Merge pull request #3541 from jwindley/patch-2

ljstella · web-flow · commit 1e6cc1228e72 · 2025-05-30T11:18:53.000-05:00
Update detect_remote_access_software_usage_traffic.yml
diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Traffic
 id: 885ea672-07ee-475a-879e-60d28aa5dd42
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-05-30'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -16,7 +16,7 @@ description: The following analytic detects network traffic associated with know
 data_source:
 - Palo Alto Network Traffic
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from
+  as lastTime values(All_Traffic.dest_port) as dest_port latest(All_Traffic.user) as user from
   datamodel=Network_Traffic by All_Traffic.action All_Traffic.app All_Traffic.bytes
   All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest All_Traffic.dest_ip
   All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
