[Tuning] DCSync Rules - 4662 event.action (#3410)

* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml
Samirbous
2024-01-30 11:43:28 +00:00
committed by GitHub
parent 381ccf43ed
commit d7f4d7972e
2 changed files with 4 additions and 4 deletions
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/10/23"
updated_date = "2024/01/29"
[rule]
author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.action:"Directory Service Access" and event.code:"4662" and
event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and
winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
*DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
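Review bot: The query at the second hunk now accepts two `event.action` spellings, but nothing in the file records why both are needed, so a later tuning pass could drop one and silently reopen the coverage gap this commit closes (KQL has no comment syntax inside the query string, so the note has to live in the TOML). Add above `query = '''` a comment such as `# event.action is spelled "Directory Service Access" or "object-operation-performed" depending on the Windows integration version; keep both or 4662 DCSync events from one version are missed -- TODO confirm which versions emit which`, hedged until the emitting versions are confirmed, since that mapping is not visible here. Consider also updating `min_stack_comments` in the first hunk if the second spelling is tied to a newer integration release, so the dependency is documented next to the stack constraint. The query string continues past the visible lines (the closing `'''` and any trailing filter are outside this hunk).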
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/29"
[rule]
author = ["Elastic"]
@@ -97,7 +97,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
any where event.action == "Directory Service Access" and
any where event.action : ("Directory Service Access", "object-operation-performed") and
event.code == "4662" and winlog.event_data.Properties : (
/* Control Access Rights/Permissions Symbol */