Forum Discussion
philipperismann
Apr 24, 2020 Copper Contributor
Azure ATP: Clear text credentials using LDAP simple bind
Hi, is there a possibility to get all the computers where an "Authentication with clear text credentials using LDAP simple bind from %Computername%" was made? I can only see it if I check the user, ...
philipperismann
Apr 24, 2020 Copper Contributor
Thanks, this already helps a lot, but I can only see the top 20 credential-exposing entities.
Is it possible to get a full list?
Regards, Phil
Or Tsemah
Apr 26, 2020 Iron Contributor
You can now utilize MTP's Advanced hunting feature to query against Azure ATP data (using the IdentityLogonEvents table):
// Finds Devices using LDAP cleartext
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
| distinct DeviceName
- philipperismann Apr 28, 2020 Copper Contributor
Hi Or Tsemah,
thanks for your help.
I can turn on "Microsoft Threat Protection" in security.microsoft.com, but I don't see it under incidents or action center.
Regards,
Phil
- Or Tsemah Apr 28, 2020 Iron Contributor
philipperismann, that feature is under the "Advanced hunting" feature; you can access it from this link:
https://security.microsoft.com/advanced-hunting
- philipperismann May 18, 2020 Copper Contributor
Or Tsemah, thanks a lot, this works fine.
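
Building on the query posted in this thread, the following is an added example (not part of any participant's post) that returns the full list of source computers along with the context needed to prioritise remediation: how many simple binds each source made, which accounts were exposed, and which domain controllers received them. It assumes the standard IdentityLogonEvents columns AccountDomain, AccountName, IPAddress and DestinationDeviceName are populated in your tenant; the 50 and 20 set-size limits are arbitrary choices.

```kusto
// Added example: sources of LDAP simple binds, ranked by credential exposure.
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
// Build a DOMAIN\user label; AccountUpn is not always populated for these events.
| extend Account = strcat(AccountDomain, "\\", AccountName)
| summarize
    Binds             = count(),                              // total simple binds seen from this source
    ExposedAccounts   = dcount(Account),                      // distinct accounts sent in clear text
    Accounts          = make_set(Account, 50),                // sample of exposed accounts (capped at 50)
    DomainControllers = make_set(DestinationDeviceName, 20),  // DCs that accepted the binds
    FirstSeen         = min(Timestamp),
    LastSeen          = max(Timestamp)
    // Group on IPAddress as well, so sources whose DeviceName could not be resolved
    // still appear as separate rows instead of collapsing into one empty name.
    by DeviceName, IPAddress
| order by ExposedAccounts desc, Binds desc
```

Sources near the top expose the most distinct accounts and are the first candidates for moving to LDAPS or a SASL bind; rows with a recent LastSeen are still actively sending credentials in clear text.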