Update old Data Needed documents to the new structure

[yugoslavskiy]

Please refer to the #10 for information about changes that need to be implemented, new templates, and so on.
The workflow is the following:

1. Fetch the new_structure branch and switch to it:

$ git fetch origin new_structure
$ git checkout new_structure

2. Comment in this PR with a task you are going to solve, so the others will not intersect with you.

3. Modify existing file (only content, we will work out filenames later) and commit changes:

$ git add <path to file you've modified>
$ git commit -m 'update DN_XXXX'

4. Push back your local updates to the remote new_structure branch:

$ git push origin new_structure

The list of tasks/DNs to update

NOTE: All the documents that need to be converted located in atc-data-new-structure/data.

macOS:

• mount_log/santa_diskappear
• mount_log/santa_diskdisappear
• process/santa_exec

Windows:

• process/DN_0001_windows_wel_4688_new_process_has_been_created_without_commandline
• process/DN_0002_windows_wel_4688_new_process_has_been_created_with_commandline
• process/DN_0003_windows_sysmon_1_process_creation
• process/DN_0007_3_windows_sysmon_network_connection
• process/DN_0009_5_windows_sysmon_process_terminated
• process/DN_0012_8_windows_sysmon_CreateRemoteThread
• process/DN_0014_10_windows_sysmon_ProcessAccess
• process/DN_0087_5156_windows_filtering_platform_has_permitted_connection
• process/DN_0085_22_windows_sysmon_DnsQuery
• authentication_log/DN_0057_4625_account_failed_to_logon
• authentication_log/DN_0042_675_kerberos_preauthentication_failed - deprecated
• authentication_log/DN_0004_4624_windows_account_logon
• authentication_log/DN_0077_4769_kerberos_service_ticket_was_requested
• authentication_log/DN_0078_4771_kerberos_pre_authentication_failed
• authentication_log/DN_0082_8002_ntlm_server_blocked_audit
• authentication_log/DN_0040_528_user_successfully_logged_on_to_a_computer - deprecated
• authentication_log/DN_0076_4768_kerberos_authentication_ticket_was_requested
• authentication_log/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account
• authentication_log/DN_0041_529_logon_failure - deprecated
• mount_log/DN_0054_2102_pnp_or_power_operation_for_usb_device
• mount_log/DN_0053_2100_pnp_or_power_operation_for_usb_device
• mount_log/DN_0052_2003_query_to_load_usb_drivers
• powershell_log/DN_0038_400_engine_state_is_changed_from_none_to_available
• powershell_log/DN_0037_4103_windows_powershell_executing_pipeline
• powershell_log/DN_0036_4104_windows_powershell_script_block
• multiple/DN_0060_4658_handle_to_an_object_was_closed
• multiple/DN_0058_4656_handle_to_an_object_was_requested
• multiple/DN_0061_4660_object_was_deleted
• multiple/DN_0062_4663_attempt_was_made_to_access_an_object
• file/DN_0015_11_windows_sysmon_FileCreate
• file/DN_0032_5145_network_share_object_was_accessed_detailed
• file/DN_0019_15_windows_sysmon_FileCreateStreamHash
• file/DN_0033_5140_network_share_object_was_accessed
• file/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time
• module/DN_0011_7_windows_sysmon_image_loaded
• named_pipe/DN_0021_18_windows_sysmon_PipeEvent
• named_pipe/DN_0020_17_windows_sysmon_PipeEvent
• active_directory/DN_0026_5136_windows_directory_service_object_was_modified
• active_directory/DN_0030_4662_operation_was_performed_on_an_object
• active_directory/DN_0028_4794_directory_services_restore_mode_admin_password_set
• active_directory/DN_0074_4765_sid_history_was_added_to_an_account
• active_directory/DN_0029_4661_handle_to_an_object_was_requested
• active_directory/DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed
• user_account/DN_0070_4735_security_enabled_local_group_was_changed
• user_account/DN_0068_4728_member_was_added_to_security_enabled_global_group
• user_account/DN_0066_4704_user_right_was_assigned
• user_account/DN_0072_4755_security_enabled_universal_group_was_changed
• user_account/DN_0073_4756_member_was_added_to_a_security_enabled_universal_group
• user_account/DN_0027_4738_user_account_was_changed
• user_account/DN_0069_4732_member_was_added_to_security_enabled_local_group
• user_account/DN_0071_4737_security_enabled_global_group_was_changed
• user_account/DN_0086_4720_user_account_was_created
• registry/DN_0059_4657_registry_value_was_modified
• registry/DN_0017_13_windows_sysmon_RegistryEvent
• registry/DN_0016_12_windows_sysmon_RegistryEvent
• registry/DN_0018_14_windows_sysmon_RegistryEvent
• service/DN_0064_4698_scheduled_task_was_created
• service/DN_0005_7045_windows_service_insatalled
• service/DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls
• service/DN_0049_1034_dhcp_service_failed_to_load_callout_dlls
• service/DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception
• service/DN_0010_6_windows_sysmon_driver_loaded
• service/DN_0063_4697_service_was_installed_in_the_system
• service/DN_0008_4_windows_sysmon_sysmon_service_state_changed
• service/DN_0065_4701_scheduled_task_was_disabled
• service/DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception
• service/DN_0031_7036_service_started_stopped
• service/DN_0035_106_task_scheduler_task_registered
• wmi_object/DN_0081_5861_wmi_activity
• wmi_object/DN_0023_20_windows_sysmon_WmiEvent
• wmi_object/DN_0080_5859_wmi_activity
• wmi_object/DN_0024_21_windows_sysmon_WmiEvent
• wmi_object/DN_0022_19_windows_sysmon_WmiEvent
• uncategorised/DN_0050_1102_audit_log_was_cleared
• uncategorised/DN_0090_50_terminal_server_security_layer_detected_an_error
• uncategorised/DN_0044_1000_application_crashed
• uncategorised/DN_0083_16_access_history_in_hive_was_cleared
• uncategorised/DN_0088_4616_system_time_was_changed
• uncategorised/DN_0039_524_system_catalog_has_been_deleted
• uncategorised/DN_0051_1121_attack_surface_reduction_blocking_mode_event
• uncategorised/DN_0013_9_windows_sysmon_RawAccessRead
• uncategorised/DN_0089_56_terminal_server_security_layer_detected_an_error
• uncategorised/DN_0034_104_log_file_was_cleared
• uncategorised/DN_0043_770_dns_server_plugin_dll_has_been_loaded
• uncategorised/DN_0067_4719_system_audit_policy_was_changed
• uncategorised/DN_0045_1001_windows_error_reporting
• uncategorised/DN_0108_150_dns_server_could_not_load_dll

