Create 91570-win_logonsessions_rules.xml

2025-11-01 12:23:32 +00:00 · 2022-08-08 21:59:29 -05:00
parent 09221fd8c2
commit d2560cb4a1
1 changed files with 13 additions and 0 deletions
--- a/Sessions/91570-win_logonsessions_rules.xml
+++ b/Sessions/91570-win_logonsessions_rules.xml
@@ -0,0 +1,13 @@
+<group name="windows,">
+<rule id="91570" level="3">
+  <decoded_as>json</decoded_as>
+  <field name="LogonSession">\.+</field>
+  <field name="UserName">\.+</field>
+  <description>Windows Logon Sessions - Snapshot</description>
+  <mitre>
+   <id>T1078</id>
+  </mitre>
+  <options>no_full_log</options>
+  <group>windows_logonsessions,</group>
+</rule>
+</group>