a/windows/whoami_command_activity..yml b/windows/whoami_command_activity..yml
@@ -11,6 +11,7 @@
       Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector."
   category: "Discovery"
   tactic: "System Owner/User Discovery"
+  dataTypes: ["wineventlog"]
   reference:
     - "https://attack.mitre.org/tactics/TA0007/"
     - "https://attack.mitre.org/techniques/T1033/"
diff --git a/windows/windows_defender_code_async_call_pending.yml b/windows/windows_defender_code_async_call_pending.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_actions_failed.yml b/windows/windows_defender_error_actions_failed.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_active_threats.yml b/windows/windows_defender_error_active_threats.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_action.yml b/windows/windows_defender_error_bad_action.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_configuration.yml b/windows/windows_defender_error_bad_configuration.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_database.yml b/windows/windows_defender_error_bad_database.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_db_content.yml b/windows/windows_defender_error_bad_db_content.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_db_header.yml b/windows/windows_defender_error_bad_db_header.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_db_not_signed.yml b/windows/windows_defender_error_bad_db_not_signed.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_db_old_engine.yml b/windows/windows_defender_error_bad_db_old_engine.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_db_open.yml b/windows/windows_defender_error_bad_db_open.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_ehandle.yml b/windows/windows_defender_error_bad_ehandle.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_global_storage.yml b/windows/windows_defender_error_bad_global_storage.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_init_modules.yml b/windows/windows_defender_error_bad_init_modules.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_input_data.yml b/windows/windows_defender_error_bad_input_data.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_scan_id.yml b/windows/windows_defender_error_bad_scan_id.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_ufs.yml b/windows/windows_defender_error_bad_ufs.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_bad_user_db_version.yml b/windows/windows_defender_error_bad_user_db_version.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_callisto_required.yml b/windows/windows_defender_error_callisto_required.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_code_already_shutdown.yml b/windows/windows_defender_error_code_already_shutdown.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_code_bad_regexp.yml b/windows/windows_defender_error_code_bad_regexp.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_code_cancelled.yml b/windows/windows_defender_error_code_cancelled.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_code_o_targetos.yml b/windows/windows_defender_error_code_o_targetos.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_duplicate_scan_id.yml b/windows/windows_defender_error_duplicate_scan_id.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_full_scan_required.yml b/windows/windows_defender_error_full_scan_required.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_lua_cancellation.yml b/windows/windows_defender_error_lua_cancellation.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_manual_steps_required.yml b/windows/windows_defender_error_manual_steps_required.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_no_engine.yml b/windows/windows_defender_error_no_engine.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_no_internet_connection.yml b/windows/windows_defender_error_no_internet_connection.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_no_memory.yml b/windows/windows_defender_error_no_memory.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_no_more_items.yml b/windows/windows_defender_error_no_more_items.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_not_found.yml b/windows/windows_defender_error_not_found.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_not_supported.yml b/windows/windows_defender_error_not_supported.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_obsolete.yml b/windows/windows_defender_error_obsolete.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_platform_outdated.yml b/windows/windows_defender_error_platform_outdated.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_quarantine_failed.yml b/windows/windows_defender_error_quarantine_failed.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_reboot_required.yml b/windows/windows_defender_error_reboot_required.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_relo_kernel_noit_loaded.yml b/windows/windows_defender_error_relo_kernel_noit_loaded.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_remove_failed.yml b/windows/windows_defender_error_remove_failed.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_remove_low_medium_disabled.yml b/windows/windows_defender_error_remove_low_medium_disabled.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_remove_not_supported.yml b/windows/windows_defender_error_remove_not_supported.yml
@@ -4,6 +4,7 @@
   severity: "High"
   category: "Potentially Compromised System"
   frequency: 60
+  dataTypes: ["wineventlog"]
   cache:
     - allOf:
         - field: "logx.wineventlog.log_name"
diff --git a/windows/windows_defender_error_rescan_required.yml b/windows/windows_defender_error_rescan_required.yml
diff --git a/windows/windows_defender_error_restore_failed.yml b/windows/windows_defender_error_restore_failed.yml
diff --git a/windows/windows_defender_error_scan_aborted.yml b/windows/windows_defender_error_scan_aborted.yml
diff --git a/windows/windows_defender_error_sig_backup_disabled.yml b/windows/windows_defender_error_sig_backup_disabled.yml
diff --git a/windows/windows_defender_error_test_induces_error.yml b/windows/windows_defender_error_test_induces_error.yml
diff --git a/windows/windows_defender_error_threat_not_found.yml b/windows/windows_defender_error_threat_not_found.yml
diff --git a/windows/windows_defender_error_ui_consolidation_base.yml b/windows/windows_defender_error_ui_consolidation_base.yml
diff --git a/windows/windows_file_system_full.yml b/windows/windows_file_system_full.yml
diff --git a/windows/windows_firewall_rule_has_been_added_modified_or_deleted_to_the_windows_defender_firewall_exception_list.yml b/windows/windows_firewall_rule_has_been_added_modified_or_deleted_to_the_windows_defender_firewall_exception_list.yml
diff --git a/windows/windows_service_via_unusual_client.yml b/windows/windows_service_via_unusual_client.yml
diff --git a/windows/windows_system_critical_event.yml b/windows/windows_system_critical_event.yml
diff --git a/windows/wireless_creds_dumping.yml b/windows/wireless_creds_dumping.yml
diff --git a/windows/workfolders_control_execution.yml b/windows/workfolders_control_execution.yml
