
Summary
This rule identifies outbound LDAP traffic directed to external IP addresses, specifically connections using ports 389 (LDAP) and 636 (LDAPS). It uses the Network_Traffic data model to track these connections and excludes traffic destined for the private IP ranges defined in RFC1918. The detection matters because unauthorized or unusual outbound LDAP requests can indicate attempted data exfiltration or unauthorized access to directory services, and such activity can escalate into data breaches and broader network compromise. Monitoring for these connections lets organizations proactively mitigate the risks associated with LDAP traffic reaching external entities.
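The detection logic described above, as an added worked example that is not part of the original rule or its search: it applies the same two conditions (destination port 389 or 636, destination address outside the RFC1918 ranges) to records shaped like the Network_Traffic data model fields src_ip, dest_ip and dest_port, then aggregates matches per source/destination pair the way an analyst would pivot on them. The function names, the record layout and the sample records are assumptions constructed for this example; the records are not real telemetry. It also shows two edge cases the rule's wording implies: the 172.16.0.0/12 boundary (172.31.x is private, 172.32.x is not) and the fact that an RFC1918-only exclusion treats every IPv6 destination as external.

```python
import ipaddress
from collections import Counter
from typing import Iterable

# Ports the rule watches: 389 (LDAP) and 636 (LDAPS).
LDAP_PORTS = {389, 636}

# RFC1918 private ranges; destinations inside these are excluded by the rule.
RFC1918_NETWORKS = tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(ip: str) -> bool:
    """True if `ip` is an IPv4 address inside an RFC1918 range.

    Raises ValueError for strings that are not valid IP addresses. IPv6
    addresses are never RFC1918, so this exclusion treats them as external.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def is_outbound_ldap(event: dict) -> bool:
    """Apply the rule's logic to one Network_Traffic-style record (assumed layout).

    A record matches when dest_port is 389 or 636 and dest_ip is not in an
    RFC1918 range. Records with a missing or unparsable dest_ip/dest_port
    cannot be classified and are treated as non-matching.
    """
    try:
        port = int(event["dest_port"])
        external = not is_rfc1918(event["dest_ip"])
    except (KeyError, ValueError, TypeError):
        return False
    return port in LDAP_PORTS and external


def summarize(events: Iterable[dict]) -> list:
    """Group matching records by (src_ip, dest_ip, dest_port) with a count,
    ordered by count descending, then by key, for triage."""
    counts = Counter(
        (e["src_ip"], e["dest_ip"], int(e["dest_port"]))
        for e in events
        if is_outbound_ldap(e)
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample records (not real telemetry), using documentation
# address ranges for the external destinations.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "dest_port": 389, "transport": "tcp"},
    {"src_ip": "10.1.2.3", "dest_ip": "10.1.2.4", "dest_port": 389, "transport": "tcp"},        # internal, excluded
    {"src_ip": "192.168.5.6", "dest_ip": "198.51.100.7", "dest_port": "636", "transport": "tcp"},  # port as string
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "dest_port": 443, "transport": "tcp"},    # not LDAP
    {"src_ip": "10.1.2.3", "dest_ip": "172.31.255.1", "dest_port": 636, "transport": "tcp"},    # inside 172.16/12
    {"src_ip": "10.1.2.3", "dest_ip": "172.32.0.1", "dest_port": 389, "transport": "tcp"},      # just outside 172.16/12
    {"src_ip": "10.1.2.3", "dest_ip": "not-an-ip", "dest_port": 389, "transport": "tcp"},       # unparsable, skipped
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "dest_port": 389, "transport": "tcp"},
]

if __name__ == "__main__":
    for (src, dst, port), n in summarize(SAMPLE_EVENTS):
        print(f"{src} -> {dst}:{port}  count={n}")
```

The exclusion is deliberately limited to the three RFC1918 blocks named by the rule; if your environment routes LDAP to other non-public space (carrier-grade NAT, IPv6 ULA), extend RFC1918_NETWORKS rather than switching to a broader "is private" test, so the logic stays explicit about what it excludes.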
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1190
- T1059
Created: 2024-11-15