Rule fixes

Florian Roth
2018-06-27 18:47:52 +02:00
parent 9705366060
commit a61052fc0a
2 changed files with 2 additions and 2 deletions
@@ -12,7 +12,7 @@ logsource:
detection:
selection1:
EventID: 4738
AllowedToDelegateTo: '*'
AllowedToDelegateTo: (any)
selection2:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
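Review bot: In selection1, `AllowedToDelegateTo: (any)` is an unquoted YAML scalar, so it parses as the literal string "(any)" and not as a wildcard pattern like `'*'`. Unless the rule's consumers give that token a special meaning, the EventID 4738 condition would only match events whose field contains exactly that text. Either keep the quoted wildcard or add a comment in the rule stating what `(any)` is meant to match, since the commit message "Rule fixes" does not explain the substitution.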
@@ -27,4 +27,4 @@ fields:
- ParentCommandLine
falsepositives:
- Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
level: medium
level: low
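Review bot: The `level` change at the end of this hunk (`medium` and `low` are both shown) has no stated rationale. The commit message is only "Rule fixes", and the falsepositives entry already says the rule "Will need to be tuned". Add a short justification in the rule or the commit message for the severity change, so that anyone who filters alerts by level understands why this rule moves between tiers.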