From 12fb71b83b2f564376df978ec200240438c14ac3 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 6 Jul 2021 12:53:38 +0200
Subject: [PATCH] fix invalid field name
---
 ...in_susp_failed_logons_single_source_kerberos.yml | 13 +++++++------
 ...n_susp_failed_logons_single_source_kerberos2.yml | 13 +++++++------
 ...n_susp_failed_logons_single_source_kerberos3.yml | 13 +++++++------
 3 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
index 17114308a..5f7fb4bc1 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -1,8 +1,9 @@
 title: Valid Users Failing to Authenticate From Single Source Using Kerberos
 id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
@@ -14,13 +15,13 @@ logsource:
 service: security
 detection:
 selection:
- EventID: '4771'
- Failure_Code: '0x18'
- filter:
- Account_Name: '*$'
+ EventID: 4771
+ Status: '0x18'
+ filter_computer:
+ TargetUserName|endswith: '$'
 timeframe: 24h
 condition:
- - selection and not filter | count(Account_Name) by Client_Address > 10
+ - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Missconfigured systems
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
index 7da50919a..480663d1c 100644
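Review bot: The renamed `Status` field now carries a bare Kerberos result code with no explanation at `+ Status: '0x18'`, and the same applies to `0x12` in kerberos2.yml and `0x6` in kerberos3.yml; a one-line YAML comment above each value would spare the next maintainer a lookup, e.g. `# 0x18 = KDC_ERR_PREAUTH_FAILED: wrong password for an existing account`. The new names `Status`, `TargetUserName` and `IpAddress` are the EventData names used by events 4768/4771, so the rule should now resolve through the Sigma Windows field mapping instead of the Splunk-style names it replaces. One thing to confirm against real events: in many environments `IpAddress` on these events is an IPv4-mapped IPv6 string (`::ffff:a.b.c.d`), which still works for `by IpAddress` aggregation but will not join directly with rules keyed on a plain IPv4 field. The `count(TargetUserName)` aggregation is a distinct count under the Sigma specification, so a single account retrying many times does not trip the threshold, which matches the title and would be worth stating in the description.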
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -1,8 +1,9 @@
 title: Disabled Users Failing To Authenticate From Source Using Kerberos
 id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
@@ -14,13 +15,13 @@ logsource:
 service: security
 detection:
 selection:
- EventID: '4768'
- Result_Code: '0x12'
- filter:
- Account_Name: '*$'
+ EventID: 4768
+ Status: '0x12'
+ filter_computer:
+ TargetUserName|endswith: '$'
 timeframe: 24h
 condition:
- - selection and not filter | count(Account_Name) by Client_Address > 10
+ - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Missconfigured systems
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
index 514ec94fd..8bc4d8b84 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -1,8 +1,9 @@
 title: Invalid Users Failing To Authenticate From Source Using Kerberos
 id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
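Review bot: `Status: '0x12'` in the kerberos2.yml detection hunk is KDC_ERR_CLIENT_REVOKED, which the KDC returns for expired and locked-out accounts (and logon-hour restrictions) as well as disabled ones, so the title and the description in the section's first hunk are narrower than what the selection matches. Widening the description would make the alert honest about its coverage: `description: Detects failed logins with multiple disabled, expired or locked-out domain accounts from a single source system using the Kerberos protocol.`. A host that still holds credentials for several expired or locked service accounts will cross `count(TargetUserName) by IpAddress > 10` for benign reasons; the existing `falsepositives` entries only partly cover that and would be clearer if it were stated.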
@@ -14,13 +15,13 @@ logsource:
 service: security
 detection:
 selection:
- EventID: '4768'
- Result_Code: '0x6'
- filter:
- Account_Name: '*$'
+ EventID: 4768
+ Status: '0x6'
+ filter_computer:
+ TargetUserName|endswith: '$'
 timeframe: 24h
 condition:
- - selection and not filter | count(Account_Name) by Client_Address > 10
+ - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Missconfigured systems
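Review bot: With `Status: '0x6'` (KDC_ERR_C_PRINCIPAL_UNKNOWN) the requested principal does not exist, so `TargetUserName` is whatever the client sent rather than the name of a real account; the `filter_computer` exclusion on `TargetUserName|endswith: '$'` therefore relies on the client's naming convention, not on an actual computer account, and deserves a short comment such as `# principal is unknown, so a trailing '$' only indicates a client that claims to be a machine`. Newly created user or computer accounts that have not yet replicated to the answering DC also produce 0x6 for a while, which is a benign source worth listing under `falsepositives`. In the unchanged context line `- Missconfigured systems` the entry is misspelled; `- Misconfigured systems`.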