False Positives in "Detect Outbound LDAP Traffic" detection
ccl0utier opened this issue · comments
Running the Detect Outbound LDAP Traffic detection yields multiple false positives.
We might want to add logic to the current rule to check that the source of the traffic is from an RFC1918 network address?
For example, in my environment, I'll get a lot of events returned from people scanning my border firewall (24.230.x.x in the picture below) for an open port on TCP/389 or TCP/636:
This detection is a hunting analytic. It is not intended to create notables. It is the intention that hunting analytics are used by analysts as jumping-off points looking for behavior that is not normal for their environment, which is why the majority of them are broad and do not filter out as many things as possible that could be false positives in any one environment.
Sensor placement is incredibly important for these analytics and cannot be prescribed in SPL. Dependent on sensor placement, I would suggest utilizing All_Traffic.direction to match the intended purpose of the search, or putting values in the detect_outbound_ldap_traffic_filter filter macro to remove results that are known-benign.
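The two tuning ideas raised in this thread (only treat RFC1918 sources as "outbound", and honour a sensor-supplied direction field or a known-benign filter list) expressed as plain Python over constructed sample events. This is an added example, not the detection's SPL or any code from the security_content project; the event field names (src, dest, dest_port, direction) mirror the Network_Traffic data model, the KNOWN_BENIGN_DESTS set is a hypothetical stand-in for the detect_outbound_ldap_traffic_filter macro, and all addresses are from documentation ranges.

```python
"""Tuning logic for an outbound-LDAP hunt, applied to constructed sample events.

Added example: shows how restricting the source to RFC1918 space, honouring a
direction field, and applying a known-benign list removes an external port
scan of the border firewall while keeping a genuine internal-to-internet hit.
"""
import ipaddress
from typing import Iterable

# RFC1918 private ranges. Note: ipaddress' is_private property covers more
# than these three blocks, so the networks are listed explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LDAP_PORTS = {389, 636}

# Hypothetical stand-in for the detect_outbound_ldap_traffic_filter macro:
# destinations an analyst has already reviewed and accepted as benign.
KNOWN_BENIGN_DESTS = {"192.0.2.20"}


def is_rfc1918(ip: str) -> bool:
    """True for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def is_outbound_ldap_candidate(event: dict) -> bool:
    """True when an internal host reaches LDAP/LDAPS outside private address space."""
    if int(event.get("dest_port", 0)) not in LDAP_PORTS:
        return False
    # A sensor-provided direction (All_Traffic.direction) wins when present.
    direction = event.get("direction")
    if direction is not None and direction != "outbound":
        return False
    # Source must be RFC1918: an external scanner hitting the border
    # firewall on 389/636 is inbound noise, not outbound LDAP.
    if not is_rfc1918(event["src"]):
        return False
    # Internal client to internal directory server is expected traffic.
    if is_rfc1918(event["dest"]):
        return False
    return event["dest"] not in KNOWN_BENIGN_DESTS


def hunt(events: Iterable[dict]) -> list:
    """Return only the events an analyst should still look at."""
    return [e for e in events if is_outbound_ldap_candidate(e)]


# Constructed sample events (documentation-range addresses, Network_Traffic-style fields).
SAMPLE_EVENTS = [
    {"src": "203.0.113.44", "dest": "198.51.100.1", "dest_port": 389},  # external scan of border firewall
    {"src": "203.0.113.44", "dest": "198.51.100.1", "dest_port": 636},  # same scanner, LDAPS port
    {"src": "10.1.2.3", "dest": "10.1.2.10", "dest_port": 389},         # workstation to internal DC
    {"src": "10.1.2.3", "dest": "192.0.2.7", "dest_port": 636},         # internal host to internet LDAPS
    {"src": "10.1.2.3", "dest": "192.0.2.20", "dest_port": 389},        # already in the benign list
    {"src": "192.168.5.9", "dest": "192.0.2.7", "dest_port": 443},      # not LDAP at all
    {"src": "172.16.4.4", "dest": "192.0.2.9", "dest_port": 389, "direction": "inbound"},  # sensor says inbound
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e)
```

Only the 10.1.2.3 to 192.0.2.7:636 event survives; the border-firewall scan, the internal DC traffic, the benign-listed destination and the sensor-flagged inbound flow are all dropped. The same decisions map onto the SPL suggestions above: the RFC1918 source test is what a where clause on All_Traffic.src would do, and KNOWN_BENIGN_DESTS is what the filter macro holds.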
@ljstella Thanks, that makes perfect sense. I missed the fact that it was a hunting analytic.