-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add LDAP firewall application rules #4528
base: master
Are you sure you want to change the base?
Conversation
Hi @dekelpaz and thanks for this contribution :) Can you please provide logs of your testing to make the review process easier. Thanks in advance and welcome to the Sigma community. |
@nasbench is this the type of log you're looking for? |
Yes, thank you. If you have more events related to the rules you submitted that would be great. |
LDAPFW_sAMAccountName_spoofing.evtx.zip Here is a log for the sAMAccountName spoofing rule |
hey @nasbench, any updates on this review? do you need anything else from me? |
Last time i checked this I figured that i would need to perform a little bit more testing to confirm the findings and I just didn't yet get around to it. Overall the rules looked fine but I would still need to update their metadata (title, description, level) as well as update some of the detection logic as those fields aren't parsed and are part of the data element of the event log. I'll try to get this merged before next release. |
Summary of the Pull Request
Added new Sigma application rules for LDAP Firewall
Changelog
new: ldap_firewall_bloodhound.yml
new: ldap_firewall_laps.yml
new: ldap_firewall_name_impersonation.yml
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions