Rule UUID
d04ae2b8-ad54-4de0-bd87-4bc1da66aa59

Example EventLog
Example log line which generates alerts based on this rule:

Description
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml#L28 contains this condition:

```yaml
condition: selection and not 1 of filter_main_*
```

but in the detection it is just created on filter_main_... like this:

```yaml
filter_main_:
    ServiceName|endswith:
        - 'krbtgt' # Ignore requests for the krbtgt service
        - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    TargetUserName|contains: '$@' # Ignore requests from machines
```

Based on our experience with the logs, I think the TargetUserName and ServiceName filtering are in an OR relation and not in an AND relation.
So maybe we need to modify the rule like this:

```yaml
filter_main_servicename:
    ServiceName|endswith:
        - 'krbtgt' # Ignore requests for the krbtgt service
        - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
filter_main_targetusername:
    TargetUserName|contains: '$@' # Ignore requests from machines
```
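To make the difference between the two filter layouts concrete, here is an added example (not part of the issue, the Sigma rule, or pySigma): a minimal hand-written evaluator of the `selection and not 1 of filter_main_*` condition run over constructed Event ID 4769 records. The `selection` block is a simplified stand-in (EventID 4769 with RC4 ticket encryption), not the rule's actual selection, and the sample events are made up.

```python
# Added example: a tiny Sigma-style evaluator (NOT pySigma) showing that the
# fields inside one filter map are ANDed, while "1 of filter_main_*" ORs the maps.
from typing import Dict, List

Event = Dict[str, str]
Filter = Dict[str, object]  # e.g. {"ServiceName|endswith": [...], "TargetUserName|contains": "..."}


def _field_matches(event: Event, key: str, wanted: object) -> bool:
    """Evaluate one 'Field|modifier: value(s)' pair; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "")
    candidates = wanted if isinstance(wanted, list) else [wanted]
    if modifier == "endswith":
        return any(value.endswith(str(c)) for c in candidates)
    if modifier == "contains":
        return any(str(c) in value for c in candidates)
    if modifier == "":
        return any(value == str(c) for c in candidates)
    raise ValueError(f"unsupported modifier: {modifier}")


def filter_matches(event: Event, flt: Filter) -> bool:
    """Sigma semantics: every field inside a single map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in flt.items())


def kerberoast_alert(event: Event, filters: List[Filter]) -> bool:
    """condition: selection and not 1 of filter_main_*  (selection is a simplified stand-in)."""
    selection = event.get("EventID") == "4769" and event.get("TicketEncryptionType") == "0x17"
    return selection and not any(filter_matches(event, f) for f in filters)


# Rule as currently written: one map, so both fields must match to suppress.
FILTER_AS_WRITTEN: List[Filter] = [
    {"ServiceName|endswith": ["krbtgt", "$"], "TargetUserName|contains": "$@"},
]
# Proposed layout: two maps, so "1 of filter_main_*" suppresses when either matches.
FILTER_PROPOSED: List[Filter] = [
    {"ServiceName|endswith": ["krbtgt", "$"]},
    {"TargetUserName|contains": "$@"},
]

# Constructed sample events (not real log data).
MACHINE_REQUESTS_SQL_SPN: Event = {"EventID": "4769", "TicketEncryptionType": "0x17",
                                   "ServiceName": "MSSQLSvc", "TargetUserName": "WS01$@CORP.LOCAL"}
USER_REQUESTS_MACHINE_SPN: Event = {"EventID": "4769", "TicketEncryptionType": "0x17",
                                    "ServiceName": "WS02$", "TargetUserName": "alice@CORP.LOCAL"}
USER_REQUESTS_SQL_SPN: Event = {"EventID": "4769", "TicketEncryptionType": "0x17",
                                "ServiceName": "MSSQLSvc", "TargetUserName": "alice@CORP.LOCAL"}
```

With the single map, an event is only suppressed when both the service name and the requesting account match, so machine-account requests for a non-`$` SPN still alert; with the split maps either condition alone suppresses, so the proposed rule alerts on a strict subset of what the current one does.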