Describe the bug
The rule "Kerberos TGT Request Using RC4 Encryption" in 4.16.0 uses the non-CIM field "Account_Name" rather than the standard field "user". This doesn't appear to have been the case as recently as 4.14.0; our allowlisting in the macro kerberos_tgt_request_using_rc4_encryption_filter used the field "user" and operated as expected, breaking only during an upgrade performed today.
Expected behavior
The field "user" should be utilized in order to ensure queries looking for that CIM field in the notable index find Notables related to this rule.
App Version:
ESCU: 4.16.0
This detection does not operate against a datamodel but instead against the raw Windows event logs hence, it is not using a CIM field. Can you give me an example of what you believe the "fixed" query should look like?
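To make the mismatch concrete, here is an added illustration (not the ESCU rule's actual SPL and not a query from either participant) of the two places the field name matters: the detection's output field and the allowlist filter macro. The search body, the index name, the Ticket_Encryption_Type/Client_Address fields and the allowlisted account names are assumptions for illustration; EventCode 4768 with encryption type 0x17 is the Kerberos TGT request using RC4-HMAC.

```spl
index=wineventlog EventCode=4768 Ticket_Encryption_Type=0x17
| rename Account_Name as user
| stats count min(_time) as firstTime max(_time) as lastTime by user, Client_Address, EventCode
| `kerberos_tgt_request_using_rc4_encryption_filter`
```

A filter macro written to survive either field name across upgrades (hypothetical definition for kerberos_tgt_request_using_rc4_encryption_filter, replacing the default `search *`):

```spl
eval user=coalesce(user, Account_Name) | search NOT user IN ("svc_legacyapp$", "scanner-acct")
```

With the rename in the detection, notables carry `user` as in earlier releases; with the coalesce in the macro, the allowlist keeps working even if a future rule version emits only `Account_Name`.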