diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 7acd66999..941dbee3b 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.action:"Directory Service Access" and event.code:"4662" and
+event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and
 winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 128169a1f..2d2a80f89 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/29"
 
 [rule]
 author = ["Elastic"]
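Review bot: The second `event.action` value `"object-operation-performed"` added on the `+` query line is not explained anywhere in the visible rule metadata, so a later maintainer auditing this detection has to rediscover why event 4662 is matched under two different action strings and whether both are still needed. KQL has no comment syntax and the value sits inside the `'''` query string, so the note belongs as a TOML comment directly above `query = '''`, e.g. `# Event 4662 arrives with either event.action spelling depending on the source that produced it; keep both`, with the producing integration/version named once confirmed. The same change is made in the EQL rule's `@@ -97,7 +97,7 @@` hunk in credential_access_dcsync_replication_rights.toml, where the existing `/* ... */` comment style in that query could carry the same note. Neither hunk touches `min_stack_version` or `min_stack_comments`; it is worth confirming whether the stack/integration version that introduced the new action value should be recorded there. The query string continues past the hunk's last visible line.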
@@ -97,7 +97,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.action == "Directory Service Access" and
+any where event.action : ("Directory Service Access", "object-operation-performed") and
 event.code == "4662" and winlog.event_data.Properties : ( /* Control Access Rights/Permissions Symbol */