From dae1f3fa7142ebc9b9a3b8a46d4656e65d4417b3 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:50:44 -0300
Subject: [PATCH] Update win_susp_ntlm_rdp.yml

---
 rules/windows/builtin/win_susp_ntlm_rdp.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/builtin/win_susp_ntlm_rdp.yml
index bed9e568a..96e1d00a8 100644
--- a/rules/windows/builtin/win_susp_ntlm_rdp.yml
+++ b/rules/windows/builtin/win_susp_ntlm_rdp.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
 selection:
 EventID: 8001
- TargetName: TERMSRV*
+ TargetName|startswith: TERMSRV
 condition: selection
 fields:
 - Computer
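Review bot: The new `TargetName|startswith: TERMSRV` leaves the prefix unanchored, so any target name that merely begins with those letters still satisfies the selection. If this field always carries an SPN of the form service/host (likely for this event, but not shown in the hunk), `TargetName|startswith: 'TERMSRV/'` would be the tighter match and would cut potential false positives. The diffstat shows a single changed line, so a `modified` date, if the rule carries one, was not updated along with the detection logic. The `logsource` section sits above the hunk, so it is not possible to confirm from here that EventID 8001 is scoped to the intended NTLM channel rather than matched across all Windows logs.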