From d027d55796b2a2c159e411a5ebc057e9a3975e4a Mon Sep 17 00:00:00 2001
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com>
Date: Fri, 18 Oct 2024 06:49:28 -0400
Subject: [PATCH] add missing summariesonly macro. We will still need to determine if we want to add the missing COUNT after it as well, but this will take a hands on test of the rule
---
 detections/network/detect_outbound_ldap_traffic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
index 9d93a364d5..233e54dbaf 100644
--- a/detections/network/detect_outbound_ldap_traffic.yml
+++ b/detections/network/detect_outbound_ldap_traffic.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies outbound LDAP traffic to external
 network compromise.
 data_source:
 - Bro
-search: '| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip)
+search: '| tstats `security_content_summariesonly` earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip)
 as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip