Merge pull request #3104 from splunk/439_integration
4.39.0 integration fixes
patel-bhavin committed Aug 26, 2024
2 parents fb8b96d + 728bf98 commit f7112e6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion detections/application/windows_ad_gpo_disabled.yml
@@ -10,7 +10,7 @@ data_source:
description: This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.
search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=flags OperationType="%%14674" AttributeValue!=0
| eval AttributeValueExp=case(AttributeValue==0,"Enabled",AttributeValue==1,"User configuration settings disabled",AttributeValue==2,"Computer configuration settings disabled",AttributeValue==3,"Disabled"), ObjectDN=upper(ObjectDN)
| join ObjectDN type=outer [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) as displayName by ObjectDN ]
| join ObjectDN type=inner [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) as displayName by ObjectDN ]
| stats min(_time) as _time values(AttributeValue) as AttributeValue values(AttributeValueExp) as AttributeValueExp values(OpCorrelationID) as OpCorrelationID values(displayName) as policyName values(src_user) as src_user by ObjectDN SubjectLogonId
| `windows_ad_gpo_disabled_filter`'
how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136, admon data is also used to display
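Review bot: switching the `admon` join from `type=outer` to `type=inner` turns GPO display-name enrichment into a hard filter, and the `how_to_implement` text in this same hunk still describes admon as data that is "also used to display". With the inner join, any EventCode=5136 flags change whose upper-cased `ObjectDN` has no matching `CN=Group-Policy-Container*` row from the `admonEventType=Update` subsearch is dropped silently, so an environment that audits 5136 but does not ingest admon, or a GPO that has no Update event inside the search window, now yields no alert at all instead of an alert with an empty `policyName`. If dropping unmatched events is the intended behaviour (for example to cut noise from non-GPO objects), update `how_to_implement` to state that admon ingestion is required rather than optional, and consider adding a `description` note that events without a resolved GPO name are excluded; otherwise keep `type=outer` and fill the missing name with something like `| fillnull value="unknown" policyName` after the `stats` so the detection still fires when admon data is absent. Either way the doc line and the search should agree on whether admon is mandatory.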

0 comments on commit f7112e6