Update Detect Outbound LDAP Traffic(ASIM Network Session schema).yaml

Azure · Mar 7, 2024 · e812298 · e812298
1 parent 24dcb6d
commit e812298
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/...Essentials/Hunting Queries/Detect Outbound LDAP Traffic(ASIM Network Session schema).yaml b/...Essentials/Hunting Queries/Detect Outbound LDAP Traffic(ASIM Network Session schema).yaml
@@ -13,8 +13,8 @@ relevantTechniques:
   - T1071
   - T1059
 query: |
-  _Im_NetworkSession(starttime=ago(1d), eventresult='Failure")
-  | where ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr)) and SrcIpAddr != DstIpAddr
+  _Im_NetworkSession(starttime=ago(1d))
+  | where EventResult='Failure" and ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr)) and SrcIpAddr != DstIpAddr
   | where tostring(DstPortNumber) has_any ("389", "636")
   | summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),Eventscount=sum(EventCount), EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstIpAddr,DstPortNumber,NetworkProtocol,EventResult
   | extend IP_0_Address = SrcIpAddr