Update windows_ad_abnormal_object_access_activity.yml
patel-bhavin authored Sep 12, 2023
1 parent c7e4ad4 commit 1cf2761
Showing 1 changed file with 2 additions and 3 deletions.
Expand Up @@ -9,13 +9,12 @@ description: Windows Active Directory contains numerous objects. A statistically
data_source:
- Windows Security 4662
search: '`wineventlog_security` EventCode=4662
| `windows_ad_abnormal_object_access_filter`
| stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName
| eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev
| eval limit = round((average+(standarddev*3)),0), user = SubjectUserName
| where ObjectName_count > limit
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
| `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`'
how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662 for relevant objects. Be awaren Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.
known_false_positives: Service accounts or applications that routinely query Active Directory for information.
references:
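Review bot: Moving the filter macro from directly after the base search to the end of the pipeline changes what the baseline is computed on: the `eventstats avg(...)`/`stdev(...)` now runs over every SubjectUserName, including any accounts the filter macro excludes, so the `limit` threshold is derived from a population that includes noisy service accounts and only the final output rows are suppressed. That contradicts the `how_to_implement` guidance in the context lines ("Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate"). If the intent of the rename to `windows_ad_abnormal_object_access_activity_filter` is only to match the analytic's file name (the usual `<detection_name>_filter` convention), consider keeping a filter position before `| stats`, or update `how_to_implement` to state that the macro applies post-aggregation and that service-account exclusion must be done in the base search. Two smaller points on the same hunk: the added line `| \`security_content_ctime(lastTime)\`| \`windows_ad_abnormal_object_access_activity_filter\`'` is missing the space before the second `|` that every other pipeline stage uses, and the context line still carries the typo "Be awaren" (should be "Be aware"), which could be fixed in the same change.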
Expand Down Expand Up @@ -54,4 +53,4 @@ tests:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
update_timestamp: true
update_timestamp: true
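Review bot: The removed and added `update_timestamp: true` lines are identical in the visible text, so this hunk appears to be a whitespace or end-of-file newline change only; that is fine, but it is worth confirming nothing else in the `tests:` block was meant to change, since the commit summary reports 2 additions and 3 deletions and the substantive edit is entirely in the search hunk above.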
