Query Details

Suspicious LDAP Query From Unexpected Device (table: IdentityQueryEvents)

Query

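// Detection: LDAP reconnaissance (whole-subtree bulk enumeration, or a query that
// touches an audited privileged AD object) issued by a device that is neither
// carrying an expected domain suffix nor coming from an allow-listed IPv4 source.
// Scope is driven entirely by watchlists:
//   - Service-PrivateCorporateServices and IP-PrivateAddressing, Notes tagged
//     "[LDAPQuery]": source addresses / CIDR ranges allowed to run LDAP queries.
//   - Activity-ExpectedSignificantActivity, Activity == "DomainJoinedLDAP":
//     domain suffixes (column Auxiliar) of devices expected to query LDAP.
//   - SID-AuditADObjects, Notes tagged "[LDAPQuery]": privileged objects whose
//     SID or SAMAccountName must not be queried from an unexpected device.
// Allow-listed source IPs / ranges. Only entries tagged [LDAPQuery] in Notes count.
let _ExpectedIPAddresses = toscalar(
    union
        (_GetWatchlist('Service-PrivateCorporateServices')
        | where Notes has "[LDAPQuery]"
        ),
        (_GetWatchlist('IP-PrivateAddressing')
        | where Notes has "[LDAPQuery]"
        )
    | summarize make_list(IPAddress)
);
// Expected domain suffixes, prefixed with "." so that the suffix is looked up as a
// whole term inside DeviceName (".corp.example" in "host.corp.example").
let _ExpectedDomains = toscalar(
    _GetWatchlist('Activity-ExpectedSignificantActivity')
    | where Activity == "DomainJoinedLDAP"
    | summarize make_list(strcat(".", Auxiliar))
);
// Audited privileged AD objects (SID + SAMAccountName) tagged for LDAP monitoring.
let _PrivilegedObjects =
    _GetWatchlist('SID-AuditADObjects')
    | where Notes has "[LDAPQuery]"
    | project SID, SAMAccountName
;
IdentityQueryEvents
| where Protocol == "Ldap"
// Scope: only devices whose name does NOT contain an expected domain suffix.
// Consequence: the same reconnaissance run from a domain-joined host in one of
// the expected domains is out of scope here and needs a separate rule.
| where not(DeviceName has_any (_ExpectedDomains))
// Split the raw LDAP query string into scope / base object / filter.
// NOTE(review): "Base Object:" has no trailing space, unlike the other two
// markers; if the source string reads "Base Object: X", BaseObject keeps a
// leading space. Confirm against real events before comparing BaseObject exactly.
| parse Query with "LDAP Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
// Suspicious when (a) a bulk enumeration runs over the whole subtree, or
// (b) the query target / raw query references an audited privileged object.
| where (QueryType has_any ("AllUsers", "AllGroups", "AllComputers", "AllTrustDomains", "AllDomains", "AllSecurityPrincipals", "AllObjects") and SearchScope == "WholeSubtree")
    or trim(@"\s", QueryTarget) in (toscalar(_PrivilegedObjects | summarize make_list(SAMAccountName)))
    or Query has_any (toscalar(_PrivilegedObjects | summarize make_list(SID)))
// Drop allow-listed IPv4 sources. ipv4_is_in_any_range() yields null when any
// entry of the allow-list fails to parse; without coalesce that null propagates
// through not(...) and `where` would silently drop every row with a valid IPv4
// source, i.e. one bad watchlist entry would disable the detection. Fail open
// (keep the row) instead, so a broken allow-list surfaces as extra alerts
// rather than as silence. Empty or non-IPv4 IPAddress values are never
// allow-listed and always pass.
| where not(isnotempty(parse_ipv4(IPAddress))
            and coalesce(ipv4_is_in_any_range(IPAddress, _ExpectedIPAddresses), false))
// Number of objects returned by the query, as reported in AdditionalFields.
| extend AdditionalFieldsCount = toint(AdditionalFields["Count"])
// One row per source IP: total returned objects, the set of bulk query types
// (only those run with WholeSubtree scope), the set of targets, and the rest of
// the columns taken from the earliest event of that IP.
| summarize
    Count = sum(AdditionalFieldsCount),
    QueryType = make_set_if(split(QueryType, ", "), isnotempty(QueryType) and SearchScope == "WholeSubtree"),
    QueryTarget = make_set_if(QueryTarget, isnotempty(QueryTarget)),
    arg_min(TimeGenerated, *)
    by IPAddress
// Tuning hooks (disabled): suppress known-benign single-target / single-type patterns.
// | where not(array_length(QueryType) == 0 and array_length(QueryTarget) == 1 and QueryTarget[0] == "Admins. del dominio")
// | where not(array_length(QueryTarget) == 0  and array_length(QueryType) == 1 and QueryType[0] == "AllComputers")
| project
    TimeGenerated,
    // Blank out DeviceName when the sensor only had the bare IP as the name.
    DeviceName = iff(DeviceName != IPAddress, DeviceName, ""),
    IPAddress,
    ActionType,
    Count,
    Protocol,
    QueryType,
    QueryTarget,
    TargetAccountUpn,
    TargetAccountDisplayName,
    SearchScope,
    BaseObject,
    SearchFilter,
    Query,
    Port,
    DestinationDeviceName,
    DestinationIPAddress,
    DestinationPort,
    AdditionalFields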

Explanation

The query selects LDAP events from IdentityQueryEvents where the source device name does not carry one of the expected domain suffixes (watchlist Activity-ExpectedSignificantActivity, activity "DomainJoinedLDAP") and the source IPv4 address is not in the allow-listed ranges (watchlists Service-PrivateCorporateServices and IP-PrivateAddressing, entries tagged "[LDAPQuery]"). An event is kept when it is a whole-subtree bulk enumeration (AllUsers, AllGroups, AllComputers, AllTrustDomains, AllDomains, AllSecurityPrincipals, AllObjects) or when its target or raw query references an object listed in the SID-AuditADObjects watchlist. Results are aggregated per source IP: the summed returned-object count, the set of bulk query types, the set of query targets, and the remaining fields of the earliest matching event. Two commented-out filters at the end are tuning hooks for suppressing known-benign patterns.

Details


Jose Sebastián Canós

Released: August 22, 2023

Tables

IdentityQueryEvents; watchlists read via _GetWatchlist: Service-PrivateCorporateServices, IP-PrivateAddressing, Activity-ExpectedSignificantActivity, SID-AuditADObjects
