How would I convert this rule to Netwitness?
definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624; a failed logon attempt would trigger event ID 4625.
detection:
    selection:
        EventID:
            - 4624
            - 4625
    filter:
        AccountName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
    - Penetration tests
Should that include Event ID 4625?
reference.id = '528','540','4624','4625' && logon.type = '3' && process='ntlmssp' && user.dst != 'ANONYMOUS LOGON' && NOT(user.dst ends '$')
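An added example, not from the thread and not RSA's code: a small Python evaluator that runs the Sigma fragment above and the logic of the NetWitness query in the reply over constructed sample events, so the differences between the two (the added logon-type and NTLM checks, the machine-account exclusion, the legacy 528/540 IDs) are visible. The field names and sample values are assumptions.

```python
# Added example (not from the thread): compare the Sigma fragment with the
# NetWitness query from the reply on constructed Windows Security events.

# Constructed sample events (not real log data). Field names follow the
# Windows Security log / Sigma side of the conversion.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AccountName": "jsmith"},
    {"EventID": 4625, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AccountName": "jsmith"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AccountName": "ANONYMOUS LOGON"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "AccountName": "WKS01$"},
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32", "AccountName": "jsmith"},
    {"EventID": 4688, "LogonType": None, "LogonProcessName": None, "AccountName": "jsmith"},
]


def sigma_match(event):
    """Sigma fragment from the thread: selection (EventID 4624/4625)
    and not filter (AccountName == ANONYMOUS LOGON)."""
    selection = event["EventID"] in (4624, 4625)
    filt = event["AccountName"] == "ANONYMOUS LOGON"
    return selection and not filt


def netwitness_match(event):
    """Logic of the NetWitness query in the reply, mapped back onto the
    Windows field names (assumed mapping):
      reference.id -> EventID (528/540 are the legacy pre-Vista logon IDs)
      logon.type   -> LogonType
      process      -> LogonProcessName (lower-cased here; check how your
                      parser writes this meta value before relying on it)
      user.dst     -> AccountName (machine accounts end with '$')
    """
    return (
        event["EventID"] in (528, 540, 4624, 4625)
        and event["LogonType"] == 3
        and (event["LogonProcessName"] or "").lower() == "ntlmssp"
        and event["AccountName"] != "ANONYMOUS LOGON"
        and not event["AccountName"].endswith("$")
    )


def flagged(events, rule):
    """Return the (AccountName, EventID) pairs a rule would alert on."""
    return [(e["AccountName"], e["EventID"]) for e in events if rule(e)]


if __name__ == "__main__":
    print("sigma     :", flagged(SAMPLE_EVENTS, sigma_match))
    print("netwitness:", flagged(SAMPLE_EVENTS, netwitness_match))
```

The Sigma fragment alone also fires on interactive (type 2) logons and on machine accounts; the NetWitness version narrows to network NTLM logons and drops computer accounts, which is what the question about 4625 is really about.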