add wse to security_event

Detections/SecurityEvent/ADFSKeyExportSysmon.yaml

@@ -10,6 +10,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 7d
 triggerOperator: gt

Detections/SecurityEvent/ExcessiveLogonFailures.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 8d
 triggerOperator: gt

Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml

@@ -9,6 +9,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvents
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt

Detections/SecurityEvent/GainCodeExecutionADFSViaSMB.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 7d
 triggerOperator: gt

Detections/SecurityEvent/GroupCreatedAddedToPrivlegeGroup_1h.yaml

@@ -9,6 +9,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt

Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 14d
 triggerOperator: gt

Detections/SecurityEvent/MultipleFailedFollowedBySuccess.yaml

@@ -11,6 +11,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 6h
 queryPeriod: 6h
 triggerOperator: gt

Detections/SecurityEvent/NOBELIUM_SuspiciousRundll32Exec.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/NOBELIUM_SuspiciousScriptRegistryWrite.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/PotentialBuildProcessCompromise.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/PotentialKerberoast.yaml

@@ -12,6 +12,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1h
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml

@@ -9,6 +9,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 8d
 triggerOperator: gt

Detections/SecurityEvent/RDP_Nesting.yaml

@@ -9,6 +9,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 8d
 triggerOperator: gt

Detections/SecurityEvent/RDP_RareConnection.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 14d
 triggerOperator: gt

Detections/SecurityEvent/SecurityEventLogCleared.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/StartStopHealthService.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/TimeSeriesAnomaly-ProcessExecutions.yaml

@@ -10,6 +10,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1h
 queryPeriod: 14d
 triggerOperator: gt

Detections/SecurityEvent/UserAccountAdd-Removed.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 2d
 triggerOperator: gt

Detections/SecurityEvent/UserAccountEnabledDisabled_10m.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 2d
 triggerOperator: gt

Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
      - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/base64_encoded_pefile.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/execute_base64_decodedpayload.yaml

@@ -10,6 +10,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/gte_6_FailedLogons_10m.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 10m
 queryPeriod: 10m
 triggerOperator: gt

Detections/SecurityEvent/malware_in_recyclebin.yaml

@@ -8,6 +8,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/password_never_expires.yaml

@@ -9,6 +9,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt

Detections/SecurityEvent/password_not_set.yaml

@@ -11,6 +11,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 3d
 triggerOperator: gt

Detections/SecurityEvent/powershell_empire.yaml

@@ -7,6 +7,9 @@ requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
+  - connectorId: WindowsSecurityEvents
+    dataTypes:
+      - SecurityEvent
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt