From 48f16a0ca8c9e581316d8ab2ca17543d2b05345c Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 26 Nov 2020 22:39:49 -0300
Subject: [PATCH] Update win_susp_net_recon_activity.yml

---
rules/windows/builtin/win_susp_net_recon_activity.yml | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index c73d5b2ed..cb5aa7a89 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -18,10 +18,16 @@ logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
+logsource:
+ product: windows
+ service: security
+ definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
- - EventID: 4661
- ObjectType: 'SAM_USER'
+ EventID: 4661
+ ObjectType:
+ - 'SAM_USER'
+ - 'SAM_GROUP'
ObjectName|startswith: 'S-1-5-21-'
AccessMask: '0x2d'
selection2:
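Review bot: The four added lines starting at `+logsource:` introduce a second top-level `logsource` mapping immediately below the existing one that the hunk's context lines already show (`product: windows`, `service: security`, `definition: …` under the `logsource:` header named in the `@@` line), so the rule file now carries a duplicate key. A strict YAML loader rejects duplicate mapping keys and a lenient one silently keeps whichever block is parsed last, so the duplicated block either breaks rule loading or contributes nothing; it looks like an accidental paste and should be removed. The `detection.selection` rewrite to a single map with an `ObjectType` list of `'SAM_USER'` and `'SAM_GROUP'` is independent of this and can stay as is. The rule's title, description and `condition` lie outside the hunk, so whether they reflect the wider `SAM_GROUP` match cannot be checked from here.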