Azure ATP: Clear text credentials using LDAP simple bind

Copper Contributor

is there a possibility to get all the Computers where a "Authentication with clear text credentials using LDAP simple bind from %Computername%" was made?
I only can see it if i check the user, but i like to see all the Computer who accepted the LDAP simple bind.



6 Replies

Hi @philipperismann,


Have you seen our security assessment for exposing credentials in clear text?


You can get this list after you have integrated AATP with MCAS.


If you don't have a subscription for Cloud App Security, you will still be able to use the Cloud App Security portal to investigate Azure ATP alerts and deep dive on users and their on-premise managed activities, but you won't receive related insights from your cloud applications.



Hi @BrandonLawson 


thanks, this already helps a lot, but i only can see the top 20 credential-exposing entities.

is it possible to get a full list?


regards Phil


You can now utilize MTP's Advanced hunting feature to query against Azure ATP data (using the IdentityLogonEvents table)


// Finds Devices using LDAP cleartext
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
| distinct DeviceName

Hi @Or Tsemah 

thanks for your help.

i can turn on "Microsoft Threat Protection" in but I don't see it under incidents or action center.



@philipperismann that feature is under the "Advanced hunting" feature, you can access it from this link


@Or Tsemah  thanks a lot, this works fine.