From 5f98f00a362626e92ebbd9584e46396bf84e6b4c Mon Sep 17 00:00:00 2001
From: frack113 <magicfrancois@gmail.com>
Date: Tue, 1 Jun 2021 08:19:26 +0200
Subject: [PATCH] Filtering Platform Connection are in security channel not
 system

---
 rules/windows/builtin/win_global_catalog_enumeration.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml
index eb3392785..c87885a43 100644
--- a/rules/windows/builtin/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -3,14 +3,16 @@ description: Detects enumeration of the global catalog (that can be performed us
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 id: 619b020f-0fd7-4f23-87db-3f51ef837a34
 date: 2020/05/11
-modified: 2020/08/23
+modified: 2021/06/01
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
 tags:
     - attack.discovery
     - attack.t1087          # an old one
     - attack.t1087.002
 logsource:
     product: windows
-    service: system
+    service: security
     definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
 detection:
     selection: