From 50d734a17a40b267083aec192475bef78e5cdf6e Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Thu, 3 Jun 2021 17:51:47 -0400
Subject: [PATCH 1/5] Adding 4 initial sigma rules
---
...usp_failed_logons_explicit_credentials.yml | 24 ++++++++++++++++
.../win_susp_failed_logons_single_process.yml | 27 ++++++++++++++++++
...p_failed_logons_single_source_kerberos.yml | 28 +++++++++++++++++++
..._susp_failed_logons_single_source_ntlm.yml | 27 ++++++++++++++++++
4 files changed, 106 insertions(+)
create mode 100644 rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_process.yml
create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
new file mode 100644
index 000000000..332b0d4e5
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -0,0 +1,24 @@
+title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+author: Mauricio Velazco
+date: 2021/05/05
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4648'
+ timeframe: 24h
+ condition:
+ - selection1 | count(Account_Name) by ComputerName > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
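Review bot: Event 4648 records that a logon with explicit credentials was attempted and carries no success/failure outcome, so the description's "failing to authenticate" is not what `EventID: '4648'` selects; a `runas`/`LogonUser` spray and a perfectly healthy scheduled job both produce it. The aggregation `count(Account_Name) by ComputerName` is ambiguous as well, because 4648 has an "Account Name" under both Subject and "Account Whose Credentials Were Used", and grouping by host rather than by the subject user does not express the "a source user" relation the description claims. Assuming the repo maps the EventData names, the condition should be `- selection1 | count(TargetUserName) by SubjectUserName > 10` and the description `Detects a single user attempting logons with many different explicit credentials on a host (4648 records attempts, not failures).` Note that the existing rule in this directory addresses fields as `UserName`/`WorkstationName` rather than the rendered `Account_Name` label, so please confirm which naming the backends resolve before merging the whole set.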
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
new file mode 100644
index 000000000..3f703b3fe
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
@@ -0,0 +1,27 @@
+title: Multiple Accounts Failing to Authenticate from Single Process
+id: fe563ab6-ded4-4916-b49f-a3a8445fe280
+description: Detects failed logins with multiple accounts from a single process on the system.
+author: Mauricio Velazco
+date: 2021/05/05
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4625'
+ Logon_Type: '2'
+ filter:
+ Caller_Process_Name: '-'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Account_Name) by Caller_Process_Name > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
new file mode 100644
index 000000000..4413751e6
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
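Review bot: `count(Account_Name) by Caller_Process_Name` is ambiguous on 4625, because the event carries an "Account Name" under both Subject (the calling identity) and the account that failed; if the mapping resolves to the subject, the count is the caller's own name and never exceeds 10. Name the failed account explicitly, e.g. `- selection1 and not filter | count(TargetUserName) by Caller_Process_Name > 10` (adjust to whatever EventData name the repo maps). `Logon_Type: '2'` also limits the rule to interactive attempts; a local tool calling `LogonUser` with a network logon type should produce type 3 with the same caller process, so either widen to `Logon_Type: ['2', '3']` or state in the description why type 2 alone is wanted. The `Caller_Process_Name: '-'` filter is right, since without a caller process the grouping key is meaningless.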
@@ -0,0 +1,28 @@
+title: Multiple Valid Accounts Failing to Authenticate from Single Source using Kerberos
+id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/05/05
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4771'
+ Failure_Code: '0x18'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
new file mode 100644
index 000000000..c06bd7ade
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -0,0 +1,27 @@
+title: Multiple Valid Accounts Failing to Authenticate from Single Source using NTLM
+id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/05/05
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
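Review bot: 4771 is a KDC event that only domain controllers with "Audit Kerberos Authentication Service" enabled produce, but nothing in `logsource` or the description says so; a reader of `product: windows / service: security` would expect it on any host. State the scope, e.g. `Detects failed Kerberos pre-authentication (4771, status 0x18) for many valid accounts from one client address, as logged by domain controllers.` Status 0x18 is also only returned for accounts that require pre-authentication, so accounts with "Do not require Kerberos preauthentication" set are invisible to this rule, which deserves a line under the description or falsepositives. `Failure_Code` and `Client_Address` are the rendered-message labels; the EventData names are `Status` and `IpAddress`, so please confirm which the field mapping expects, and note that `IpAddress` is usually IPv4-mapped (`::ffff:x.x.x.x`), which matters for any allow-list a user adds to the filter.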
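Review bot: `Source_Workstation` in 4776 is the workstation name the NTLM client places in its AUTHENTICATE message, so it is attacker-chosen and may be blank; a spray tool that randomises it spreads the count over many groups and never reaches `> 10`, while an empty value lumps unrelated hosts into one group. The rule should say so in the description and ideally pair this aggregation with one keyed on the validating host, e.g. `- selection1 and not filter | count(Logon_Account) by ComputerName > 10`, which the attacker cannot influence. `action: 'failure'` does not look like a 4776 EventData field but a pipeline-derived one; matching the error code field (`Status`) would make the failure criterion portable across backends. 4776 is also written by member servers validating local SAM accounts, so "valid domain accounts" only holds if the rule is applied to domain-controller logs.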
From 103fe2b34477117ddc40714d3afd290b0ceb9ed7 Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Thu, 3 Jun 2021 18:26:07 -0400
Subject: [PATCH 2/5] minor fixes and 3 extra sigma rules
---
...usp_failed_logons_explicit_credentials.yml | 2 +-
.../win_susp_failed_logons_single_process.yml | 2 +-
.../win_susp_failed_logons_single_source.yml | 5 ++--
...p_failed_logons_single_source_kerberos.yml | 2 +-
..._failed_logons_single_source_kerberos2.yml | 28 +++++++++++++++++++
..._failed_logons_single_source_kerberos3.yml | 28 +++++++++++++++++++
..._susp_failed_logons_single_source_ntlm.yml | 5 ++--
...susp_failed_logons_single_source_ntlm2.yml | 28 +++++++++++++++++++
...usp_failed_remote_logons_single_source.yml | 27 ++++++++++++++++++
9 files changed, 119 insertions(+), 8 deletions(-)
create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
create mode 100644 rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
index 332b0d4e5..fec64346f 100644
--- a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -2,7 +2,7 @@ title: Multiple Users Attempting To Authenticate Using Explicit Credentials
 id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
 description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
 author: Mauricio Velazco
-date: 2021/05/05
+date: 2021/06/01
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
index 3f703b3fe..f3d39af3c 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_process.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
@@ -2,7 +2,7 @@ title: Multiple Accounts Failing to Authenticate from Single Process
 id: fe563ab6-ded4-4916-b49f-a3a8445fe280
 description: Detects failed logins with multiple accounts from a single process on the system.
 author: Mauricio Velazco
-date: 2021/05/05
+date: 2021/06/01
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index d8727c314..79e244c7a 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -1,6 +1,6 @@
 title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
-description: Detects suspicious failed logins with different user accounts from a single source system
+description: Detects failed logins with multiple user accounts from a single source system.
 author: Florian Roth
 date: 2017/01/10
 tags:
@@ -13,8 +13,7 @@ logsource: detection: selection1: EventID: - 529 - 4625 + - 4771 UserName: '*' WorkstationName: '*' selection2:
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
index 4413751e6..195a204a8 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -2,7 +2,7 @@ title: Multiple Valid Accounts Failing to Authenticate from Single Source using
 id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
 author: Mauricio Velazco
-date: 2021/05/05
+date: 2021/06/01
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
new file mode 100644
index 000000000..3747a7b3c
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -0,0 +1,28 @@
+title: Multiple Disabled Users Failing To Authenticate From Single Source Using Kerberos
+id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x12'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
new file mode 100644
index 000000000..b32489a4a
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
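Review bot: Result code 0x12 is KDC_ERR_CLIENT_REVOKED, which the KDC returns for disabled, expired and locked-out accounts alike, so the title and description ("disabled domain accounts") claim more precision than `Result_Code: '0x12'` has. That matters operationally: a spray against valid accounts locks them out, after which the same source starts producing 0x12, so this rule fires as the consequence of a spray as much as on a spray of disabled accounts; say so, e.g. `Detects many TGT requests (4768) rejected with KDC_ERR_CLIENT_REVOKED (disabled, expired or locked-out accounts) from one client address, as logged by domain controllers.` As with 4771, the event only exists on domain controllers, which the rule should state. The file suffix `kerberos2` does not tell a reader what distinguishes it from the sibling rule; `_revoked` or `_disabled` would.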
@@ -0,0 +1,28 @@
+title: Multiple Invalid Users Failing To Authenticate From Single Source Using Kerberos
+id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x6'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
index c06bd7ade..40f64ff90 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -1,8 +1,8 @@
 title: Multiple Valid Accounts Failing to Authenticate from Single Source using NTLM
 id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
-description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
 author: Mauricio Velazco
-date: 2021/05/05
+date: 2021/06/01
 tags:
 - attack.t1110.003
 - attack.initial_access
@@ -14,6 +14,7 @@ detection:
 selection1:
 EventID: '4776'
 action: 'failure'
+ Message: '*0xC000006A'
 filter:
 Logon_Account: '*$'
 timeframe: 24h
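Review bot: Result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the requested principal does not exist in the realm, which is the signature of user-name enumeration against the KDC rather than of guessing passwords for valid accounts, so tagging it only as `attack.t1110.003` undersells what `Result_Code: '0x6'` actually catches; adding `attack.t1087.002` (Account Discovery: Domain Account) would route the alert to the right playbook. The description could read `Detects many TGT requests (4768) for non-existent principals from one client address, typical of Kerberos user enumeration; logged by domain controllers only.` The falsepositives entry `Missconfigured systems` is misspelled (`Misconfigured`), and it is copied into the sibling Kerberos rules as well.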
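Review bot: `Message: '*0xC000006A'` matches the error code with a leading wildcard over the whole rendered message, which is both expensive (an unanchored scan of every 4776) and imprecise (any message containing that substring matches). 4776 exposes the code as its own field ("Error Code" in the message, `Status` in EventData), so match that instead: `Status: '0xC000006A'`. Once the status is pinned to a non-zero code the `action: 'failure'` line adds nothing and could be dropped, which would also remove a field that is not part of the native event. The hunk covers only lines 14–19 of the rule; the aggregation it feeds is outside it.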
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
new file mode 100644
index 000000000..79b55bc54
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
@@ -0,0 +1,28 @@
+title: Multiple Invalid Users Failing To Authenticate From Host Using NTLM
+id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ Message: '*0xC0000064'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
new file mode 100644
index 000000000..9f37e91a9
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
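Review bot: `Message: '*0xC0000064'` repeats the unanchored scan of the rendered message; 4776 carries the error code in its own field, so `Status: '0xC0000064'` (STATUS_NO_SUCH_USER) is the precise and cheaper match. The description says "invalid domain accounts", but 4776 is also written by member servers and workstations when they validate a local SAM account, so unless the rule is run against domain-controller logs the counted names may be local; either add `on a domain controller` to the description or accept and document that it covers both. 0xC0000064 is the NTLM counterpart of Kerberos 0x6 — user-name enumeration — so `attack.t1087.002` is worth adding next to `attack.t1110.003`. `Source_Workstation` is the client-supplied workstation name and can be blank or randomised by the spraying tool, which is a limitation of the grouping key that the description should mention.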
@@ -0,0 +1,27 @@
+title: Multiple Users Remotely Failing To Authenticate From Single Source
+id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+description: Detects a source system failing to authenticate against a remote host with multiple users.
+author: Mauricio Velazco
+date: 2021/06/01
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4625'
+ Logon_Type: '3'
+ filter:
+ Source_Network_Address: '-'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Account_Name) by Source_Network_Address > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
From d4f66f2af6197daeac36dd931e4988e893b4ac51 Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Thu, 3 Jun 2021 18:29:06 -0400
Subject: [PATCH 3/5] rolling back unwanted changes
---
.../builtin/win_susp_failed_logons_single_source.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
index 79e244c7a..dad0b88d8 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml
@@ -1,6 +1,6 @@
 title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
-description: Detects failed logins with multiple user accounts from a single source system.
+description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth
 date: 2017/01/10
 tags:
@@ -13,7 +13,8 @@ logsource:
 detection:
 selection1:
 EventID:
- - 4771
+ - 529
+ - 4625
 UserName: '*'
 WorkstationName: '*'
 selection2:
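Review bot: Logon-type-3 failures whose source is the loopback address (`127.0.0.1`, `::1`) are not remote, but the filter excludes only `'-'`, so a local tool spraying over SMB at its own host would be reported under "Remotely ... From Single Source"; if that is not intended, widen the filter to `Source_Network_Address: ['-', '127.0.0.1', '::1']`. As in the other 4625 rule, `Account_Name` exists under both Subject and the failed account, so the target should be named explicitly (`TargetUserName` in EventData, or whatever the repo maps) to make `count(Account_Name)` unambiguous. A description that names the event and logon type, e.g. `Detects many distinct accounts failing network (type 3) logons (4625) from one source IP address within 24h.`, would spare readers a trip to the detection block.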
@@ -29,4 +30,4 @@ falsepositives:
 - Jump servers
 - Other multiuser systems like Citrix server farms
 - Workstations with frequently changing users
-level: medium
+level: medium
\ No newline at end of file
From d8aa0ae124bc1d2251727e302015d2d4608cae0a Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Thu, 3 Jun 2021 23:38:10 -0400
Subject: [PATCH 4/5] adding references
---
.../builtin/win_susp_failed_logons_explicit_credentials.yml | 2 ++
rules/windows/builtin/win_susp_failed_logons_single_process.yml | 2 ++
.../builtin/win_susp_failed_logons_single_source_kerberos.yml | 2 ++
.../builtin/win_susp_failed_logons_single_source_kerberos2.yml | 2 ++
.../builtin/win_susp_failed_logons_single_source_kerberos3.yml | 2 ++
.../builtin/win_susp_failed_logons_single_source_ntlm.yml | 2 ++
.../builtin/win_susp_failed_logons_single_source_ntlm2.yml | 2 ++
.../builtin/win_susp_failed_remote_logons_single_source.yml | 2 ++
8 files changed, 16 insertions(+)
diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
index fec64346f..a64133d28 100644
--- a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml
@@ -3,6 +3,8 @@ id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
 description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
 author: Mauricio Velazco
 date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
index f3d39af3c..606b7143a 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_process.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
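Review bot: The rollback leaves `level: medium` without a trailing newline (`\ No newline at end of file`), so the file does not return to its pre-series content, and every later change to its last line will drag along a spurious `-level: medium`/`+level: medium` pair. Re-add the final newline so this commit is a true no-op against the state before patch 2. The hunk covers only the last four lines of the rule.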
@@ -3,6 +3,8 @@ id: fe563ab6-ded4-4916-b49f-a3a8445fe280
 description: Detects failed logins with multiple accounts from a single process on the system.
 author: Mauricio Velazco
 date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
index 195a204a8..94185623f 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -3,6 +3,8 @@ id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
 author: Mauricio Velazco
 date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
index 3747a7b3c..9f1278f85 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -3,6 +3,8 @@ id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
 author: Mauricio Velazco
 date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
index b32489a4a..7bb6cd385 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -3,6 +3,8 @@ id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
 author: Mauricio Velazco
 date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
index 40f64ff90..abea9ffd6 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -3,6 +3,8 @@ id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
 description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
 author: Mauricio Velazco
 date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
index 79b55bc54..66c123d87 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
@@ -3,6 +3,8 @@ id: 56d62ef8-3462-4890-9859-7b41e541f8d5
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
 author: Mauricio Velazco
 date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
 - attack.t1110.003
 - attack.initial_access
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
index 9f37e91a9..1f574e942 100644
--- a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
+++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
@@ -2,6 +2,8 @@ title: Multiple Users Remotely Failing To Authenticate From Single Source
 id: add2ef8d-dc91-4002-9e7e-f2702369f53a
 description: Detects a source system failing to authenticate against a remote host with multiple users.
 author: Mauricio Velazco
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 date: 2021/06/01
 tags:
 - attack.t1110.003
From 178df3f05618b57aac2766fe55c3b6ad0a473bf0 Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Fri, 4 Jun 2021 10:57:52 -0400
Subject: [PATCH 5/5] fixing title lengths
---
rules/windows/builtin/win_susp_failed_logons_single_process.yml | 2 +-
.../builtin/win_susp_failed_logons_single_source_kerberos.yml | 2 +-
.../builtin/win_susp_failed_logons_single_source_kerberos2.yml | 2 +-
.../builtin/win_susp_failed_logons_single_source_kerberos3.yml | 2 +-
.../builtin/win_susp_failed_logons_single_source_ntlm.yml | 2 +-
.../builtin/win_susp_failed_logons_single_source_ntlm2.yml | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
index 606b7143a..716bc8ae6 100644
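Review bot: In this file `references:` is inserted between `author:` and `date:`, whereas the seven sibling rules touched by the same patch place it after `date:`; keep the header key order consistent across the set (move the two added lines below `date: 2021/06/01`) so the rule headers diff and review cleanly side by side. Key order carries no meaning in YAML, so this is purely a style point.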
--- a/rules/windows/builtin/win_susp_failed_logons_single_process.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
@@ -1,4 +1,4 @@
-title: Multiple Accounts Failing to Authenticate from Single Process
+title: Multiple Users Failing to Authenticate from Single Process
 id: fe563ab6-ded4-4916-b49f-a3a8445fe280
 description: Detects failed logins with multiple accounts from a single process on the system.
 author: Mauricio Velazco
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
index 94185623f..17114308a 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -1,4 +1,4 @@
-title: Multiple Valid Accounts Failing to Authenticate from Single Source using Kerberos
+title: Valid Users Failing to Authenticate From Single Source Using Kerberos
 id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
 author: Mauricio Velazco
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
index 9f1278f85..7da50919a 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -1,4 +1,4 @@
-title: Multiple Disabled Users Failing To Authenticate From Single Source Using Kerberos
+title: Disabled Users Failing To Authenticate From Source Using Kerberos
 id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
 author: Mauricio Velazco
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
index 7bb6cd385..514ec94fd 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -1,4 +1,4 @@
-title: Multiple Invalid Users Failing To Authenticate From Single Source Using Kerberos
+title: Invalid Users Failing To Authenticate From Source Using Kerberos
 id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
 author: Mauricio Velazco
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
index abea9ffd6..b260bb585 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -1,4 +1,4 @@
-title: Multiple Valid Accounts Failing to Authenticate from Single Source using NTLM
+title: Valid Users Failing to Authenticate from Single Source Using NTLM
 id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
 description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
 author: Mauricio Velazco
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
index 66c123d87..ba48c1b97 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
@@ -1,4 +1,4 @@
-title: Multiple Invalid Users Failing To Authenticate From Host Using NTLM
+title: Invalid Users Failing To Authenticate From Single Source Using NTLM
 id: 56d62ef8-3462-4890-9859-7b41e541f8d5
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
 author: Mauricio Velazco