Query Details

Identity Logon Events Summarize Clear Text LDAP

Query

//Summarize the accounts in your environment using cleartext LDAP connections

//Data connector required for this query - M365 Defender - Identity* tables

//Microsoft Sentinel query
IdentityLogonEvents
| where TimeGenerated > ago (30d)
| where LogonType == "LDAP cleartext"
| summarize
    ['Total connection count']=count(),
    ['Distinct destination device count']=dcount(DestinationDeviceName),
    ['List of destination devices']=make_set(DestinationDeviceName)
    by AccountUpn
| sort by ['Distinct destination device count'] desc 

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

IdentityLogonEvents
| where Timestamp > ago (30d)
| where LogonType == "LDAP cleartext"
| summarize
    ['Total connection count']=count(),
    ['Distinct destination device count']=dcount(DestinationDeviceName),
    ['List of destination devices']=make_set(DestinationDeviceName)
    by AccountUpn
| sort by ['Distinct destination device count'] desc 

Explanation

This query summarizes the accounts in your environment that have used cleartext LDAP connections in the last 30 days. For each account it counts the total number of connections, counts the distinct destination devices, and lists those destination devices. The results are sorted by the number of distinct destination devices in descending order, so the accounts spraying cleartext binds across the most servers appear first.
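To show what the summarize stage produces and how the 30-day window and the LogonType filter interact, here is the same logic run over a few constructed rows in the shape of IdentityLogonEvents (an added example, not part of the original query or of Matt Zorich's code). The account and device names are made up, the reference time is pinned so the window is reproducible against fixed data, and the First seen / Last seen columns are an addition the original query does not have.

```kql
// Constructed sample rows in the shape of IdentityLogonEvents (not real telemetry).
// Only the columns the query touches are modelled.
let SampleIdentityLogonEvents = datatable(TimeGenerated:datetime, LogonType:string, AccountUpn:string, DestinationDeviceName:string)
[
    datetime(2022-06-10 08:00:00), "LDAP cleartext", "svc-backup@contoso.example", "DC01.contoso.example",
    datetime(2022-06-10 08:05:00), "LDAP cleartext", "svc-backup@contoso.example", "DC01.contoso.example",
    datetime(2022-06-12 09:10:00), "LDAP cleartext", "svc-backup@contoso.example", "DC02.contoso.example",
    datetime(2022-06-15 10:00:00), "LDAP cleartext", "jdoe@contoso.example",       "DC01.contoso.example",
    datetime(2022-06-15 10:01:00), "Interactive",    "jdoe@contoso.example",       "WS-42.contoso.example",
    datetime(2022-04-01 00:00:00), "LDAP cleartext", "old-app@contoso.example",    "DC03.contoso.example"
];
// Pinned reference time (assumption for this sample); the page's query uses ago(30d),
// which is relative to now() and would exclude all of these fixed rows.
let ReferenceTime = datetime(2022-06-17 00:00:00);
SampleIdentityLogonEvents
| where TimeGenerated > ReferenceTime - 30d          // the April row for old-app@ falls outside the window
| where LogonType == "LDAP cleartext"                // jdoe's interactive logon is not a cleartext bind
| summarize
    ['Total connection count']=count(),              // repeated binds to the same device all count here
    ['Distinct destination device count']=dcount(DestinationDeviceName),  // ...but only once here
    ['List of destination devices']=make_set(DestinationDeviceName),
    ['First seen']=min(TimeGenerated),               // added: is the cleartext use historical or ongoing?
    ['Last seen']=max(TimeGenerated)
    by AccountUpn
| sort by ['Distinct destination device count'] desc, ['Total connection count'] desc
```

Because the data is inline, the block runs unchanged in the Sentinel Logs blade or in Advanced Hunting; against the real table, swap the datatable for IdentityLogonEvents and the pinned window for ago(30d).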

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityLogonEvents

Keywords

Devices,Intune,User

Operators

where, ago, ==, summarize, count(), dcount(), make_set(), by, sort by, desc
