Forum Discussion
New preview detection: Security principal reconnaissance (LDAP)
Are there any plans to update this alert to include what actor performed the query? It's very unhelpful to say "an actor on server sent a suspicious LDAP query" without specifying the actor.
- Tali Ash

- EliOfek, Mar 24, 2021
Microsoft
We don't have the actor as this is happening using the machine account.
If you have MDE on the machine you might have more data to cross with to find the actor.

- mboisvert, May 24, 2023
Copper Contributor
EliOfek Source? That would be useful if it was in the documentation of Msft and we don't need to ask on techcommunity. Do you have any suggestions to correlate this alert with factual events on the machine? That would be useful too. Thanks.
- EliOfekMay 24, 2023
Microsoft
mboisvert If you look closely at the alert details, or even export them to Excel, you will be able to see that the entity involved in this case is the machine account.
Note that this could happen to other alerts as well if the attacker used the machine account.
If you have a specific recommendation of what specific statement you are missing from the docs and where, I am adding Deleted to help with that.
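As an added example (not from this thread, nor from Microsoft's documentation), one way to do the cross-correlation EliOfek suggests in Defender Advanced Hunting: take the device named in the MDI alert's evidence and look for MDE LdapSearch events on that device around the alert time, which carry the initiating process and account. It assumes the server is onboarded to MDE and recording the LdapSearch action type, that its AdditionalFields JSON carries a SearchFilter key, and uses an arbitrary 10-minute window.

```kusto
// Constructed example: correlate an MDI LDAP reconnaissance alert with MDE LdapSearch
// telemetry to recover the account and process behind the query.
let window = 10m;
let ldapAlerts =
    AlertInfo
    | where ServiceSource == "Microsoft Defender for Identity"
    | where Title has "Security principal reconnaissance (LDAP)"
    | join kind=inner (
        AlertEvidence
        | where EntityType == "Machine"   // the server the alert fired on
        | project AlertId, DeviceName
      ) on AlertId
    | project AlertId, AlertTime = Timestamp, DeviceName;
DeviceEvents
| where ActionType == "LdapSearch"
// SearchFilter key in AdditionalFields is assumed; adjust if your tenant differs
| extend SearchFilter = tostring(parse_json(AdditionalFields).SearchFilter)
| project LdapTime = Timestamp, DeviceName,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, SearchFilter
| join kind=inner ldapAlerts on DeviceName
// keep only LDAP queries issued close to the alert time
| where LdapTime between ((AlertTime - window) .. (AlertTime + window))
| project AlertId, AlertTime, DeviceName, LdapTime,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, SearchFilter
| order by AlertTime desc, LdapTime asc
```

Where the alert was raised on the machine account, the InitiatingProcessAccountName column is what shows whether a SYSTEM service or an interactive user's process issued the query.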