[Rule Tuning] Suspicious Access to LDAP Attributes - Ignored Fields #4698

Open
@w0rk3r

Description

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_high_number_ad_properties.toml

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

We need to investigate the behavior of this rule when winlog.event_data.Properties is marked as ignored due to the length of the field. When a field is marked as ignored, you cannot query it using either KQL or EQL, but we should validate the behavior on ES|QL.

Example Data

No response
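A way to measure the exposure described in the issue, added here as an example and not part of the issue or of the detection-rules repository: documents whose `winlog.event_data.Properties` value exceeded the field's `ignore_above` limit are not searchable by that field, but Elasticsearch records the field name in the `_ignored` metadata field, which can be queried with a `term` query. The index pattern `logs-system.security-*` and the `_source` fields listed are assumptions; substitute the data stream the rule actually runs against.

```console
# Kibana Dev Tools request (assumed index pattern); counts event 4662 documents
# in which winlog.event_data.Properties was dropped from the index because it
# exceeded ignore_above, i.e. the events the rule can no longer see.
GET logs-system.security-*/_search
{
  "size": 10,
  "track_total_hits": true,
  "query": {
    "bool": {
      "filter": [
        { "term": { "event.code": "4662" } },
        { "term": { "_ignored": "winlog.event_data.Properties" } }
      ]
    }
  },
  "_source": ["@timestamp", "host.name", "winlog.event_data.SubjectUserName"]
}
```

If `hits.total.value` is non-zero, the rule has false negatives for exactly those events, regardless of query language, because the value was never indexed; the fix is on the ingest side (raising `ignore_above` for that field in the component template, or extracting the GUID list into a keyword array field before the length check) rather than in the rule query.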
