
Visualize Devices That Initiate The Most Cleartext LDAP Authentications

Description

This KQL query visualises the top 100 devices that initiate the most cleartext LDAP authentications. Because the query first deduplicates on DeviceName and AccountUpn, the number plotted per device is the count of distinct accounts that signed in from it over cleartext LDAP, not the raw number of bind events. A cleartext LDAP simple bind sends the account password over the network unprotected, so anything that captures the traffic captures the credential. You preferably want to use an encrypted form of LDAP instead, such as LDAPS or LDAP with signing and channel binding, and the devices at the top of this chart are the ones whose applications or services need to be reconfigured first.

Query

Microsoft Defender For Endpoint
Kusto
IdentityLogonEvents
// Only successful sign-ins that used an unencrypted LDAP simple bind
| where LogonType == 'LDAP cleartext'
| where ActionType == 'LogonSuccess'
// Deduplicate so each (device, account) pair is counted once
| distinct DeviceName, AccountUpn
// Number of distinct accounts per source device
| summarize TotalUniqueClearTextLDAPAuthentications = count() by DeviceName
| top 100 by TotalUniqueClearTextLDAPAuthentications
| render columnchart with (title="Top 100 Devices with the most Clear Text LDAP sign ins")

Microsoft Sentinel
Kusto
IdentityLogonEvents
// Only successful sign-ins that used an unencrypted LDAP simple bind
| where LogonType == 'LDAP cleartext'
| where ActionType == 'LogonSuccess'
// Deduplicate so each (device, account) pair is counted once
| distinct DeviceName, AccountUpn
// Number of distinct accounts per source device
| summarize TotalUniqueClearTextLDAPAuthentications = count() by DeviceName
| top 100 by TotalUniqueClearTextLDAPAuthentications
| render columnchart with (title="Top 100 Devices with the most Clear Text LDAP sign ins")
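Once the chart has surfaced a noisy device, the next question is which accounts and which domain controllers are involved, so the owning application can be found and switched to LDAPS or signed LDAP. The following triage query is an added example and not part of the original page. It assumes the IdentityLogonEvents columns Timestamp, IPAddress and DestinationDeviceName from the documented advanced hunting schema, and a 30-day lookback that you can adjust.

```kusto
// Added example (not from the original page): per-device triage detail for
// cleartext LDAP binds. Assumes the Timestamp, IPAddress and
// DestinationDeviceName columns of IdentityLogonEvents; lookback is an assumption.
let lookback = 30d;
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where LogonType == 'LDAP cleartext'
| where ActionType == 'LogonSuccess'
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    TotalEvents = count(),
    UniqueAccounts = dcount(AccountUpn),
    // Cap the sets so a busy device does not produce an unreadable row
    Accounts = make_set(AccountUpn, 25),
    DomainControllers = make_set(DestinationDeviceName, 10),
    SourceIPs = make_set(IPAddress, 10)
    by DeviceName
| order by UniqueAccounts desc, TotalEvents desc
| take 100
```

A device with many distinct accounts is typically an application server or proxy authenticating users on their behalf, while a device with one service account and a high event count is usually a single misconfigured client; both rows point you at the DC (DomainControllers) whose LDAP traffic you would capture to confirm the bind type before the change.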
