update pw spraying via explicit creds rules

rules/windows/builtin/security/win_security_susp_failed_logons_explicit_credentials.yml

@@ -1,12 +1,12 @@
-title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+title: Password Spraying via Explicit Credentials
 id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
 status: test
-description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+description: Detects a single user failing to authenticate to multiple users using explicit credentials.
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
-author: Mauricio Velazco
+author: Mauricio Velazco, Zach Mathis
 date: 2021/06/01
-modified: 2022/10/09
+modified: 2023/01/27
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -15,14 +15,15 @@ logsource:
     product: windows
     service: security
 detection:
-    selection1:
+    selection:
         EventID: 4648
-    timeframe: 24h
-    condition:
-        - selection1 | count(Account_Name) by ComputerName > 10
+    filter:
+        SubjectUserName|endswith: '$' # There will be much noise from computer accounts to UMFD-0, DWM-1, etc...
+    timeframe: 1h
+    condition: selection and not filter | count(TargetUserName) by SubjectUserName > 10
 falsepositives:
     - Terminal servers
     - Jump servers
     - Other multiuser systems like Citrix server farms
     - Workstations with frequently changing users
-level: medium
+level: medium