From fab2d3957e8136d09ef30464ec0a16e16d5f4e20 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 13 Nov 2024 17:00:16 +0900
Subject: [PATCH] make the levels consistent
---
 .../Logon/Sec_4625_Med_LogonFail_UserGuessing_Correlation.yml | 2 +-
 .../Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Correlation.yml | 2 +-
 .../Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_UserGuessing_Correlation.yml b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_UserGuessing_Correlation.yml
index ee47426a5..591cd13db 100644
--- a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_UserGuessing_Correlation.yml
+++ b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_UserGuessing_Correlation.yml
@@ -60,7 +60,7 @@ detection:
 IpAddress: "-"
 condition: selection and not filter
 falsepositives:
-level: informational
+level: medium
 ruletype: Hayabusa
 sample-evtx: |
diff --git a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Correlation.yml b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Correlation.yml
index f42d78267..1e0bd05c1 100644
--- a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Correlation.yml
+++ b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Correlation.yml
@@ -59,7 +59,7 @@ detection:
 - TargetUserName|endswith: "$"
 condition: selection and not filter
 falsepositives:
-level: informational
+level: medium
 ruletype: Hayabusa
 sample-evtx: |
diff --git a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml
index bf64f3915..4c8e9ee91 100644
--- a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml
+++ b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml
@@ -53,5 +53,5 @@ detection:
 - IpAddress: "-"
 condition: selection and not filter
 falsepositives:
-level: informational
+level: medium
 ruletype: Hayabusa
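Review bot: The empty `falsepositives:` key directly above the changed `level:` line parses as null, and now that the rule reports at medium an analyst triaging a hit gets no guidance on benign causes. For this explicit-logon rule an entry such as `falsepositives: ["admin scripts or tools that authenticate with explicit credentials for many accounts"]` would help. The same gap is visible in the two Sec_4625 rule files changed earlier in this patch, where mistyped or expired passwords are the likely benign source. The hunk does not show which YAML document of the file this `level:` belongs to; if it is the per-event rule rather than the correlation rule, please confirm that single events are not reported at medium on their own. The `detection:` block starts outside the hunk.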