Your on-premises network contains an Active Directory Domain Services (AD DS) forest.
You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant.
You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.
Which table should you query?
Here is a sample query from Microsoft Learn documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/queries/identitylogonevents
Agreed.
IdentityLogonEvents
, the correct table to query for identifying LDAP simple binds to the AD DS domain controllers is AADDomainServicesAccountLogon.\
No, this is for Entra ID Domain Services
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/enhancing-microsoft-defender-for-identity-data-using-microsoft/ba-p/2178286