Merge pull request #780 from tatsu-i/master

Null field check to eliminate false positives

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -19,10 +19,10 @@ logsource:
 detection:
     selection1:
         EventID: 4738
+    filter_null:
+        AllowedToDelegateTo: null
     filter1:
-        AllowedToDelegateTo: 
-            - null
-            - '-'
+        AllowedToDelegateTo: '-'
     selection2:
         EventID: 5136
         AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -33,7 +33,7 @@ detection:
     selection4:
         EventID: 5136
         AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
-    condition: (selection1 and not 1 of filter*) or selection2 or selection3 or selection4
+    condition: (selection1 and not filter1 and not filter_null) or selection2 or selection3 or selection4
 falsepositives:
     - Unknown
 level: high

rules/windows/builtin/win_susp_add_sid_history.yml

@@ -24,7 +24,9 @@ detection:
         SidHistory:
             - '-'
             - '%%1793'
-    condition: selection1 or (selection2 and not selection3)
+    filter_null:
+        SidHistory: null
+    condition: selection1 or (selection2 and not selection3 and not filter_null)
 falsepositives:
     - Migration of an account into a new domain
 level: medium