add missing summariesonly macro.
We will still need to determine if we want to add the missing COUNT after it as well, but this will take a hands-on test of the rule.
pyth0n1c authored Oct 18, 2024
1 parent f5cf688 commit d027d55
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion detections/network/detect_outbound_ldap_traffic.yml
Expand Up @@ -14,7 +14,7 @@ description: The following analytic identifies outbound LDAP traffic to external
network compromise.
data_source:
- Bro
search: '| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip)
search: '| tstats `security_content_summariesonly` earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip)
as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port
= 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR
All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip
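Review bot: the `where` clause on the changed line mixes OR and AND without parentheses (`All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (...)`), so whether the private-range exclusion applies to both LDAP ports or only to 636 depends on SPL's boolean precedence rather than on anything a reader can see; since this line is being edited anyway, suggest making the intent explicit: `where (All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636) AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR ...)`. The `security_content_summariesonly` macro itself is placed correctly, directly after `tstats` and before the aggregates. As the commit message says, `count` is still missing from the aggregate list; adding `count` next to `earliest(_time)` and re-running the rule against data would confirm whether the downstream fields the detection expects are produced. Minor style point: `All_Traffic.dest_ip=192.168.0.0/16` is the only comparison in the clause without spaces around `=`.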
