philipperismann
Copper Contributor
Apr 24, 2020

Azure ATP: Clear text credentials using LDAP simple bind

Hi,
Is there a possibility to get all the computers where an "Authentication with clear text credentials using LDAP simple bind from %Computername%" was made?
I can only see it if I check the user, but I would like to see all the computers that accepted the LDAP simple bind.

regards
Phil

6 Replies

  • Hi philipperismann,

    Have you seen our security assessment for exposing credentials in clear text?

    https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-cas-isp-clear-text

    You can get this list after you have integrated AATP with MCAS.

    https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-mcas-integration

    If you don't have a subscription for Cloud App Security, you will still be able to use the Cloud App Security portal to investigate Azure ATP alerts and deep dive on users and their on-premise managed activities, but you won't receive related insights from your cloud applications.

    • philipperismann
      Copper Contributor

      Hi BrandonLawson,

      Thanks, this already helps a lot, but I can only see the top 20 credential-exposing entities.

      Is it possible to get a full list?

      Regards, Phil

      • Or Tsemah
        Former Employee

        philipperismann

        You can now utilize MTP's Advanced hunting feature to query against Azure ATP data (using the IdentityLogonEvents table).

        https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-identitylogonevents-table?view=o365-worldwide

        // Finds Devices using LDAP cleartext
        IdentityLogonEvents
        | where Timestamp > ago(30d)
        | where LogonType == "LDAP cleartext"
        | distinct DeviceName
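
An expanded form of the query above, added here as an example and not part of the reply or of Microsoft's documentation: it keeps the same table and LogonType filter but groups the events per source device, so each device is listed with the accounts whose credentials it sent in clear text and the servers that accepted the bind. The columns AccountUpn, IPAddress and DestinationDeviceName come from the IdentityLogonEvents schema; the output column names and the set size limits are choices made for this example.

```kusto
// Added example: per-device inventory of LDAP simple binds for remediation planning
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
// Group by source device; IPAddress keeps rows apart when DeviceName is empty
| summarize
    Binds         = count(),                               // number of clear-text bind events
    AccountCount  = dcount(AccountUpn),                    // distinct accounts exposed
    Accounts      = make_set(AccountUpn, 50),              // up to 50 account UPNs per device
    AcceptedBy    = make_set(DestinationDeviceName, 20),   // servers that processed the bind
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
    by DeviceName, IPAddress
// Devices that are still binding in clear text and expose the most accounts come first
| order by LastSeen desc, AccountCount desc
```

The result can be exported from Advanced hunting, which gives the full list rather than the top 20 entities shown in the security assessment.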
