Update credential_access_dcsync_newterm_subjectuser.toml

Samirbous · web-flow · commit 8b0be535b556 · 2024-01-29T15:51:51.000Z
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.action:"Directory Service Access" and event.code:"4662" and
+event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and
  winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
                                *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
                                *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
