Underscores in some Windows log based rules #2312

Open
alekwisnia opened this issue Aug 2, 2022 · 4 comments
bug Something isn't working
@alekwisnia
Recently I've run into an issue with the "ESCU - Kerberoasting spn request with RC4 encryption - Rule" rule, which is based on kerberoasting_spn_request_with_rc4_encryption.yml. They both mention the fields Ticket_Options and Ticket_Encryption_Type (the rule also mentions Service_Name). It hasn't worked well, because the Windows event log contains those fields without underscores.

I use a standard setup with Splunk Windows app, so parsing the logs should be fine.

My guess is there might be more Windows rules containing underscores.

@ljstella
Contributor

Hey @alekwisnia

Thanks for reaching out. Can you confirm if your Windows logs are of the xmlwineventlog variant, or the wineventlog variant? It appears you're trying to use a detection that was built with one in mind and your logs are of the other sourcetype.

@alekwisnia
Author

Yes, I can confirm it's xmlwineventlog. Moreover, if you have a look at the official MS documentation for EventCode 4769, it also mentions those fields without underscores.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769

@ljstella
Contributor

@alekwisnia Thanks for confirming that. This detection was built with the multiline wineventlog sourcetype originally. Some fields in these events have spaces in them, which are replaced by underscores by the Windows TA.

In an upcoming release, an update for this detection (along with other detections using wineventlog fieldnames) will be released that targets xmlwineventlog instead.

@ljstella ljstella added bug Something isn't working and removed needs-more-info labels Aug 23, 2022
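The field-name mismatch discussed in this thread, shown concretely as an added example (this is not code from the ESCU project or from any commenter). It parses a constructed Event ID 4769 in both shapes: the XmlWinEventLog form, where the field names come straight from the `Data Name` attributes (`TicketEncryptionType`), and the classic multiline WinEventLog form, where the message body has "Ticket Encryption Type:" and the space-to-underscore replacement yields `Ticket_Encryption_Type`. A detection written against one set of names silently matches nothing on the other; normalizing both to a canonical key before matching avoids that. The sample events, the simplified multiline parser (the real Windows TA extraction is more elaborate), and the match criteria in `is_rc4_spn_request` (encryption type 0x17 = RC4-HMAC per Microsoft's 4769 documentation, ticket options 0x40810000, service name not a computer account or krbtgt) are assumptions made for illustration, not the project's exact rule.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Event ID 4769 in the XmlWinEventLog form (not a real capture).
XML_4769 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>4769</EventID>
    <Computer>dc01.example.local</Computer>
  </System>
  <EventData>
    <Data Name='TargetUserName'>jdoe@EXAMPLE.LOCAL</Data>
    <Data Name='ServiceName'>MSSQLSvc</Data>
    <Data Name='TicketOptions'>0x40810000</Data>
    <Data Name='TicketEncryptionType'>0x17</Data>
  </EventData>
</Event>"""

# Constructed sample of the same event in the classic multiline WinEventLog form.
MULTILINE_4769 = """EventCode=4769
ComputerName=dc01.example.local
Message=A Kerberos service ticket was requested.

Account Information:
\tAccount Name:\t\tjdoe@EXAMPLE.LOCAL

Service Information:
\tService Name:\t\tMSSQLSvc

Additional Information:
\tTicket Options:\t\t0x40810000
\tTicket Encryption Type:\t0x17
"""

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def parse_xml_event(xml_text):
    """Field names are the Data Name attributes, which never contain spaces."""
    root = ET.fromstring(xml_text)
    fields = {"EventCode": root.findtext(f"{NS}System/{NS}EventID")}
    for data in root.iterfind(f"{NS}EventData/{NS}Data"):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


# "Label With Spaces:   value" lines inside the message body.
KV_LINE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(\S.*)$")


def parse_multiline_event(text):
    """Simplified stand-in for the classic extraction: labels in the message
    body contain spaces, which are replaced by underscores (Ticket_Options)."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith(("\t", " ")):
            key, value = line.split("=", 1)      # top-level EventCode=4769 style
            fields[key.strip()] = value.strip()
            continue
        match = KV_LINE.match(line.strip())
        if match:                                # section headers have no value and are skipped
            fields[match.group(1).replace(" ", "_")] = match.group(2).strip()
    return fields


def canonical(name):
    """Map both naming styles onto one key: Ticket_Encryption_Type and
    TicketEncryptionType both become 'ticketencryptiontype'."""
    return name.replace("_", "").lower()


def normalize(fields):
    return {canonical(k): v for k, v in fields.items()}


RC4_HMAC = "0x17"  # Kerberos etype 23, the encryption type Kerberoasting tooling asks for


def is_rc4_spn_request(fields):
    """Hypothetical check approximating the detection's intent, written against
    canonical names so it works for either sourcetype."""
    f = normalize(fields)
    if f.get("eventcode") != "4769":
        return False
    if f.get("ticketencryptiontype", "").lower() != RC4_HMAC:
        return False
    if f.get("ticketoptions", "").lower() != "0x40810000":
        return False
    service = f.get("servicename", "")
    # Computer accounts (ending in $) and the krbtgt service are not Kerberoasting targets here.
    return bool(service) and not service.endswith("$") and service.lower() != "krbtgt"


if __name__ == "__main__":
    xml_fields = parse_xml_event(XML_4769)
    ml_fields = parse_multiline_event(MULTILINE_4769)
    # The underscore name the rule searches for does not exist in the XML form.
    print("Ticket_Encryption_Type in XML fields:", "Ticket_Encryption_Type" in xml_fields)
    print("TicketEncryptionType in multiline fields:", "TicketEncryptionType" in ml_fields)
    print("detects XML:", is_rc4_spn_request(xml_fields))
    print("detects multiline:", is_rc4_spn_request(ml_fields))
```

The first two prints are the bug reported in this issue: a search keyed on `Ticket_Encryption_Type` finds no such field in XmlWinEventLog data, and vice versa. The last two show the same logic matching both once the names are canonicalized; in Splunk the equivalent fix is to rewrite the search against the XML field names (as the maintainers say they will) or to alias one set of names to the other in props/transforms.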
@josehelps
Collaborator

@alekwisnia we have an internal effort tracked under ticket TR-3611 to convert some remaining detections over to the Windows XML log format. Hoping we can get this out ASAP; please hang tight.
