Query Details
// DefenderXDR LDAP Enumeration Detection
// Known administrator account(s) to exclude from the results
let ADAdministrator = dynamic(["[email protected]"]);
IdentityQueryEvents
| where ActionType == "LDAP query"
| where QueryType == "AllObjects"
// Pull the object count out of the AdditionalFields JSON
| extend LDAPQueryCount = toint(parse_json(AdditionalFields)["Count"])
// Flag only high-volume queries
| where LDAPQueryCount > 500
// Drop the known administrator account(s)
| where not (TargetAccountUpn has_any (ADAdministrator))
This query is designed to detect potential LDAP enumeration activities within a network using DefenderXDR. Here's a simple breakdown of what it does:
Define Administrators: It starts by defining a list of administrator accounts, in this case, just one: "[email protected]".
Filter Events: It looks at events related to identity queries, specifically those where the action type is "LDAP query" and the query type is "AllObjects". This means it's focusing on LDAP queries that request information about all objects in the directory.
Count LDAP Queries: It extracts the "Count" value from the event's AdditionalFields JSON and converts it to an integer (toint returns null if the value is missing or not numeric, so such rows fall out at the next step).
Threshold Check: It keeps only events where that count is greater than 500, a volume high enough to be suspicious.
Exclude Administrators: Finally, it excludes any queries made by the specified administrator account(s) from the results. This means it focuses on detecting unusual activity from non-administrator accounts.
In summary, this query identifies non-administrator accounts making a large number of LDAP queries, which could indicate an attempt to enumerate directory information.
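As an added illustration (not part of the original page and not Defender's own code), the following Python reproduces the query's filtering steps over a handful of constructed IdentityQueryEvents-style rows: same ActionType/QueryType filters, the same parse of "Count" from AdditionalFields, the 500 threshold, and the administrator exclusion. The `has_any` operator is approximated here as a case-insensitive containment match, and the sample UPNs and counts are made up.

```python
import json
from typing import Iterable, Optional

# Mirrors the page's ADAdministrator list (the obfuscated value is kept as-is).
AD_ADMINISTRATORS = ["[email protected]"]
LDAP_QUERY_THRESHOLD = 500  # same cutoff as `LDAPQueryCount > 500`

# Constructed rows shaped like IdentityQueryEvents; not real Defender telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-03-11T08:00:00Z", "ActionType": "LDAP query", "QueryType": "AllObjects",
     "AccountUpn": "svc-scan@example.test", "TargetAccountUpn": "svc-scan@example.test",
     "AdditionalFields": json.dumps({"Count": 1200})},          # expected hit
    {"Timestamp": "2025-03-11T08:05:00Z", "ActionType": "LDAP query", "QueryType": "AllObjects",
     "AccountUpn": "[email protected]", "TargetAccountUpn": "[email protected]",
     "AdditionalFields": json.dumps({"Count": 3000})},          # administrator: excluded
    {"Timestamp": "2025-03-11T08:10:00Z", "ActionType": "LDAP query", "QueryType": "AllObjects",
     "AccountUpn": "jdoe@example.test", "TargetAccountUpn": "jdoe@example.test",
     "AdditionalFields": json.dumps({"Count": 120})},           # below threshold
    {"Timestamp": "2025-03-11T08:15:00Z", "ActionType": "LDAP query", "QueryType": "SingleObject",
     "AccountUpn": "jdoe@example.test", "TargetAccountUpn": "jdoe@example.test",
     "AdditionalFields": json.dumps({"Count": 900})},           # not an AllObjects query
    {"Timestamp": "2025-03-11T08:20:00Z", "ActionType": "LDAP query", "QueryType": "AllObjects",
     "AccountUpn": "wkst42$@example.test", "TargetAccountUpn": "wkst42$@example.test",
     "AdditionalFields": "not-json"},                           # toint() would be null: dropped
]


def parse_ldap_count(additional_fields: str) -> Optional[int]:
    """Equivalent of toint(parse_json(AdditionalFields)["Count"]): None on any failure."""
    try:
        return int(json.loads(additional_fields)["Count"])
    except (TypeError, ValueError, KeyError):
        return None


def is_admin_target(target_upn: str) -> bool:
    """Approximates `TargetAccountUpn has_any (ADAdministrator)` (case-insensitive)."""
    upn = (target_upn or "").lower()
    return any(admin.lower() in upn for admin in AD_ADMINISTRATORS)


def is_suspicious_ldap_query(event: dict) -> bool:
    """Apply the query's four filters to a single event row."""
    if event.get("ActionType") != "LDAP query":
        return False
    if event.get("QueryType") != "AllObjects":
        return False
    count = parse_ldap_count(event.get("AdditionalFields", ""))
    if count is None or count <= LDAP_QUERY_THRESHOLD:
        return False
    return not is_admin_target(event.get("TargetAccountUpn", ""))


def detect_ldap_enumeration(events: Iterable[dict]) -> list:
    """Return the rows the KQL query would surface."""
    return [e for e in events if is_suspicious_ldap_query(e)]


if __name__ == "__main__":
    for hit in detect_ldap_enumeration(SAMPLE_EVENTS):
        print(f"{hit['Timestamp']} {hit['AccountUpn']} ran an AllObjects LDAP query "
              f"returning {parse_ldap_count(hit['AdditionalFields'])} objects")
```

Running the script prints the single service-account row; the administrator row, the low-count row, the single-object query and the malformed row are all dropped, which matches the step-by-step description above. Triage of a hit would normally start from AccountUpn (who ran the query) and the device it came from.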

Steven Lim
Released: March 11, 2025