fix detection

2021-12-15 10:04:37 +01:00
parent 8908c4ca8e
commit 4f866f8da3
1 changed files with 5 additions and 2 deletions
@@ -13,16 +13,19 @@ logsource:
    product: windows
    service: system
 detection:
-    selection:
+    selection_1:
        Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center  # Active Directory
        EventID:
            - 35
            - 36
            - 37
            - 38
+    selection_2:
+        Provider_Name: Microsoft-Windows-Directory-Services-SAM  # Active Directory
+        EventID:
            - 16990
            - 16991
-    condition: selection
+    condition: selection_1 or selection_2
 fields:
    - samAccountName
 falsepositives: