remove dynamic risk score

Author: patel-bhavin

detections/endpoint/windows_ad_privileged_object_access_activity.yml

@@ -33,9 +33,9 @@ search: '`wineventlog_security` EventCode=4662 ObjectName IN (
 "CN=Organization Management,*")
 | rex field=ObjectName "CN\=(?<object_name>[^,]+)" 
 | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName
+| rename SubjectUserName as user
 | `security_content_ctime(firstTime)` 
 | `security_content_ctime(lastTime)`
-| eval user = SubjectUserName, risk_score = case(object_count=1,40,object_count>1,object_count*30,true(),40)
 | `windows_ad_privileged_object_access_activity_filter`'
 how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA.
 known_false_positives: Service accounts or applications that routinely query Active Directory for information.