Query Details

Cleartext LDAP

Query

IdentityLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "LDAP cleartext" and isnotempty(AccountName)
| summarize Count = count() by DeviceName, AccountName, Application, LogonType

Explanation

This query reads the IdentityLogonEvents table (Microsoft Defender for Identity sign-in telemetry surfaced through advanced hunting) and keeps only events from the last 7 days whose LogonType is "LDAP cleartext" and whose AccountName is populated. A LogonType of "LDAP cleartext" is a simple LDAP bind sent over an unencrypted connection, so the account's password crossed the network in the clear and could be read by anyone positioned between the source host and the domain controller. Requiring a non-empty AccountName drops anonymous binds, which carry no credential and are not the concern here. The results are grouped by DeviceName (the host that performed the bind), AccountName, Application and LogonType, with a count per combination, which gives a prioritised list of the hosts, accounts and applications that need to be moved to LDAPS (or StartTLS) before LDAP signing and channel binding are enforced on the domain controllers. Service accounts that appear with high counts are the usual culprits and are also the accounts whose passwords should be rotated once the source is fixed.
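The following is an added variant, not part of the original query on this page, that rolls the same filter up per account instead of per device, so that one row tells you everywhere a given account is still binding in the clear. It assumes the IdentityLogonEvents columns AccountDomain, IPAddress and DestinationDeviceName (the domain controller that received the bind) are populated in your tenant; the make_set size limits are arbitrary choices.

```kql
// Added example: per-account summary of cleartext LDAP binds over the last 7 days.
// Assumes IdentityLogonEvents exposes AccountDomain, IPAddress and
// DestinationDeviceName, as it does in Microsoft 365 Defender advanced hunting.
IdentityLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "LDAP cleartext" and isnotempty(AccountName)
| summarize BindCount      = count(),
            FirstSeen      = min(Timestamp),
            LastSeen       = max(Timestamp),
            SourceDevices  = make_set(DeviceName, 20),           // hosts performing the bind
            SourceIPs      = make_set(IPAddress, 20),
            TargetDCs      = make_set(DestinationDeviceName, 10), // DCs that accepted it
            Applications   = make_set(Application, 10)
  by AccountName, AccountDomain
| order by BindCount desc
```

Sort by LastSeen instead of BindCount when you are verifying a fix: an account that was moved to LDAPS should stop appearing, and any row whose LastSeen is still advancing points at a source that was missed.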

Details


C.J. May

Released: January 3, 2022

Tables

IdentityLogonEvents

Keywords

IdentityLogonEvents,Timestamp,LogonType,AccountName,DeviceName,Application

Operators

|, where, >, ago, ==, and, isnotempty, summarize, count(), by
