Update filter

splunk · Sep 11, 2023 · e743b6a · e743b6a
1 parent 545dcb7
commit e743b6a
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
@@ -14,7 +14,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode=
 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" 
   | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
-  | `get_domainou_with_powershell_script_block_filter`'
+  | `windows_find_domain_organizational_units_with_getdomainou_filter`'
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
   add index. This analytic is specific to 4104, or PowerShell Script Block Logging.

diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
@@ -15,7 +15,7 @@ description: This analytic leverages PowerShell Script Block Logging (EventCode=
 search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" 
   | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
-  | `find_interestingdomainacl_with_powershell_script_block_filter`' 
+  | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' 
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
   add index. This analytic is specific to 4104, or PowerShell Script Block Logging.

diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
@@ -14,7 +14,7 @@ description: This analytic utilizes PowerShell Script Block Logging (EventCode=4
 search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" 
   | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
-  | `get_forestdomain_with_powershell_script_block_filter`'
+  | `windows_forest_discovery_with_getforestdomain_filter`'
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
   add index. This analytic is specific to 4104, or PowerShell Script Block Logging.

diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
@@ -15,7 +15,7 @@ search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*"
   | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID  
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
-  | `find_localadminaccess_with_powershell_script_block_filter`'
+  | `windows_get_local_admin_with_findlocaladminaccess_filter`'
 how_to_implement: The following Hunting analytic requires PowerShell operational logs
   to be imported. Modify the powershell macro as needed to match the sourcetype or
   add index. This analytic is specific to 4104, or PowerShell Script Block Logging.