Commit 1d98293

Updating detections
1 parent 8598be7 commit 1d98293

2 files changed

+6
-6
lines changed

detections/application/authentication_dm_distributed_password_spray.yml renamed to detections/application/detect_distributed_password_spray_attempts.yml

Lines changed: 4 additions & 4 deletions
@@ -1,4 +1,4 @@
1-
name: Authentication DM Distributed Password Spray
1+
name: Detect Distributed Password Spray Attempts
22
id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
33
version: 1
44
date: '2023-11-01'
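
Review bot: the rename keeps `id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57` stable, which is the right call for anything keyed on the id, but `version: 1` and `date: '2023-11-01'` are untouched even though the name, the filter macro and the risk message all change in this file; if this detection has already shipped under the old name, bump `version` to 2 so consumers that track versions pick up the changed content.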
@@ -28,9 +28,9 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un
2828
| foreach *
2929
[ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
3030
| table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
31-
| sort - total_failures | `authentication_dm_distributed_password_spray_filter`'
31+
| sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
3232
how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.
33-
known_false_positives: Mondays.
33+
known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
3434
references:
3535
- https://attack.mitre.org/techniques/T1110/003/
3636
tags:
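
Review bot: on the `33+` line "monday" should be capitalised ("Monday mornings"), and the filter macro referenced on the `31+` line is renamed to `detect_distributed_password_spray_attempts_filter` while this two-file commit contains no macro definition; confirm the macro exists (or is generated from the detection name) so the search does not fail on an undefined macro.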
@@ -42,7 +42,7 @@ tags:
4242
- 90bc2e54-6c84-47a5-9439-0a2a92b4b175
4343
confidence: 70
4444
impact: 70
45-
message: This is not a risk rule
45+
message: Distributed Password Spray Attempt Detected
4646
mitre_attack_id:
4747
- T1110.003
4848
- T1110
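
Review bot: the new `message: Distributed Password Spray Attempt Detected` is static, while the search already outputs `unique_src`, `unique_accounts` and `total_failures` (see the `| table` line in the previous hunk); consider substituting those fields into the message, e.g. `message: Distributed password spray from $unique_src$ sources against $unique_accounts$ accounts ($total_failures$ failures)`, so the resulting risk event carries the context an analyst needs without opening the search.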

detections/application/authentication_dm_password_spray.yml renamed to detections/application/detect_password_spray_attempts.yml

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
name: Authentication DM Password Spray
1+
name: Detect Password Spray Attempts
22
id: 086ab581-8877-42b3-9aee-4a7ecb0923af
33
version: 1
44
date: '2023-11-01'
@@ -26,7 +26,7 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un
2626
| where isOutlier=1
2727
| foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
2828
| table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id
29-
| `authentication_dm_password_spray_filter`'
29+
| `detect_password_spray_attempts_filter`'
3030
how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.
3131
known_false_positives: Unknown
3232
references:
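
Review bot: `known_false_positives: Unknown` on line `3131` is left unchanged, while the sibling distributed detection in this same commit now documents the Monday-morning spike of legitimate failed authentications; both detections run over the same CIM Authentication data (their `how_to_implement` text is identical), so the same false-positive note almost certainly applies here and should be added.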
