Anomalous Amount of LDAP traffic
Anomalous LDAP Traffic
Query
// Variables to define the anomalous behaviour
let starttime = 30d;
let endtime = 1d;
// Timeframe in which the amount of LDAP queries are counted
let timeframe = 1h;
let TotalEventsThreshold = 1;
// Collect workstation devicenames
let Workstations = DeviceInfo
| where Timestamp > ago(30d)
| where DeviceType == "Workstation"
| distinct DeviceName;
// Collect LDAP statistics for each device
let TimeSeriesData = IdentityQueryEvents
| where ActionType == "LDAP query"
// If you want to have all devices included remove line below.
| where DeviceName in~ (Workstations)
| make-series PerHourCount=count() on Timestamp from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceName;
// Generate LDAP baseline for each device
let TimeSeriesAlerts=TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(PerHourCount, 1.5, -1, 'linefit')
| mv-expand
PerHourCount to typeof(double),
Timestamp to typeof(datetime),
anomalies to typeof(double),
score to typeof(double),
baseline to typeof(long);
TimeSeriesAlerts
| where anomalies > 0
// Baseline is the most important result, that is the avarage amount of LDAP queries executed by a device, the PerHourCount shows the deviation from this amount.
| project DeviceName, Timestamp, PerHourCount, baseline, anomalies, score
| where PerHourCount > TotalEventsThresholdAbout this query
Explanation
This query is designed to detect unusual amounts of LDAP (Lightweight Directory Access Protocol) traffic originating from devices within a network. LDAP is often used by adversaries to gather information about the network environment, which is a technique known as Account Discovery.
Here's a simple breakdown of what the query does:
-
Define Time Periods: The query sets a start and end time to define the period over which it will analyze LDAP traffic. It also sets a timeframe (e.g., hourly) to count the number of LDAP queries.
-
Threshold for Inclusion: It specifies a threshold to include only those devices that have performed at least one LDAP query.
-
Focus on Workstations: By default, the query focuses on workstations (not servers), but this can be adjusted if needed.
-
Collect Data: It gathers data on LDAP queries from devices, specifically counting how many queries each device makes within the specified timeframe.
-
Identify Anomalies: The query establishes a baseline of normal LDAP query activity for each device and identifies any anomalies—instances where the number of queries significantly deviates from the baseline.
-
Output: The results highlight devices with anomalous LDAP activity, showing the device name, time of the anomaly, the number of queries, the baseline (average) number of queries, and the anomaly score.
The purpose of this query is to help identify devices that may have been compromised and are being used to perform reconnaissance activities within the network. If a device shows unusual LDAP activity, it may warrant further investigation to determine if it has been compromised.
