
[BUG] Detect Outbound LDAP Traffic, missing dm summary macro

Open DipsyTipsy opened this issue 1 year ago • 1 comments

Describe the bug

The search for "Detect Outbound LDAP Traffic" is missing the macro `security_content_summariesonly`, causing the search to always run without using the dm summary.

https://github.com/splunk/security_content/blob/develop/detections/network/detect_outbound_ldap_traffic.yml

Expected behavior

The search should reference the macro to behave the same as other tstats searches in ESCU.

Maybe some check for tstats + security_content_summariesonly should be implemented?

DipsyTipsy avatar Oct 18 '24 07:10 DipsyTipsy
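The issue above asks for a content check that flags tstats searches which do not call `security_content_summariesonly`. The following is an added example of such a lint, not code from contentctl or the security_content repository. It assumes a detection YAML file carries its SPL under a top-level `search:` key (as a single-line or block scalar) and that the macro appears in the search exactly as `` `security_content_summariesonly` ``; the two detection documents below are constructed samples, not the real detect_outbound_ldap_traffic.yml.

```python
"""Lint: any detection whose search pipes into tstats must reference the
security_content_summariesonly macro, so the search runs against the
accelerated data model summary instead of raw events.

Hypothetical check written for this example; it is not part of contentctl.
"""
import re
from typing import Dict, List

# "| tstats" anywhere in the pipeline, or a search that begins with tstats.
TSTATS_RE = re.compile(r"(^\s*|\|\s*)tstats\b", re.IGNORECASE)
# Macro name taken from the issue; SPL wraps macros in backticks.
MACRO_RE = re.compile(r"`security_content_summariesonly`")


def extract_search(yaml_text: str) -> str:
    """Return the value of the top-level `search:` key.

    Minimal hand-rolled extraction so the example runs without PyYAML:
    handles an inline scalar and a `|` / `>` block scalar (indented lines
    until the next unindented key). A production check would use
    yaml.safe_load instead.
    """
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^search:\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        if value in ("|", ">", "|-", ">-"):
            block: List[str] = []
            for nxt in lines[i + 1:]:
                if nxt.strip() == "":
                    continue
                if not nxt.startswith(" "):
                    break  # next top-level key ends the block scalar
                block.append(nxt.strip())
            return " ".join(block)
        return value.strip("'\"")
    return ""


def uses_tstats(search: str) -> bool:
    return bool(TSTATS_RE.search(search))


def lint_detection(name: str, yaml_text: str) -> List[str]:
    """Return a list of findings (empty when the detection passes)."""
    search = extract_search(yaml_text)
    if not search:
        return [f"{name}: no search field found"]
    if uses_tstats(search) and not MACRO_RE.search(search):
        return [f"{name}: tstats search does not call `security_content_summariesonly`"]
    return []


def lint_all(detections: Dict[str, str]) -> Dict[str, List[str]]:
    """Lint several detections; only those with findings are reported."""
    report = {}
    for name, text in detections.items():
        findings = lint_detection(name, text)
        if findings:
            report[name] = findings
    return report


# Constructed sample: the defect the issue describes (no macro call).
BAD_DETECTION_YAML = """\
name: Outbound LDAP sample (constructed, missing macro)
search: |
  | tstats count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Network_Traffic
  where All_Traffic.dest_port=389
  by All_Traffic.src All_Traffic.dest
how_to_implement: constructed sample
"""

# Constructed sample: the corrected form with the macro in place.
GOOD_DETECTION_YAML = """\
name: Outbound LDAP sample (constructed, with macro)
search: |
  | tstats `security_content_summariesonly` count
  from datamodel=Network_Traffic
  where All_Traffic.dest_port=389
  by All_Traffic.src All_Traffic.dest
how_to_implement: constructed sample
"""

# Constructed sample: a raw-event search, which the rule must not flag.
RAW_DETECTION_YAML = """\
name: Raw event sample (constructed, not tstats)
search: 'index=network dest_port=389 | stats count by src dest'
"""

if __name__ == "__main__":
    for det, msgs in lint_all({
        "bad": BAD_DETECTION_YAML,
        "good": GOOD_DETECTION_YAML,
        "raw": RAW_DETECTION_YAML,
    }).items():
        for msg in msgs:
            print(msg)
```

Running the module prints a single finding for the constructed "bad" detection and nothing for the other two; wiring `lint_all` into a pre-merge step over the `detections/` tree is what the issue's suggested contentctl check amounts to.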

Thank you for opening this. Here is a PR with the pointed fix, but we will do a review to see if we have other content missing this macro as well and consider whether this should be a check in contentctl: https://github.com/splunk/security_content/pull/3168

Since this PR is not merged yet, I will leave this issue open until the issue is resolved.

pyth0n1c avatar Oct 18 '24 10:10 pyth0n1c

@DipsyTipsy : thank you for raising the issue. The fix has been merged and we will release this update in 4.43.0!

patel-bhavin avatar Nov 06 '24 19:11 patel-bhavin