Identity Query Events Suspicious LDAP Query From Unexpected Device
Query
let _ExpectedIPAddresses = toscalar(
union
(_GetWatchlist("Service-PrivateCorporateServices")
| where Notes has "[LDAPQuery]"
),
(_GetWatchlist("IP-PrivateAddressing")
| where Notes has "[LDAPQuery]"
)
| summarize make_list(IPAddress)
);
let _AnonymousExpectedIPAddresses = toscalar(
union
(_GetWatchlist("Service-PrivateCorporateServices")
| where Notes has "[AnonymousLDAPQuery]"
),
(_GetWatchlist("IP-PrivateAddressing")
| where Notes has "[AnonymousLDAPQuery]"
)
| summarize make_list(IPAddress)
);
let _ExpectedDomains = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "DomainJoinedLDAP"
| summarize make_list(strcat(".", Auxiliar))
);
let _PrivilegedObjects =
_GetWatchlist("SID-AuditADObjects")
| where Notes has "[LDAPQuery]"
| project SID, SAMAccountName
;
IdentityQueryEvents
| where Protocol == "Ldap"
| where not(DeviceName has_any (_ExpectedDomains))
| parse Query with "LDAP Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| where (QueryType has_any ("AllUsers", "AllGroups", "AllComputers", "AllTrustDomains", "AllDomains", "AllSecurityPrincipals", "AllObjects", "AllAccounts")
and SearchScope has "WholeSubtree")
or trim(@"\s", QueryTarget) in (toscalar(_PrivilegedObjects | summarize make_list(SAMAccountName)))
or Query has_any (toscalar(_PrivilegedObjects | summarize make_list(SID)))
| where not(isnotempty(parse_ipv4(IPAddress)) and ipv4_is_in_any_range(IPAddress, _ExpectedIPAddresses))
| where not(isnotempty(parse_ipv4(IPAddress)) and ipv4_is_in_any_range(IPAddress, _AnonymousExpectedIPAddresses) and IPAddress == DeviceName)
| extend AdditionalFieldsCount = toint(AdditionalFields["Count"])
| summarize
Count = sum(AdditionalFieldsCount),
QueryType = make_set_if(split(QueryType, ", "), isnotempty(QueryType) and SearchScope has "WholeSubtree"),
QueryTarget = make_set_if(QueryTarget, isnotempty(QueryTarget)),
DeviceNames = make_set_if(DeviceName, DeviceName != IPAddress),
arg_min(TimeGenerated, *)
by IPAddress
// | where not(array_length(QueryType) == 1 and QueryType[0] == "None" and array_length(QueryTarget) == 1 and QueryTarget[0] == "Admins. del dominio")
// | where not(array_length(QueryTarget) == 0 and array_length(QueryType) == 1 and QueryType[0] == "AllComputers")
// | where not(array_length(QueryTarget) == 0 and array_length(QueryType) == 1 and QueryType[0] == "AllAccounts" and isnotempty(parse_ipv4(IPAddress)) and not(ipv4_is_in_any_range(IPAddress, _AnonymousExpectedIPAddresses)))
| project
TimeGenerated,
DeviceName = tostring(DeviceNames[0]),
DeviceNames,
IPAddress,
AccountUsedToPerformQuery = AccountName,
ActionType,
Count,
Protocol,
QueryType,
QueryTarget,
TargetAccountUpn,
TargetAccountDisplayName,
SearchScope,
BaseObject,
SearchFilter,
Query,
Port,
DestinationDeviceName,
DestinationIPAddress,
DestinationPort,
AdditionalFieldsExplanation
This KQL query is designed to analyze LDAP (Lightweight Directory Access Protocol) search activities within a network, focusing on identifying potentially suspicious or unexpected queries. Here's a simplified breakdown of what the query does:
-
Define Expected IP Addresses:
- It creates two lists of expected IP addresses from watchlists: one for general LDAP queries and another for anonymous LDAP queries. These lists are used to identify which IP addresses are considered normal or expected when performing LDAP queries.
-
Define Expected Domains:
- It generates a list of expected domain names from a watchlist that records significant domain activities related to LDAP.
-
Identify Privileged Objects:
- It retrieves a list of privileged objects (like sensitive accounts or security identifiers) from a watchlist, focusing on those associated with LDAP queries.
-
Filter LDAP Query Events:
- The query then filters LDAP query events to find those that:
- Do not originate from expected domains.
- Involve certain query types (e.g., querying all users, groups, or computers) with a search scope of "WholeSubtree".
- Target privileged objects or contain specific identifiers.
- Originate from IP addresses not in the expected lists.
- The query then filters LDAP query events to find those that:
-
Summarize and Present Results:
- It summarizes the filtered events, counting occurrences and grouping by IP address.
- It collects various details about the queries, such as the types of queries, targets, devices involved, and additional fields.
- The results are then projected to display relevant information like the time of the event, device names, IP addresses, account details, and query specifics.
Overall, this query is used to monitor and detect unusual or unauthorized LDAP activities by comparing them against predefined expected behaviors and entities.
Details

Jose Sebastián Canós
Released: March 18, 2026
Tables
_GetWatchlistIdentityQueryEvents
Keywords
DevicesUsersAccountsDomainsObjectsComputersSecurityPrincipalsEventsProtocolQueryTargetActionTypePortFields
Operators
lettoscalarunionwherehassummarizemake_listprojecthas_anyparsewithtriminisnotemptyparse_ipv4ipv4_is_in_any_rangeextendtointAdditionalFieldssummake_set_ifsplitarg_minbytostring