Network Connection to New External LDAP Server

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This query detects outbound network connections using the LDAP protocol to external IP addresses that have not had an LDAP network connection in the past 14 days. This could indicate exploitation of CVE-2021-44228 vulnerability.

Attribute	Value
Type	Hunting Query
Solution	Apache Log4j Vulnerability Detection
ID	`bf094505-fd2e-484f-b72a-acd79ee00ce8`
Tactics	InitialAccess
Techniques	T1190
Required Connectors	CheckPoint, CiscoASA, CiscoAsaAma, PaloAltoNetworks
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`CommonSecurityLog`	`ApplicationProtocol == "ldap"` `DeviceAction has_any "allow"`	✓	✓	✓

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries · Back to Apache Log4j Vulnerability Detection