[BUG] Logic Problem in Detect Computer Changed with Anonymous Account

[thegreatmhn]

the detection rule original logic is as follow:
wineventlog_security EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3
| stats count min(_time) as firstTime max(_time) as lastTime
BY action app authentication_method
dest dvc process
process_id process_name process_path
signature signature_id src
src_port status subject
user user_group vendor_product
| security_content_ctime(firstTime)
| security_content_ctime(lastTime)
| detect_computer_changed_with_anonymous_account_filter

there are two problem with this logic.
first problem is filtering EventCode=4742 does not effect in the query beacuse of the LogonType=3 field this field is not available in Event Code 4742 telemetry, so the Event Code 4742 doesnt work.

second problem is that the event 4624 filter is extra and not needed.

[nasbench]

Thanks for reporting this. I have fixed the issue and gathered some datasets to make it testable.
Just FYI. Since this is hunting and targeting an "old" issue of "zerologon" mainly. I opted to go for simply detecting EID 4742 with "Anonymous Logon". But in reality this is not needed and 4624 with anonymous logon is enough and could mean a trigger of this vuln. But since often public exploitation was seen changing the pass. I made that decision.

This will be pushed as part of the next release.