🔥 3-day streak
Microsoft Security Operations Analyst98 / 190
Question 98 of 190

During a threat hunt in Microsoft Defender XDR, you suspect an attacker has compromised a domain-joined workstation and is performing Active Directory reconnaissance by enumerating users, groups, and computer objects via LDAP queries against a domain controller monitored by Microsoft Defender for Identity. You need an Advanced Hunting table that captures these directory enumeration and query activities so you can identify abnormal LDAP query patterns originating from the workstation. Which table should you query?

Reviewed for accuracy · Report an issueNext question