# Devices that initiate the most clear text LDAP authentications

## Query Information

### Description
This query visualises the top 100 devices that initiate the most successful clear text LDAP authentications, ranked by the number of distinct accounts that signed in from each device. An encrypted form of LDAP should be used instead of cleartext.

## Defender For Endpoint

```kql
IdentityLogonEvents
| where LogonType == 'LDAP cleartext'
| where ActionType == 'LogonSuccess'
| distinct DeviceName, AccountUpn
| summarize TotalUniqueClearTextLDAPAuthentications = count() by DeviceName
| top 100 by TotalUniqueClearTextLDAPAuthentications
| render columnchart with (title="Top 100 Devices with the most Clear Text LDAP sign ins")
```

## Sentinel

```kql
IdentityLogonEvents
| where LogonType == 'LDAP cleartext'
| where ActionType == 'LogonSuccess'
| distinct DeviceName, AccountUpn
| summarize TotalUniqueClearTextLDAPAuthentications = count() by DeviceName
| top 100 by TotalUniqueClearTextLDAPAuthentications
| render columnchart with (title="Top 100 Devices with the most Clear Text LDAP sign ins")
```

## Explanation

This query identifies the top 100 devices that initiate the most clear text LDAP authentications. Clear text LDAP transmits credentials unencrypted, so an encrypted form of LDAP is recommended instead. The query filters `IdentityLogonEvents` to successful logons whose `LogonType` is `LDAP cleartext`, reduces the result to distinct `DeviceName`/`AccountUpn` pairs, counts those pairs per device, and renders the top 100 devices as a column chart. Because of the `distinct` step, `TotalUniqueClearTextLDAPAuthentications` is the number of distinct accounts that signed in with clear text LDAP from each device, not the raw number of logon events: a device with one service account authenticating thousands of times counts as 1, while a device with three different accounts counts as 3.
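The following Python replica of the query pipeline is an added example, not part of the original page or the author's query. It runs the same filter, distinct and count-per-device steps over a handful of constructed `IdentityLogonEvents`-style rows (made-up device and account names) and also keeps the raw event count, so the difference between "distinct accounts per device" and "total clear text logons per device" is visible side by side.

```python
from collections import defaultdict

# Constructed sample rows mimicking the IdentityLogonEvents columns the query
# uses. Device and account names are made up for this example.
SAMPLE_EVENTS = [
    {"DeviceName": "app01", "AccountUpn": "svc-ldap@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonSuccess"},
    {"DeviceName": "app01", "AccountUpn": "svc-ldap@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonSuccess"},
    {"DeviceName": "app01", "AccountUpn": "svc-ldap@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonSuccess"},
    # Failed logon: excluded by the ActionType filter.
    {"DeviceName": "app01", "AccountUpn": "alice@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonFailed"},
    {"DeviceName": "printer-srv", "AccountUpn": "alice@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonSuccess"},
    {"DeviceName": "printer-srv", "AccountUpn": "bob@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonSuccess"},
    {"DeviceName": "printer-srv", "AccountUpn": "svc-scan@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonSuccess"},
    # Encrypted LDAP logon: excluded by the LogonType filter.
    {"DeviceName": "ws-42", "AccountUpn": "carol@contoso.example",
     "LogonType": "LDAP", "ActionType": "LogonSuccess"},
    {"DeviceName": "ws-42", "AccountUpn": "carol@contoso.example",
     "LogonType": "LDAP cleartext", "ActionType": "LogonSuccess"},
]


def cleartext_ldap_by_device(events, top_n=100):
    """Replicate the KQL pipeline over a list of event dicts.

    Returns a list of (DeviceName, unique_accounts, total_events) tuples,
    sorted like `top N by unique_accounts` (descending), with DeviceName as
    a tie-breaker so the output is deterministic. `unique_accounts` is the
    value the query calls TotalUniqueClearTextLDAPAuthentications;
    `total_events` is the raw logon count the query discards via `distinct`.
    """
    distinct_pairs = set()            # | distinct DeviceName, AccountUpn
    total_events = defaultdict(int)   # raw successful clear text logons

    for ev in events:
        # | where LogonType == 'LDAP cleartext'
        if ev.get("LogonType") != "LDAP cleartext":
            continue
        # | where ActionType == 'LogonSuccess'
        if ev.get("ActionType") != "LogonSuccess":
            continue
        distinct_pairs.add((ev["DeviceName"], ev["AccountUpn"]))
        total_events[ev["DeviceName"]] += 1

    # | summarize count() by DeviceName  (over the distinct pairs)
    unique_accounts = defaultdict(int)
    for device, _account in distinct_pairs:
        unique_accounts[device] += 1

    rows = [(d, unique_accounts[d], total_events[d]) for d in unique_accounts]
    # | top N by TotalUniqueClearTextLDAPAuthentications
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:top_n]


if __name__ == "__main__":
    for device, uniq, total in cleartext_ldap_by_device(SAMPLE_EVENTS):
        print(f"{device:12s} distinct accounts={uniq} raw logons={total}")
```

On the sample data `printer-srv` ranks first with three distinct accounts, while `app01` ranks below it even though it generated the same number of raw clear text logons from a single service account. If the goal is to find the noisiest source rather than the one with the most affected accounts, drop the `distinct` line from the query and count events directly.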

## Details

Author: Bert-Jan Pals

Released: February 14, 2023

Tables: IdentityLogonEvents

Keywords: Devices, LogonType, ActionType, DeviceName, AccountUpn, TotalUniqueClearTextLDAPAuthentications

Operators: where, distinct, summarize, top, render
