Update Detect Outbound LDAP Traffic(ASIM Network Session schema).yaml
praveenthepro authored Mar 7, 2024
1 parent 3bd00c8 commit ff977e1
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -14,7 +14,7 @@ relevantTechniques:
- T1059
query: |
_Im_NetworkSession(starttime=ago(1d))
| where EventResult='Failure" and ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr)) and SrcIpAddr != DstIpAddr
| where EventResult=='Failure" and ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr)) and SrcIpAddr != DstIpAddr
| where tostring(DstPortNumber) has_any ("389", "636")
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),Eventscount=sum(EventCount), EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstIpAddr,DstPortNumber,NetworkProtocol,EventResult
| extend IP_0_Address = SrcIpAddr
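Review bot: the string literal on the changed line is still unbalanced. `EventResult=='Failure"` opens with a single quote and closes with a double quote, so this change only corrects `=` to `==` and the query will still fail to parse. The filter should read `| where EventResult == 'Failure' and ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr)) and SrcIpAddr != DstIpAddr`. Minor: `tostring(DstPortNumber) has_any ("389", "636")` casts the port to a string for a term match; `DstPortNumber in (389, 636)` keeps the numeric type and states the intent directly. The `relevantTechniques` context line maps this rule to T1059 (Command and Scripting Interpreter), which does not obviously describe internal hosts sending LDAP/LDAPS (389/636) to external addresses; consider whether a discovery or exploitation technique is the intended mapping.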
