Forum Discussion

Copper Contributor

Apr 24, 2020

Azure ATP: Clear text credentials using LDAP simple bind

Hi, is there a possibility to get all the Computers where a "Authentication with clear text credentials using LDAP simple bind from %Computername%" was made? I only can see it if i check the user, ...

BrandonLawson

Former Employee

Apr 24, 2020

Hi philipperismann,

Have you seen our security assessment for exposing credentials in clear text?

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-cas-isp-clear-text

You can get this list after you have integrated AATP with MCAS.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-mcas-integration

If you don't have a subscription for Cloud App Security, you will still be able to use the Cloud App Security portal to investigate Azure ATP alerts and deep dive on users and their on-premise managed activities, but you won't receive related insights from your cloud applications.

philipperismann
Copper Contributor
Apr 24, 2020
Hi BrandonLawson

thanks, this already helps a lot, but i only can see the top 20 credential-exposing entities.
is it possible to get a full list?

regards Phil
- Or Tsemah
  Former Employee
  Apr 26, 2020
  philipperismann
  
  You can now utilize MTP's Advanced hunting feature to query against Azure ATP data (using the IdentityLogonEvents table)
  
  https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  
  // Finds Devices using LDAP cleartext
  
  IdentityLogonEvents
  
  | where Timestamp > ago(30d)
  
  | where LogonType == "LDAP cleartext"
  
  | distinct DeviceName
  - philipperismann
    Copper Contributor
    Apr 28, 2020
    Hi Or Tsemah
    thanks for your help.
    i can turn on "Microsoft Threat Protection" in security.microsoft.com but I don't see it under incidents or action center.
    regards
    Phil