Forum Discussion
Share Your Hunting Challenges!
Would you be willing to look at this query and let me know why it's not working? It ran once but now it has an unexpected error. It's getting an error in the line:
"| summarize NumberofDisstinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)"
let Threshold = 12;
let BinTime = 1m;
let listDC=IdentityDirectoryEvents
| where Application =="Active Directory"
| where Application == "Directory Service replication"
| summarize by DestinationDeviceName ;
IdentityQueryEvents
| where Timestamp > ago(30d)
| where DeviceName !in ( "DC List")
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:"
BaseObject ", Search Filter: " SearchFilter
| summarize NumberofDisstinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
|where NumberofDisstinctLdapQueries > Threshold
source: MS Defender Webinar Solorigate
- MichaelJMeloneJan 28, 2021Microsoft Citizen8675309 I tried this out in my lab environment and it ran without issue (I set Threshold to 0 for testing) - m00nfish1400May 03, 2023Copper ContributorHi Michael, I just started to learn KQL queries and watched your old webinars on Youtube. Those videos are great learning resources. When I saw this original post, I was wondering whether or not my observation is correct. I think why this query didn't work, is because this line of queries " | where DeviceName !in ( "DC List") " should be "| where DeviceName !in ( "listDC")" . "listDC" was defined in line 3. Thanks!