
Default Correlation Rules Explained


This article explains the default correlation rules included in SGBox.

Package Windows Audit

10079 – Win Audit – A disabled user was enabled and fails to logon
[SGA][4722] Account Enabled > [SGA][4625] Logon Failed = TargetUserName (300sec)

10080 – Win Audit – A disabled user was enabled and logged on successfully
[SGA][4722] Account Enabled > [SGA][4624] Logon OK = TargetUserName (300sec)

10081 – Win Audit – Account created and deleted in a short time
[SGA][4720] Account Created > [SGA][4726] Account Deleted = TargetUserName (300sec)

10082 – Win Audit – Account Locked Out
[SGA][4740] Account Locked Out (2sec)

10083 – Win Audit – Account logged on to a protected network
[SGA][4624] Logon OK $IpAddress (2sec)

10084 – Win Audit – Administrative Account Locked Out
[SGA][4624] Logon OK $TargetUserName (2sec)

10085 – Win Audit – Administrative account login to multiple systems in a short time
[SGA][4624] Logon OK $TargetUserName > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress (180sec)

10086 – Win Audit – Administrative Interactive Logon out of hours
T:NotWorkingHours [SGA][4624] Logon OK $TargetUserName LogonType = 2,3,7,10,11 (2sec)

10087 – Win Audit – Administrative User Password Change
[SGA][4723] Password Changed $TargetUserName (2sec)

10088 – Win Audit – Administrative User Password Change non Working hours
T:NotWorkingHours [SGA][4723] Password Changed $TargetUserName (2sec)

10089 – Win Audit – Administrative User Password Reset
[SGA][4724] Password Reset $TargetUserName (2sec)

10090 – Win Audit – Administrative User Password Reset non Working hours
T:NotWorkingHours [SGA][4724] Password Reset $TargetUserName (2sec)

10091 – Win Audit – Administrator access from an Unauthorised workstation
[SGA][4624] Logon OK $TargetUserName,IpAddress (2sec)

10092 – Win Audit – Administrator access from an Unauthorised workstation (out of hours)
T:NotWorkingHours [SGA][4624] Logon OK $TargetUserName,IpAddress (2sec) (300sec)

10093 – Win Audit – Event Log Backup
[SGA][1105] Event Log Backup (2sec)

10094 – Win Audit – Event Log Service Error
[SGA][1108] Event Log Service Error (2sec)

10095 – Win Audit – Event Logging Service Shutdown
[SGA][1100] Event Logging Service Shutdown (1sec)

10096 – Win Audit – Failed logon to a disabled account
[SGA][4625] Logon Failed SubStatus = 0xC0000072 (1sec)

10097 – Win Audit – Failed logon to an expired account
[SGA][4625] Logon Failed SubStatus = 0xC0000193 (1sec)

10098 – Win Audit – Multiple failed logon for the same user
[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName > [SGA][4625] Logon Failed = TargetUserName (10sec)

10099 – Win Audit – Multiple failed logon from the same IP
[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = IpAddress > [SGA][4625] Logon Failed = IpAddress (10sec)

101100 – Win Audit – Multiple failed logon on the same host
[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = LogonType,PreviousHost > [SGA][4625] Logon Failed = LogonType,PreviousHost (5sec)

101101 – Win Audit – Multiple logon failed followed by a successful one (same User, same SourceIP, same Host)
[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = PreviousHost,TargetUserName,IpAddress > [SGA][4625] Logon Failed = PreviousHost,TargetUserName,IpAddress > [SGA][4624] Logon OK = PreviousHost,TargetUserName,IpAddress (15sec)

101102 – Win Audit – Multiple logon failed followed by a successful one (same User, same SourceIP)
[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4624] Logon OK = TargetUserName,IpAddress (15sec)

101103 – Win Audit – Multiple logon failed followed by a successful one (same User)
[SGA][4625] Logon Failed = TargetUserName > [SGA][4625] Logon Failed = TargetUserName > [SGA][4624] Logon OK = TargetUserName (15sec)

101104 – Win Audit – Multiple logon for the same account in short time
[SGA][4624] Logon OK > [SGA][4624] Logon OK = TargetUserName > [SGA][4624] Logon OK = TargetUserName > [SGA][4624] Logon OK = TargetUserName (30sec)

101105 – Win Audit – Multiple logon from the same IP Address in short time
[SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress (30sec)

101106 – Win Audit – Multiple logon with different accounts from the same IP address
[SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName (30sec)

101107 – Win Audit – Possible Password Spray Attack
[SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4625] Logon Failed = TargetUserName,IpAddress (5sec)

101108 – Win Audit – Probable Kerberoasting Attack (RC4 Ticket Encryption)
[SGA][4769] A Kerberos service ticket was requested TicketOption = 0x40810000 TicketEncryptionType = 0x17 (2sec)

101109 – Win Audit – Probable Pass-the-Hash Attack
[SGA][4624] Logon OK LogonType = 9 LogonProcessName ~ seclogo AuthenticationPackageName ~ Negotiate (2sec)

101110 – Win Audit – Security Log Cleared
[SGA][1102] Audit Log Cleared (1sec)

101111 – Win Audit – Security Log Full
[SGA][1104] Security Log Full (1sec)

101112 – Win Audit – System Audit policy change
[SGA][4719] Audit policy changed (1sec)

101113 – Win Audit – Unauthorised account logged on out of hours
T:NotWorkingHours [SGA][4624] Logon OK $TargetUserName (300sec)

101114 – Win Audit – Unauthorised Account logged on to a protected network
[SGA][4624] Logon OK $TargetUserName $IpAddress (2sec)

101162 – Win Audit – User added to a Global Group and removed in a short time
[SGA][4728] Member Added to Global Group > [SGA][4729] Member Removed from Global Group (60sec)

101163 – Win Audit – User added to a Local Group and removed in a short time
[SGA][4732] Member Added to Local Group > [SGA][4733] Member Removed from Local Group (60sec)

101164 – Win Audit – User added to a Universal Group and removed in a short time
[SGA][4756] Member Added to Universal Group > [SGA][4757] Member Removed from Universal Group (60sec)

101115 – Win Audit – User added to Domain Admins Group
[SGA][4728] Member Added to Global Group $TargetUserName

101116 – Win Audit – User added to Enterprise Admins Group
[SGA][4756] Member Added to Universal Group $TargetUserName

101117 – Win Audit – User added to Global Group
[SGA][4728] Member Added to Global Group $TargetUserName (1sec)

101118 – Win Audit – User added to Local Group
[SGA][4732] Member Added to Local Group $TargetUserName (1sec)

101119 – Win Audit – User added to Universal Group
[SGA][4756] Member Added to Universal Group (1sec)

101120 – Win Audit – User Interactive Logon out of hours
T:NotWorkingHours [SGA][4624] Logon OK LogonType = 2,3,7,10,11 (2sec)

101121 – Win Audit – User Removed from Global Group
[SGA][4729] Member Removed from Global Group (1sec)

101122 – Win Audit – User removed from Local Group
[SGA][4733] Member Removed from Local Group (1sec)

101123 – Win Audit – User removed from Universal Group
[SGA][4757] Member Removed from Universal Group (1sec)
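The rule notation above is compact, so here is an added example (written for this page; it is not SGBox code and does not use SGBox's engine) that evaluates three of the listed multi-event rules over a handful of constructed Windows Security events: 101103 (failed logons followed by a success for the same user within 15sec), 10081 (account created and deleted within 300sec) and 101106 (logons with different accounts from the same IP within 30sec). It assumes one reading of the notation: the `>`-separated steps must occur in time order inside the window that starts at the first matched event, `= Field` means the field must equal the first event's value, and `!= Field` means it must differ from it. Single-event rules with `$` lists, `T:NotWorkingHours`, `~` and `SubStatus` filters are not modelled. That reading, the `Event`/`Step`/`Rule` types and every event record are assumptions, not taken from SGBox documentation.

```python
# Added illustration of sequence correlation over Windows Security events.
# Not SGBox code: the rule semantics below are an assumed reading of the
# notation in this article, and all events are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    event_id: int           # Windows Security event ID (4624, 4625, 4720, ...)
    fields: Dict[str, str]  # parsed fields such as TargetUserName, IpAddress


@dataclass
class Step:
    event_id: int
    same: Tuple[str, ...] = ()    # "= Field": must equal the first matched event's value
    differ: Tuple[str, ...] = ()  # "!= Field": must differ from the first matched event's value


@dataclass
class Rule:
    rule_id: str
    name: str
    steps: List[Step]   # constraints on steps[0] are ignored: it only anchors the chain
    window: timedelta   # the "(Nsec)" suffix, measured from the anchoring event


def _step_matches(step: Step, ev: Event, anchor: Event) -> bool:
    if ev.event_id != step.event_id:
        return False
    if any(ev.fields.get(f) != anchor.fields.get(f) for f in step.same):
        return False
    return not any(ev.fields.get(f) == anchor.fields.get(f) for f in step.differ)


def correlate(rule: Rule, events: List[Event]) -> List[List[Event]]:
    """Return every completed chain: steps matched in order, all within
    rule.window of the anchoring event. Events consumed by a completed chain
    are not reused, so one burst produces one alert rather than several."""
    events = sorted(events, key=lambda e: e.ts)
    used: set = set()
    chains = []
    for i, anchor in enumerate(events):
        if i in used or anchor.event_id != rule.steps[0].event_id:
            continue
        chain = [i]
        deadline = anchor.ts + rule.window
        for j in range(i + 1, len(events)):
            if len(chain) == len(rule.steps) or events[j].ts > deadline:
                break
            if j not in used and _step_matches(rule.steps[len(chain)], events[j], anchor):
                chain.append(j)
        if len(chain) == len(rule.steps):
            used.update(chain)
            chains.append([events[k] for k in chain])
    return chains


# Three of the article's rules, transcribed into Step/Rule form.
RULE_101103 = Rule("101103", "Multiple logon failed followed by a successful one (same User)",
                   [Step(4625), Step(4625, same=("TargetUserName",)),
                    Step(4624, same=("TargetUserName",))], timedelta(seconds=15))
RULE_10081 = Rule("10081", "Account created and deleted in a short time",
                  [Step(4720), Step(4726, same=("TargetUserName",))], timedelta(seconds=300))
RULE_101106 = Rule("101106", "Multiple logon with different accounts from the same IP address",
                   [Step(4624)] + [Step(4624, same=("IpAddress",), differ=("TargetUserName",))] * 3,
                   timedelta(seconds=30))

T0 = datetime(2024, 1, 15, 3, 12, 0)  # constructed base timestamp


def _ev(offset_s: int, event_id: int, **fields: str) -> Event:
    return Event(T0 + timedelta(seconds=offset_s), event_id, fields)


SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev(0, 4625, TargetUserName="j.rossi", IpAddress="10.0.0.5"),
    _ev(3, 4625, TargetUserName="j.rossi", IpAddress="10.0.0.5"),
    _ev(5, 4625, TargetUserName="m.bianchi", IpAddress="10.0.0.9"),  # other user: must not join the chain
    _ev(9, 4624, TargetUserName="j.rossi", IpAddress="10.0.0.5"),    # success within 15s -> 101103 fires
    _ev(100, 4720, TargetUserName="tmpadmin"),
    _ev(140, 4726, TargetUserName="tmpadmin"),                        # deleted 40s later -> 10081 fires
    _ev(200, 4624, TargetUserName="a.verdi", IpAddress="10.0.0.77"),
    _ev(205, 4624, TargetUserName="l.neri", IpAddress="10.0.0.77"),
    _ev(210, 4624, TargetUserName="a.verdi", IpAddress="10.0.0.77"),  # same user as anchor: skipped
    _ev(215, 4624, TargetUserName="p.gallo", IpAddress="10.0.0.77"),
    _ev(220, 4624, TargetUserName="s.ricci", IpAddress="10.0.0.77"),  # third distinct other user -> 101106 fires
    _ev(500, 4720, TargetUserName="svc-backup"),
    _ev(900, 4726, TargetUserName="svc-backup"),                      # 400s later: outside 300s, no alert
]


def run_rules(rules: List[Rule], events: List[Event]) -> Dict[str, List[str]]:
    """Map each rule id to the TargetUserName of the anchoring event of every alert."""
    return {r.rule_id: [c[0].fields["TargetUserName"] for c in correlate(r, events)] for r in rules}


if __name__ == "__main__":
    for rid, hits in run_rules([RULE_101103, RULE_10081, RULE_101106], SAMPLE_EVENTS).items():
        print(rid, hits)
```

The svc-backup pair shows the window boundary: the deletion arrives 400 seconds after creation, so rule 10081 stays silent, which is also why tuning the `(Nsec)` value matters more than the event IDs when adapting these rules to an environment.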