Adversaries may use multiple LDAP queries to enumerate Active Directory users or groups in a short time window, indicating potential reconnaissance or credential stuffing attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage reconnaissance efforts that could lead to credential compromise or lateral movement.
KQL Query

```kql
let Threshold = 10;
let BinTime = 1m;
IdentityQueryEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| summarize NumberOfLdapQueries = count(), NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold
```
```yaml
id: 13476066-24d0-4b19-8fd5-28fe42ab35f6
name: MultipleLdaps
description: |
  Detect multiple Active Directory LDAP queries made in bin time
  Replace 10 on line 1 with your desired threshold
  Replace 1m on line 2 with your desired bin time
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityQueryEvents
query: |
  let Threshold = 10;
  let BinTime = 1m;
  IdentityQueryEvents
  | where ActionType == "LDAP query"
  | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
  | summarize NumberOfLdapQueries = count(), NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
  | where NumberOfDistinctLdapQueries > Threshold
```
| Sentinel Table | Notes |
|---|---|
| IdentityQueryEvents | Ensure this data connector is enabled |
- Scenario: Scheduled LDAP Queries for User Synchronization
  - Description: A scheduled job using PowerShell or DSync tool is performing regular LDAP queries to synchronize user data between directories.
  - Filter/Exclusion: Exclude processes initiated by PowerShell scripts with known synchronization job names, or filter by process name like powershell.exe with a specific command-line argument.
- Scenario: LDAP Queries for Reporting Purposes
  - Description: A Power BI or SQL Server Reporting Services (SSRS) report is querying LDAP to pull user data for analytics.
  - Filter/Exclusion: Exclude queries originating from Power BI or SSRS services, or filter by source IP or user account associated with reporting tools.
- Scenario: LDAP Queries for Identity Management Tasks
  - Description: An Identity Manager (IdM) tool like Microsoft Identity Manager (MIM) or SailPoint is performing LDAP queries during user provisioning or deprovisioning.
  - Filter/Exclusion: Exclude queries from known identity management tools by process name or user account (e.g., mim.exe, sailpoint.exe, or service accounts used by IdM).
- Scenario: LDAP Queries for Security Auditing
  - Description: A SIEM tool like Splunk or QRadar is querying LDAP to collect user activity data for audit purposes.
  - Filter/Exclusion: Exclude queries from SIEM tools by process name or source IP associated with the SIEM system.
- Scenario: LDAP Queries for Group Policy Processing
  - Description: Group Policy Object (GPO) processing or Group Policy Management Console (GPMC) tasks may trigger LDAP queries during domain controller communication.
  - *Filter/Ex
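To tune the threshold and bin size offline, and to see how a device exclusion of the kind the scenarios above describe changes the result, here is a Python re-implementation of the hunting query's parse, bin and distinct-count steps run over constructed IdentityQueryEvents rows. This is an added example, not part of the Sentinel content or the query itself; the event rows, device names and the excluded sync-server name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same fixed text the KQL `parse` operator matches in the Query column.
QUERY_RE = re.compile(r"Search Scope: (?P<scope>.*?), Base Object:(?P<base>.*?), Search Filter: (?P<filter>.*)$")

def parse_query(query):
    """Return (SearchScope, BaseObject, SearchFilter), or None if the text does not match."""
    m = QUERY_RE.search(query)
    return None if m is None else (m.group("scope"), m.group("base").strip(), m.group("filter"))

def bin_time(ts, bin_minutes):
    """Floor a timestamp to the start of its bin, like bin(Timestamp, BinTime) in KQL."""
    return ts - timedelta(minutes=ts.minute % bin_minutes, seconds=ts.second, microseconds=ts.microsecond)

def detect_multiple_ldap(events, threshold=10, bin_minutes=1, excluded_devices=frozenset()):
    """Group LDAP query events by (DeviceName, bin) and return bins whose distinct
    SearchFilter count exceeds the threshold, mirroring the summarize/where steps.
    excluded_devices is an allowlist for known sync/reporting/IdM hosts (constructed)."""
    buckets = defaultdict(lambda: {"count": 0, "filters": set()})
    for ev in events:
        if ev["ActionType"] != "LDAP query" or ev["DeviceName"] in excluded_devices:
            continue
        parsed = parse_query(ev["Query"])
        if parsed is None:  # unparsable Query text is skipped in this re-implementation
            continue
        key = (ev["DeviceName"], bin_time(ev["Timestamp"], bin_minutes))
        buckets[key]["count"] += 1
        buckets[key]["filters"].add(parsed[2])
    return {key: {"NumberOfLdapQueries": b["count"], "NumberOfDistinctLdapQueries": len(b["filters"])}
            for key, b in buckets.items() if len(b["filters"]) > threshold}

T0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

def _ev(device, secs, search_filter):
    return {"Timestamp": T0 + timedelta(seconds=secs), "DeviceName": device, "ActionType": "LDAP query",
            "Query": f"Search Scope: Subtree, Base Object: DC=example,DC=local, Search Filter: {search_filter}"}

# Constructed sample: a workstation issuing 12 distinct searches within one minute, a known
# sync server issuing 15 (to be allowlisted), a quiet host, and one unparsable row.
SAMPLE_EVENTS = ([_ev("ws-0042", i * 4, f"(sAMAccountName=user{i:02d})") for i in range(12)]
                 + [_ev("sync-01", i * 3, f"(objectGUID={i})") for i in range(15)]
                 + [_ev("ws-0007", 10, "(objectClass=user)"), _ev("ws-0007", 20, "(objectClass=user)")]
                 + [{"Timestamp": T0, "DeviceName": "ws-0042", "ActionType": "LDAP query", "Query": "n/a"}])

if __name__ == "__main__":
    hits = detect_multiple_ldap(SAMPLE_EVENTS, threshold=10, bin_minutes=1, excluded_devices={"sync-01"})
    for (device, start), stats in sorted(hits.items()):
        print(device, start.isoformat(), stats)
```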