Merge pull request #1635 from frack113/fix_win_susp_failed_logons_single_source_kerberos

Fix invalid field name

rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml

@@ -1,8 +1,9 @@
 title: Valid Users Failing to Authenticate From Single Source Using Kerberos
 id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
@@ -14,13 +15,13 @@ logsource:
     service: security
 detection:
     selection:
-        EventID: '4771'
-        Failure_Code: '0x18'
-    filter:
-        Account_Name: '*$'
+        EventID: 4771
+        Status: '0x18'
+    filter_computer:
+        TargetUserName|endswith: '$'
     timeframe: 24h
     condition:
-        - selection and not filter | count(Account_Name) by Client_Address > 10
+        - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
     - Vulnerability scanners
     - Missconfigured systems

rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml

@@ -1,8 +1,9 @@
 title: Disabled Users Failing To Authenticate From Source Using Kerberos
 id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
@@ -14,13 +15,13 @@ logsource:
     service: security
 detection:
     selection:
-        EventID: '4768'
-        Result_Code: '0x12'
-    filter:
-        Account_Name: '*$'
+        EventID: 4768
+        Status: '0x12'
+    filter_computer:
+        TargetUserName|endswith: '$'
     timeframe: 24h
     condition:
-        - selection and not filter | count(Account_Name) by Client_Address > 10
+        - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
     - Vulnerability scanners
     - Missconfigured systems

rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml

@@ -1,8 +1,9 @@
 title: Invalid Users Failing To Authenticate From Source Using Kerberos
 id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
@@ -14,13 +15,13 @@ logsource:
     service: security
 detection:
     selection:
-        EventID: '4768'
-        Result_Code: '0x6'
-    filter:
-        Account_Name: '*$'
+        EventID: 4768
+        Status: '0x6'
+    filter_computer:
+        TargetUserName|endswith: '$'
     timeframe: 24h
     condition:
-        - selection and not filter | count(Account_Name) by Client_Address > 10
+        - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
     - Vulnerability scanners
     - Missconfigured systems