From 3a217534995d0ed3b9e4efb98fd8915432c6818e Mon Sep 17 00:00:00 2001
From: Dekel Paz
Date: Thu, 2 Nov 2023 10:03:46 +0200
Subject: [PATCH] fix(rules): fix rule for ldapfw name impersonation
---
 .../ldap_firewall/ldap_firewall_name_impersonation.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml b/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml
index ffdfa9d7f39..74c2586c2af 100644
--- a/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml
+++ b/rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml
@@ -21,8 +21,8 @@ logsource:
 detection:
 selection:
 EventLog: LDAPFW
- EventID: 259
- DN|re: 'sAMAccountName:\w+[,][\s]'
+ EventID: 261
+ EntryList|re: 'sAMAccountName:[^,$]*([,]{1}|$)'
 condition: selection
 falsepositives:
 - Unknown
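Review bot: In the new `EntryList|re` pattern the `$` inside `[^,$]` is a literal dollar sign, not an end anchor, so the selection skips any sAMAccountName value that contains `$` anywhere rather than only values that end in `$`. If the intent is to match names that lack the trailing `$` (inferred from the rule name; the title and description are outside the hunk), `EntryList|re: 'sAMAccountName:[^,]*[^,$](,|$)'` tests only the last character and also drops the redundant `[,]{1}`. Either way a short comment above the line, such as `# '$' in the class is literal: values ending in '$' are excluded`, would stop readers from taking it for an anchor. The selection as shown also matches every event 261 entry whose sAMAccountName has no `$`, which presumably includes ordinary user-account changes, so `falsepositives: Unknown` may deserve an update.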