From d027d55796b2a2c159e411a5ebc057e9a3975e4a Mon Sep 17 00:00:00 2001
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com>
Date: Fri, 18 Oct 2024 06:49:28 -0400
Subject: [PATCH 1/2] add missing summariesonly macro. We will still need to determine if we want to add the missing COUNT after it as well, but this will take a hands on test of the rule
---
 detections/network/detect_outbound_ldap_traffic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
index 9d93a364d5..233e54dbaf 100644
--- a/detections/network/detect_outbound_ldap_traffic.yml
+++ b/detections/network/detect_outbound_ldap_traffic.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies outbound LDAP traffic to external
 network compromise.
 data_source:
 - Bro
-search: '| tstats earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip)
+search: '| tstats `security_content_summariesonly` earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip)
 as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip
From 6e3366457d1f93d09f3452261aedf4570f5ed9ae Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 22 Oct 2024 11:54:20 -0700
Subject: [PATCH 2/2] fix names for time fields and add count
---
 detections/network/detect_outbound_ldap_traffic.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
index 233e54dbaf..d0303e9b5d 100644
--- a/detections/network/detect_outbound_ldap_traffic.yml
+++ b/detections/network/detect_outbound_ldap_traffic.yml
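Review bot: The where clause on the search's continuation line, `where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR ...)`, mixes OR and AND without grouping, so whether the RFC1918 exclusion applies to port 389 is decided by operator precedence rather than by the stated intent; if AND binds tighter than OR here, port 389 traffic to private destinations is never excluded and the rule fires on ordinary internal LDAP, and if OR binds tighter the exclusion works only by accident. Grouping the ports explicitly, `where (All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636) AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12)`, makes the outbound-only scope unambiguous regardless of precedence. The same expression is carried unchanged into the second patch's hunk. The line wrapping of the search value's context lines is not recoverable from this chunk, so the quoted lines are shown joined.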
@@ -14,12 +14,12 @@ description: The following analytic identifies outbound LDAP traffic to external
 network compromise.
 data_source:
 - Bro
-search: '| tstats `security_content_summariesonly` earliest(_time) as earliest_time latest(_time) as latest_time values(All_Traffic.dest_ip)
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_ip)
 as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name("All_Traffic")` | where src_ip != dest_ip
- | `security_content_ctime(latest_time)` | `security_content_ctime(earliest_time)`
+ | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
 |`detect_outbound_ldap_traffic_filter`'
 how_to_implement: In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated.
 known_false_positives: Unknown at this moment. Outbound LDAP traffic should not be