[Tuning] DCSync Rules - 4662 event.action (#3410)

Samirbous · web-flow · commit d7f4d7972edd · 2024-01-30T11:43:28.000Z
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.action:"Directory Service Access" and event.code:"4662" and
+event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and
  winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
                                *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
                                *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2024/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.action == "Directory Service Access" and
+any where event.action : ("Directory Service Access", "object-operation-performed") and
   event.code == "4662" and winlog.event_data.Properties : (
 
     /* Control Access Rights/Permissions Symbol */
