Merge pull request SigmaHQ#4104 from YamatoSecurity/move-multi-line-condition-to-single-line

nasbench · web-flow · commit 5c91769251da · 2023-03-13T10:30:21.000+01:00
moved multi-line condition to single line for rules that use `count`
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml
@@ -7,7 +7,7 @@ references:
     - https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
 author: Mauricio Velazco
 date: 2021/06/01
-modified: 2022/10/09
+modified: 2023/03/13
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -22,8 +22,7 @@ detection:
     filter:
         ProcessName: '-'
     timeframe: 24h
-    condition:
-        - selection1 and not filter | count(TargetUserName) by ProcessName > 10
+    condition: 'selection1 and not filter | count(TargetUserName) by ProcessName > 10'
 falsepositives:
     - Terminal servers
     - Jump servers
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml
@@ -6,7 +6,7 @@ references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco, frack113
 date: 2021/06/01
-modified: 2022/10/09
+modified: 2023/03/13
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -21,8 +21,7 @@ detection:
     filter_computer:
         TargetUserName|endswith: '$'
     timeframe: 24h
-    condition:
-        - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
+    condition: 'selection and not filter_computer | count(TargetUserName) by IpAddress > 10'
 falsepositives:
     - Vulnerability scanners
     - Misconfigured systems
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml
@@ -6,7 +6,7 @@ references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco, frack113
 date: 2021/06/01
-modified: 2022/10/09
+modified: 2023/03/13
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -21,8 +21,7 @@ detection:
     filter_computer:
         TargetUserName|endswith: '$'
     timeframe: 24h
-    condition:
-        - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
+    condition: 'selection and not filter_computer | count(TargetUserName) by IpAddress > 10'
 falsepositives:
     - Vulnerability scanners
     - Misconfigured systems
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml
@@ -6,7 +6,7 @@ references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco, frack113
 date: 2021/06/01
-modified: 2022/10/09
+modified: 2023/03/13
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -21,8 +21,7 @@ detection:
     filter_computer:
         TargetUserName|endswith: '$'
     timeframe: 24h
-    condition:
-        - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
+    condition: 'selection and not filter_computer | count(TargetUserName) by IpAddress > 10'
 falsepositives:
     - Vulnerability scanners
     - Misconfigured systems
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml
@@ -6,7 +6,7 @@ references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco
 date: 2021/06/01
-modified: 2022/10/09
+modified: 2023/03/13
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -21,8 +21,7 @@ detection:
     filter:
         TargetUserName: '*$'
     timeframe: 24h
-    condition:
-        - selection1 and not filter | count(TargetUserName) by Workstation > 10
+    condition: 'selection1 and not filter | count(TargetUserName) by Workstation > 10'
 falsepositives:
     - Terminal servers
     - Jump servers
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml
@@ -6,7 +6,7 @@ references:
     - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco
 date: 2021/06/01
-modified: 2022/10/09
+modified: 2023/03/13
 tags:
     - attack.t1110.003
     - attack.initial_access
@@ -21,8 +21,7 @@ detection:
     filter:
         TargetUserName: '*$'
     timeframe: 24h
-    condition:
-        - selection1 and not filter | count(TargetUserName) by Workstation > 10
+    condition: 'selection1 and not filter | count(TargetUserName) by Workstation > 10'
 falsepositives:
     - Terminal servers
     - Jump servers
