Apr 24 2020 06:24 AM - last edited on Nov 30 2021 02:00 PM by Allen
Apr 24 2020 06:24 AM - last edited on Nov 30 2021 02:00 PM by Allen
Hi,
is there a possibility to get all the Computers where a "Authentication with clear text credentials using LDAP simple bind from %Computername%" was made?
I only can see it if i check the user, but i like to see all the Computer who accepted the LDAP simple bind.
regards
Phil
Apr 24 2020 07:16 AM
Hi @philipperismann,
Have you seen our security assessment for exposing credentials in clear text?
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-cas-isp-clear-text
You can get this list after you have integrated AATP with MCAS.
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-mcas-integration
If you don't have a subscription for Cloud App Security, you will still be able to use the Cloud App Security portal to investigate Azure ATP alerts and deep dive on users and their on-premise managed activities, but you won't receive related insights from your cloud applications.
Apr 24 2020 07:58 AM
thanks, this already helps a lot, but i only can see the top 20 credential-exposing entities.
is it possible to get a full list?
regards Phil
Apr 26 2020 01:35 AM - edited Apr 26 2020 01:36 AM
You can now utilize MTP's Advanced hunting feature to query against Azure ATP data (using the IdentityLogonEvents table)
Apr 28 2020 12:10 AM
Hi @Or Tsemah
thanks for your help.
i can turn on "Microsoft Threat Protection" in security.microsoft.com but I don't see it under incidents or action center.
regards
Phil
Apr 28 2020 07:31 AM
@philipperismann that feature is under the "Advanced hunting" feature, you can access it from this link
https://security.microsoft.com/advanced-hunting
May 18 2020 02:31 AM
@Or Tsemah thanks a lot, this works fine.