Microsoft Tech Community

Azure ATP: Clear text credentials using LDAP simple bind

Hi,
Is there a possibility to get all the Computers where an "Authentication with clear text credentials using LDAP simple bind from %Computername%" was made?
I can only see it if I check the user, but I would like to see all the Computers that accepted the LDAP simple bind.

regards
Phil

Hi @philipperismann,

Have you seen our security assessment for exposing credentials in clear text?

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-cas-isp-clear-text

You can get this list after you have integrated AATP with MCAS.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-mcas-integration

If you don't have a subscription for Cloud App Security, you will still be able to use the Cloud App Security portal to investigate Azure ATP alerts and deep dive on users and their on-premise managed activities, but you won't receive related insights from your cloud applications.

Hi @BrandonLawson 

Thanks, this already helps a lot, but I can only see the top 20 credential-exposing entities.

Is it possible to get a full list?

regards Phil

@philipperismann 

You can now utilize MTP's Advanced hunting feature to query against Azure ATP data (using the IdentityLogonEvents table)

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-identitylogonevents-tab...

// Finds Devices using LDAP cleartext
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
| distinct DeviceName
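As an added example (not the query from the reply above), the same Advanced hunting query extended so the result is the full per-device list with context instead of only device names, which is what the "top 20" limitation in the assessment view does not give you. The columns AccountName, AccountDomain, IPAddress and DestinationDeviceName are assumed from the IdentityLogonEvents schema and should be checked against the table reference linked above.

```kql
// Added example, not part of the original thread. Lists every source
// device that made an LDAP simple bind with clear-text credentials in the
// last 30 days, with the accounts and source IPs involved and the domain
// controllers that accepted the bind.
// Assumed columns: AccountName, AccountDomain, IPAddress, DestinationDeviceName.
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
// Some sources only appear by IP address; keep them in the list under
// their IP instead of dropping them into an empty DeviceName group.
| extend SourceDevice = iff(isempty(DeviceName), strcat("unresolved:", IPAddress), DeviceName)
| summarize
    BindCount         = count(),
    FirstSeen         = min(Timestamp),
    LastSeen          = max(Timestamp),
    Accounts          = make_set(strcat(AccountDomain, "\\", AccountName), 20),
    SourceIPs         = make_set(IPAddress, 20),
    DomainControllers = make_set(DestinationDeviceName, 10)
    by SourceDevice
| order by BindCount desc
```

Devices with the highest BindCount and the widest set of Accounts are the ones whose LDAP clients (or the applications behind them) should be reconfigured to use LDAPS or SASL first, since each bind they make sends the account password in clear text over the network.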

Hi @Or Tsemah 

thanks for your help.

I can turn on "Microsoft Threat Protection" in security.microsoft.com but I don't see it under incidents or action center.

regards

Phil

@philipperismann that feature is under the "Advanced hunting" feature. You can access it from this link

https://security.microsoft.com/advanced-hunting

@Or Tsemah  thanks a lot, this works fine.