Listing 1: Minimal YAML file

title: Minimales Beispiel
logsource:
  category: web
  product: apache
  service: access
detection:
  success: 200
  failure: 404
  condition: success and not failure

Listing 2: Analyzing Windows logins

title: Suspicious Failed Logins in Active Directory
logsource:
  product: windows
detection:
  selection:
    EventLog: Security
    EventID: 4625
    TargetDomainName: "WORKGROUP"
    Status: Failure
    LogonType: [2, 10]
  condition: selection
  timeframe: 60m