User Logoff Event

Detects a user log-off activity. Could be used for example to correlate information during forensic investigations

Sigma rule (View on GitHub)

 1title: User Logoff Event
 2id: 0badd08f-c6a3-4630-90d3-6875cca440be
 3status: test
 4description: Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
 5references:
 6    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
 7    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
 9author: frack113
10date: 2022-10-14
11tags:
12    - attack.impact
13    - attack.t1531
14logsource:
15    service: security
16    product: windows
17detection:
18    selection:
19        EventID:
20            - 4634
21            - 4647
22    condition: selection
23falsepositives:
24    - Unknown
25level: informational

References

Related rules

to-top