updating version and risk object

dluxtron · dluxtron · commit 0923a79c49a6 · 2025-02-28T11:50:22.000+10:00
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
@@ -1,6 +1,6 @@
 name: Windows AD Replication Request Initiated by User Account
 id: 51307514-1236-49f6-8686-d46d93cc2821
-version: 7
+version: 8
 date: '2025-02-10'
 author: Dean Luxton
 type: TTP
@@ -54,14 +54,15 @@ drilldown_searches:
   latest_offset: $info_max_time$
 rba:
   message: Windows Active Directory Replication Request Initiated by User Account
-    $user$ at $src_ip$
+    $user$ from $src_ip$
   risk_objects:
   - field: user
     type: user
     score: 100
-  threat_objects:
   - field: src_ip
-    type: ip_address
+    type: system
+    score: 100
+  threat_objects: []
 tags:
   analytic_story:
   - Compromised Windows Host
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
@@ -66,9 +66,10 @@ rba:
   - field: user
     type: user
     score: 100
-  threat_objects:
   - field: src_ip
-    type: ip_address
+    type: system
+    score: 100
+  threat_objects: []
 tags:
   analytic_story:
   - Compromised Windows Host
