Event details

We are very excited to announce our Microsoft Defender for Identity AMA!   An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AMA giv...
Trevor_Rusher
Updated Jun 29, 2022
microsoft defender for identity
Eric JENOUVRIER's avatar
Eric JENOUVRIER
Iron Contributor
Jun 14, 2022
Microsoft Defender for Identity is capturing IdentityLogonEvent for Kerberos, Ntlm, ... and Bind Ldap (clear text password), but what about LDAPS ? bind ldap (over TLS/ldaps) are not capture within Hunting Database. Is there some plan to have some eventId within Active Directory and/or evolution on MDI probe to capture bind ldap over LDAPS ?
Umm_Kulth101's avatar
Umm_Kulth101
Copper Contributor
Jun 28, 2022
interested
  • Daniel Naim's avatar
    Daniel Naim
    Former Employee
    Jun 29, 2022

    Defender for Identity collects and stores information from your configured servers. Information collected includes network traffic to and from domain controllers (such as Kerberos authentication, NTLM authentication, DNS queries), security logs (such as Windows security events), Active Directory information (structure, subnets, sites), and entity information (such as names, email addresses, and phone numbers). Defender for Identity now does not have visibility to queries of LDAPS connections. We recently added the ability to gather the LDAP queries done via Active Directory Web Services. We are also looking at a method to see the encrypted traffic from pure LDAPS. https://docs.microsoft.com/en-us/defender-for-identity/whats-new#defender-for-identity-release-2180