[New Rule] ADExplorer collecting Active Directory information

### Description

This rule will be used to detect hackers using ADExplorer to create AD snapshots, which can then be imported in bloodhound using: https://github.com/c3c/ADExplorerSnapshot.py

Some info regarding the way to detect this using LDAP query telemetry, can be found on the following page:
https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c

### Target Ruleset

None

### Target Rule Type

None

### Tested ECS Version

_No response_

### Query

_No response_

### New fields required in ECS/data sources for this rule?

_No response_

### Related issues or PRs

_No response_

### References

https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
https://github.com/c3c/ADExplorerSnapshot.py

### Redacted Example Data

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] ADExplorer collecting Active Directory information #4697

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] ADExplorer collecting Active Directory information #4697

Description

Description

Target Ruleset

Target Rule Type

Tested ECS Version

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Redacted Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions