sigma
Add iis configuration rules
Summary of the Pull Request
Add new rules with the Microsoft-IIS-Configuration/Operational channel
Tested with Aurora Lite
windows-iis-configuration:
  product: windows
  service: iis-configuration
  sources:
    - "WinEventLog:Microsoft-IIS-Configuration/Operational"
Changelog
- new: IIS Add Module
- new: IIS Disable HTTP Logging
- new: IIS Remove ETW Logging
- new: IIS Remove W3C HTTP Logging
Example Log Event
<EventData>
  <Data Name="PhysicalPath">\\?\C:\Windows\system32\inetsrv\config\applicationHost.config</Data>
  <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST</Data>
  <Data Name="EffectiveLocationPath" />
  <Data Name="Configuration">/system.applicationHost/sites/siteDefaults/logFile/@logFormat</Data>
  <Data Name="EditOperationType">3</Data>
  <Data Name="OldValue">W3C</Data>
  <Data Name="NewValue">IIS</Data>
</EventData>

<EventData>
  <Data Name="PhysicalPath">\\?\C:\Windows\system32\inetsrv\config\applicationHost.config</Data>
  <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST</Data>
  <Data Name="EffectiveLocationPath" />
  <Data Name="Configuration">/system.webServer/httpLogging/@dontLog</Data>
  <Data Name="EditOperationType">3</Data>
  <Data Name="OldValue">false</Data>
  <Data Name="NewValue">true</Data>
</EventData>

<EventData>
  <Data Name="PhysicalPath">\\?\C:\Windows\system32\inetsrv\config\applicationHost.config</Data>
  <Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST</Data>
  <Data Name="EffectiveLocationPath" />
  <Data Name="Configuration">/system.applicationHost/sites/siteDefaults/logFile/@logTargetW3C</Data>
  <Data Name="EditOperationType">3</Data>
  <Data Name="OldValue">File, ETW</Data>
  <Data Name="NewValue">File</Data>
</EventData>
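The three example events above each correspond to one of the new logging-related rules: a logFormat change away from W3C, dontLog flipped to true, and ETW dropped from logTargetW3C. As an added illustration (not the Sigma rules from this pull request, and not SigmaHQ code), the script below parses those EventData payloads and reports which rule each one would trigger. The rule names are taken from the changelog; the exact matching conditions are my assumption of what each rule checks, and "IIS Add Module" is left out because the page shows no sample event for it.

```python
# Added example, not code from the SigmaHQ pull request: a small detector that
# parses Microsoft-IIS-Configuration/Operational EventData payloads and flags the
# logging-related changes the new rules target. Rule names mirror the PR's
# changelog; the matching conditions are an assumption of what each rule checks.
import xml.etree.ElementTree as ET

# Constructed sample: the three EventData blocks from the PR, wrapped in a root
# element so they parse as one document.
SAMPLE_EVENTS = r"""<Events>
<EventData>
<Data Name="PhysicalPath">\\?\C:\Windows\system32\inetsrv\config\applicationHost.config</Data>
<Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST</Data>
<Data Name="EffectiveLocationPath" />
<Data Name="Configuration">/system.applicationHost/sites/siteDefaults/logFile/@logFormat</Data>
<Data Name="EditOperationType">3</Data>
<Data Name="OldValue">W3C</Data>
<Data Name="NewValue">IIS</Data>
</EventData>
<EventData>
<Data Name="PhysicalPath">\\?\C:\Windows\system32\inetsrv\config\applicationHost.config</Data>
<Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST</Data>
<Data Name="EffectiveLocationPath" />
<Data Name="Configuration">/system.webServer/httpLogging/@dontLog</Data>
<Data Name="EditOperationType">3</Data>
<Data Name="OldValue">false</Data>
<Data Name="NewValue">true</Data>
</EventData>
<EventData>
<Data Name="PhysicalPath">\\?\C:\Windows\system32\inetsrv\config\applicationHost.config</Data>
<Data Name="ConfigPath">MACHINE/WEBROOT/APPHOST</Data>
<Data Name="EffectiveLocationPath" />
<Data Name="Configuration">/system.applicationHost/sites/siteDefaults/logFile/@logTargetW3C</Data>
<Data Name="EditOperationType">3</Data>
<Data Name="OldValue">File, ETW</Data>
<Data Name="NewValue">File</Data>
</EventData>
</Events>
"""


def parse_event_data(xml_text):
    """Return one dict per <EventData>, keyed by each <Data Name=...> attribute."""
    root = ET.fromstring(xml_text)
    return [
        {d.get("Name"): (d.text or "").strip() for d in ev.findall("Data")}
        for ev in root.findall("EventData")
    ]


def _targets(value):
    """Split a logTargetW3C value such as "File, ETW" into a set of targets."""
    return {t.strip() for t in value.split(",") if t.strip()}


def classify(fields):
    """Map one event's fields to the name of the rule it would trigger, or None."""
    cfg = fields.get("Configuration", "")
    old = fields.get("OldValue", "")
    new = fields.get("NewValue", "")
    # httpLogging/@dontLog flipped to true: HTTP logging is switched off entirely.
    if cfg.endswith("/httpLogging/@dontLog") and new.lower() == "true":
        return "IIS Disable HTTP Logging"
    # logFile/@logFormat moved away from W3C: W3C-format HTTP logs stop being written.
    if cfg.endswith("/logFile/@logFormat") and old == "W3C" and new != "W3C":
        return "IIS Remove W3C HTTP Logging"
    # logFile/@logTargetW3C lost the ETW target: the real-time ETW log stream stops.
    if (cfg.endswith("/logFile/@logTargetW3C")
            and "ETW" in _targets(old) and "ETW" not in _targets(new)):
        return "IIS Remove ETW Logging"
    return None


def detect(xml_text):
    """Return (rule_name, configuration_path, old_value, new_value) per matching event."""
    hits = []
    for fields in parse_event_data(xml_text):
        rule = classify(fields)
        if rule:
            hits.append((rule, fields["Configuration"], fields["OldValue"], fields["NewValue"]))
    return hits


if __name__ == "__main__":
    for rule, cfg, old, new in detect(SAMPLE_EVENTS):
        print(f"{rule}: {cfg} {old!r} -> {new!r}")
```

The old/new comparison matters: an event that re-enables logging (dontLog back to false, or ETW added to logTargetW3C) carries the same Configuration path but should not alert, so matching only on the path would produce noise on every legitimate change.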
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions