Inspected LDAP / Kerberos / DCE/RPC Traffic
Shows inspected traffic requests over time on the selected domain controller
Identity monitoring
FDR intermediate by CrowdStrike (cql-hub.com)
Query
#repo=base_sensor #event_simpleName=/^ActiveDirectory(?:(?!Audit|Account).)*$/i
| aid=?SelectedAid
| case {
ActiveDirectoryDataProtocol=0 | Protocol:="LDAP";
ActiveDirectoryDataProtocol=1 | Protocol:="DCE/RPC";
ActiveDirectoryDataProtocol=2 | Protocol:="SMB";
ActiveDirectoryAuthenticationMethod=/[1,2,5]/F | Protocol:="NTLM";
ActiveDirectoryAuthenticationMethod=0 | Protocol:="Kerberos";
}
| timeChart(span=15m, series=Protocol, function=sum("AggregationActivityCount"))
Explanation
Imported from cql-hub.com. Add the pipe-by-pipe explanation here.
Variables to adjust
Review and adjust the values (for example ?SelectedAid) to match your environment.
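The query above filters base_sensor events whose #event_simpleName starts with ActiveDirectory but contains neither Audit nor Account, keeps only the selected domain controller (aid=?SelectedAid), maps each event to a protocol label with a case{} block in which the first matching branch wins and events matching no branch are dropped, and then sums AggregationActivityCount per protocol in 15-minute buckets. The following Python reimplementation is an added example, not code from cql-hub.com or CrowdStrike; it is useful for checking the mapping offline against a handful of exported FDR events. The field names come from the query on the page; the event names, timestamps and counts in SAMPLE_EVENTS are constructed, and the event-name values are hypothetical. Note that the page's NTLM branch uses the character class [1,2,5], which also contains a literal comma; that is harmless for single-digit values, and the example keeps the same class so the behaviour matches.

```python
import re
from collections import defaultdict

# Regexes copied from the query on the page. LogScale field=/regex/ is an
# unanchored search, so re.search() mirrors it (the event-name regex anchors itself).
EVENT_NAME_RE = re.compile(r"^ActiveDirectory(?:(?!Audit|Account).)*$", re.I)
AUTH_NTLM_RE = re.compile(r"[1,2,5]")

SPAN_SECONDS = 15 * 60  # timeChart(span=15m)
T0 = 1699999200         # constructed epoch-seconds base, aligned to a 15m boundary

# Constructed sample events (not real FDR data). event_simpleName values are
# hypothetical; the ActiveDirectory* field names are the ones the query uses.
SAMPLE_EVENTS = [
    {"timestamp": T0 + 10,   "aid": "aid-1", "event_simpleName": "ActiveDirectoryServiceAccessRequest",
     "ActiveDirectoryDataProtocol": 0, "AggregationActivityCount": 12},
    {"timestamp": T0 + 300,  "aid": "aid-1", "event_simpleName": "ActiveDirectoryServiceAccessRequest",
     "ActiveDirectoryDataProtocol": 1, "AggregationActivityCount": 5},
    {"timestamp": T0 + 600,  "aid": "aid-1", "event_simpleName": "ActiveDirectoryAuthenticationRequest",
     "ActiveDirectoryAuthenticationMethod": 2, "AggregationActivityCount": 3},
    {"timestamp": T0 + 700,  "aid": "aid-1", "event_simpleName": "ActiveDirectoryAuthenticationRequest",
     "ActiveDirectoryAuthenticationMethod": 0, "AggregationActivityCount": 9},
    {"timestamp": T0 + 920,  "aid": "aid-1", "event_simpleName": "ActiveDirectoryServiceAccessRequest",
     "ActiveDirectoryDataProtocol": 2, "AggregationActivityCount": 4},
    # Excluded by the event-name regex ("Audit").
    {"timestamp": T0 + 950,  "aid": "aid-1", "event_simpleName": "ActiveDirectoryAuditEvent",
     "ActiveDirectoryDataProtocol": 0, "AggregationActivityCount": 100},
    # Excluded by the aid filter (different domain controller).
    {"timestamp": T0 + 960,  "aid": "aid-2", "event_simpleName": "ActiveDirectoryServiceAccessRequest",
     "ActiveDirectoryDataProtocol": 0, "AggregationActivityCount": 50},
    # Matches no case{} branch, so the event is dropped from the chart.
    {"timestamp": T0 + 1000, "aid": "aid-1", "event_simpleName": "ActiveDirectoryAuthenticationRequest",
     "ActiveDirectoryAuthenticationMethod": 7, "AggregationActivityCount": 6},
    # Both fields present: the first matching branch (LDAP) wins, not Kerberos.
    {"timestamp": T0 + 1100, "aid": "aid-1", "event_simpleName": "ActiveDirectoryServiceAccessRequest",
     "ActiveDirectoryDataProtocol": 0, "ActiveDirectoryAuthenticationMethod": 0, "AggregationActivityCount": 2},
]


def classify(event):
    """Mirror the case{} block: branches are tested in order, first match wins,
    and None means no branch matched (the event would be dropped)."""
    dp = event.get("ActiveDirectoryDataProtocol")
    am = event.get("ActiveDirectoryAuthenticationMethod")
    if dp == 0:
        return "LDAP"
    if dp == 1:
        return "DCE/RPC"
    if dp == 2:
        return "SMB"
    if am is not None and AUTH_NTLM_RE.search(str(am)):
        return "NTLM"
    if am == 0:
        return "Kerberos"
    return None


def time_chart(events, selected_aid, span_seconds=SPAN_SECONDS):
    """Apply the filters and the protocol mapping, then sum
    AggregationActivityCount per protocol per time bucket, like the timeChart()."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("aid") != selected_aid:
            continue
        if not EVENT_NAME_RE.search(ev.get("event_simpleName", "")):
            continue
        protocol = classify(ev)
        if protocol is None:
            continue
        bucket = ev["timestamp"] // span_seconds * span_seconds
        buckets[bucket][protocol] += int(ev.get("AggregationActivityCount", 0))
    return {b: dict(series) for b, series in sorted(buckets.items())}


if __name__ == "__main__":
    for bucket, series in time_chart(SAMPLE_EVENTS, "aid-1").items():
        print(bucket, series)
```

Replace SAMPLE_EVENTS with events exported from the repository and "aid-1" with the real sensor ID to compare the offline result with the chart; if a protocol you expect is missing, the event most likely matched no branch (classify() returns None) or was excluded by the event-name regex.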