Linux:

• multiple/DN_0056_linux_auditd_syscall
• file/DN_0055_linux_auditd_read_access_to_file
• uncategorised/DN_0093_linux_clamav_log
• uncategorised/DN_0096_linux_named_client_security_log
• uncategorised/DN_0094_linux_sshd_log
• uncategorised/DN_0095_linux_auth_pam_log
• uncategorised/DN_0097_linux_daemon_log
• uncategorised/DN_0091_linux_modsecurity_log
• uncategorised/DN_0098_linux_vsftpd_log
• process/DN_0054_linux_auditd_execve

Other:

• av/DN_0084_av_alert
• network/passivedns/DN_0100_Passive_DNS_log
• network/bind/DN_0099_Bind_DNS_query
• unix/DN_0092_unix_generic_syslog

[yugoslavskiy]

I'll take:

• process/DN_0007_3_windows_sysmon_network_connection
• process/DN_0009_5_windows_sysmon_process_terminated
• process/DN_0012_8_windows_sysmon_CreateRemoteThread
• process/DN_0014_10_windows_sysmon_ProcessAccess
• process/DN_0087_5156_windows_filtering_platform_has_permitted_connection

[yugoslavskiy]

I'll take:

• process/DN_0085_22_windows_sysmon_DnsQuery
• authentication_log/DN_0057_4625_account_failed_to_logon
• authentication_log/DN_0042_675_kerberos_preauthentication_failed
• authentication_log/DN_0004_4624_windows_account_logon
• authentication_log/DN_0077_4769_kerberos_service_ticket_was_requested

[yugoslavskiy]

I'll take:

• authentication_log/DN_0078_4771_kerberos_pre_authentication_failed
• authentication_log/DN_0082_8002_ntlm_server_blocked_audit
• authentication_log/DN_0040_528_user_successfully_logged_on_to_a_computer
• authentication_log/DN_0076_4768_kerberos_authentication_ticket_was_requested
• authentication_log/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account
• authentication_log/DN_0041_529_logon_failure

[yugoslavskiy]

I'll handle:

• mount_log/DN_0054_2102_pnp_or_power_operation_for_usb_device
• mount_log/DN_0053_2100_pnp_or_power_operation_for_usb_device
• mount_log/DN_0052_2003_query_to_load_usb_drivers
• powershell_log/DN_0038_400_engine_state_is_changed_from_none_to_available
• powershell_log/DN_0037_4103_windows_powershell_executing_pipeline
• powershell_log/DN_0036_4104_windows_powershell_script_block
• multiple/DN_0060_4658_handle_to_an_object_was_closed
• multiple/DN_0058_4656_handle_to_an_object_was_requested
• multiple/DN_0061_4660_object_was_deleted
• multiple/DN_0062_4663_attempt_was_made_to_access_an_object

[yugoslavskiy]

I'll take:

• file/DN_0015_11_windows_sysmon_FileCreate
• file/DN_0032_5145_network_share_object_was_accessed_detailed
• file/DN_0019_15_windows_sysmon_FileCreateStreamHash
• file/DN_0033_5140_network_share_object_was_accessed
• file/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time
• module/DN_0011_7_windows_sysmon_image_loaded
• named_pipe/DN_0021_18_windows_sysmon_PipeEvent
• named_pipe/DN_0020_17_windows_sysmon_PipeEvent