From d2560cb4a1e11175c06a06e6e4cea3b8c20d2784 Mon Sep 17 00:00:00 2001
From: SOCFortress <95670863+socfortress@users.noreply.github.com>
Date: Mon, 8 Aug 2022 21:59:29 -0500
Subject: [PATCH] Create 91570-win_logonsessions_rules.xml

---
 .../91570-win_logonsessions_rules.xml               | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 Windows Logon Sessions/91570-win_logonsessions_rules.xml

diff --git a/Windows Logon Sessions/91570-win_logonsessions_rules.xml b/Windows Logon Sessions/91570-win_logonsessions_rules.xml
new file mode 100644
index 0000000..f73733e
--- /dev/null
+++ b/Windows Logon Sessions/91570-win_logonsessions_rules.xml	
@@ -0,0 +1,13 @@
+<group name="windows,">
+<rule id="91570" level="3">
+  <decoded_as>json</decoded_as>
+  <field name="LogonSession">\.+</field>
+  <field name="UserName">\.+</field>
+  <description>Windows Logon Sessions - Snapshot</description>
+  <mitre>
+   <id>T1078</id>
+  </mitre>
+  <options>no_full_log</options>
+  <group>windows_logonsessions,</group>
+</rule>
+</group>