Query Details

Device Summarize LDAP and LDAPS Traffic

Query

//Create a summary of the devices with inbound LDAP and LDAPS connections, sorted by the devices with the most inbound LDAP

//Data connector required for this query - M365 Defender - Device* tables or Advanced Hunting license

//Query works in both Microsoft Sentinel and Advanced Hunting
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (389, 636, 3269)
| summarize
    ['Count of Inbound LDAP Connections']=countif(LocalPort == 389),
    ['Count of Distinct Inbound LDAP Connections']=dcountif(RemoteIP, LocalPort == 389),
    ['List of Inbound LDAP Connections']=make_set_if(RemoteIP, LocalPort == 389),
    ['Count of Inbound LDAPS Connections']=countif(LocalPort in (636, 3269)),
    ['Count of Distinct Inbound LDAPS Connections']=dcountif(RemoteIP, LocalPort in (636, 3269)),
    ['List of Inbound LDAPS Connections']=make_set_if(RemoteIP, LocalPort in (636, 3269))
    by DeviceName
| sort by ['Count of Distinct Inbound LDAP Connections'] desc

Explanation

This query summarizes the devices that have inbound LDAP and LDAPS connections. It counts the number of inbound LDAP and LDAPS connections for each device, as well as the distinct number of connections. It also provides a list of the specific IP addresses associated with each type of connection. The devices are sorted in descending order based on the distinct number of inbound LDAP connections.
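The following variant is an added example and not Matt Zorich's original query. It builds on the same DeviceNetworkEvents columns (Timestamp, DeviceName, ActionType, LocalPort, RemoteIP) and the same three ports, but splits the summary by channel, records first and last seen times, and removes devices that are expected to serve LDAP. The ExpectedDirectoryServers list and its host names are constructed placeholders; replace them with the organisation's own domain controllers. Note that port 389 traffic is not necessarily unencrypted (clients may negotiate STARTTLS or SASL signing and sealing), so the "LDAP" bucket should be read as "not LDAPS" rather than "cleartext".

```kql
// Added example: inbound LDAP/LDAPS summary, split by channel, with expected
// directory servers filtered out so that unexpected LDAP listeners stand out.
// ExpectedDirectoryServers is a constructed placeholder list (assumption).
let ExpectedDirectoryServers = datatable(DeviceName:string)
[
    "dc01.contoso.local",   // constructed placeholder host names
    "dc02.contoso.local"
];
let lookback = 7d;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (389, 636, 3269)
// Label the port so LDAP and LDAPS are summarised as separate rows per device
| extend Channel = case(
    LocalPort == 389, "LDAP",
    LocalPort in (636, 3269), "LDAPS",
    "other")
| summarize
    ['Inbound Connections']=count(),
    ['Distinct Remote IPs']=dcount(RemoteIP),
    ['Remote IPs']=make_set(RemoteIP, 50),   // cap the set so wide hits stay readable
    ['First Seen']=min(Timestamp),
    ['Last Seen']=max(Timestamp)
    by DeviceName, Channel
// Drop devices that are known to accept LDAP; anything left warrants a look
| join kind=leftanti ExpectedDirectoryServers on DeviceName
| sort by ['Distinct Remote IPs'] desc
```

Run it in Microsoft Sentinel or Advanced Hunting in the same way as the query above. Devices that remain after the leftanti join are accepting LDAP or LDAPS connections without being on the expected list, which is the case a defender usually wants surfaced first.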

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,LocalPort,389,636,3269,CountofInboundLDAPConnections,CountofDistinctInboundLDAPConnections,ListofInboundLDAPConnections,CountofInboundLDAPSConnections,CountofDistinctInboundLDAPSConnections,ListofInboundLDAPSConnections,DeviceName

Operators

where, |, ==, in, summarize, countif, dcountif, make_set_if, by, sort by, desc
