Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Important Windows Event Auditing Disabled
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Important Windows Event Auditing Disabled
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Important Windows Event Auditing Disabled
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
related:
- id: 69aeb277-f15f-4d2d-b32a-55e883609563
type: derived
status: test
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
references:
- https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
- https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-20
modified: 2023-11-17
tags:
- attack.defense-evasion
- attack.t1562.002
logsource:
product: windows
service: security
definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
selection_state_success_and_failure:
EventID: 4719
SubcategoryGuid:
# Note: Add or remove GUID as you see fit in your env
- '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
- '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
- '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
- '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
- '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
- '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
- '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
- '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
- '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
- '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
- '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
- '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
- '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
- '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
AuditPolicyChanges|contains:
- '%%8448' # This is "Success removed"
- '%%8450' # This is "Failure removed"
selection_state_success_only:
EventID: 4719
SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
AuditPolicyChanges|contains: '%%8448'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml