Find all LDAP queries executed from a compromised device (IdentityQueryEvents, Microsoft Defender for Identity). Use it to scope directory reconnaissance once a host is known to be attacker-controlled.

Defender For Endpoint

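// Goal: reconstruct every LDAP query a compromised device issued against the
// domain within the search window, so the analyst can see what the attacker
// enumerated (users, groups, SPNs, ACLs, ...) after taking over the host.
// Source: IdentityQueryEvents, populated by the Defender for Identity sensor.
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where Timestamp > ago(SearchWindow)
// `=~` is case-insensitive: `==` silently returns nothing when the stored
// DeviceName casing differs from the value pasted in.
// NOTE(review): the sensor may record the short hostname instead of the FQDN;
// if this returns no rows, try `DeviceName startswith "laptop1"`.
| where DeviceName =~ CompromisedDevice
| where Protocol =~ "Ldap"
| project
     Timestamp,
     QueryType,
     Query,
     Protocol,
     AccountUpn,            // identity that issued the query from the device
     DeviceName,
     DestinationDeviceName, // domain controller that answered the query
     TargetAccountUpn
// Oldest first so the result reads as a timeline of the enumeration.
| order by Timestamp asc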

Sentinel

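// Goal: reconstruct every LDAP query a compromised device issued against the
// domain within the search window, so the analyst can see what the attacker
// enumerated (users, groups, SPNs, ACLs, ...) after taking over the host.
// Source: IdentityQueryEvents via the Microsoft 365 Defender connector; the
// Sentinel copy of the table uses TimeGenerated instead of Timestamp.
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where TimeGenerated > ago(SearchWindow)
// `=~` is case-insensitive: `==` silently returns nothing when the stored
// DeviceName casing differs from the value pasted in.
// NOTE(review): the sensor may record the short hostname instead of the FQDN;
// if this returns no rows, try `DeviceName startswith "laptop1"`.
| where DeviceName =~ CompromisedDevice
| where Protocol =~ "Ldap"
| project
     TimeGenerated,
     QueryType,
     Query,
     Protocol,
     AccountUpn,            // identity that issued the query from the device
     DeviceName,
     DestinationDeviceName, // domain controller that answered the query
     TargetAccountUpn
// Oldest first so the result reads as a timeline of the enumeration.
| order by TimeGenerated asc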