LDAPFW
10 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 257 | LDAP Firewall protection installed. | LDAPFW |
| 258 | LDAP Firewall protection removed. | LDAPFW |
| 259 | An LDAP Add operation was called. | LDAPFW |
| 260 | An LDAP Delete operation was called. | LDAPFW |
| 261 | An LDAP Modify operation was called. | LDAPFW |
| 262 | An LDAP Modify DN operation was called. | LDAPFW |
| 263 | An LDAP Search operation was called. | LDAPFW |
| 264 | An LDAP Compare operation was called. | LDAPFW |
| 265 | An LDAP Extended operation was called. | LDAPFW |
| 266 | LDAP Firewall configuration updated. | LDAPFW |
Event ID 257 — LDAP Firewall protection installed.
Fields

| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |

Example Event

```json
{
  "system": {
    "provider": "LDAPFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 257,
    "version": 0,
    "level": 0,
    "task": 1,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-06T19:18:50.224434+00:00",
    "event_record_id": 76,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "LDAPFW",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 258 — LDAP Firewall protection removed.
Event ID 259 — An LDAP Add operation was called.
Fields

| Name | Description |
|---|---|
| Data_0 | Security identity of the LDAP caller |
| Data_1 | Firewall action taken: Allowed or Blocked |
| Data_2 | Distinguished Name of the LDAP entry being added |
| Data_3 | Comma-separated list of attribute:value pairs being added |
| Data_4 | Source IP address of the LDAP client |
| Data_5 | Source TCP port of the LDAP client |
| Binary | — |

Example Event

```json
{
  "system": {
    "provider": "LDAPFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 259,
    "version": 0,
    "level": 0,
    "task": 2,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-06T19:19:20.073368+00:00",
    "event_record_id": 78,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "LDAPFW",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "ludus\\LAB-DC01$",
    "Data_1": "Allowed",
    "Data_2": "cn=MicrosoftDNS,cn=System,DC=ludus,DC=domain",
    "Data_3": "objectClass:container, cn:MicrosoftDNS",
    "Data_4": "127.0.0.1",
    "Data_5": "63395",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 260 — An LDAP Delete operation was called.
Fields

| Name | Description |
|---|---|
| Data_0 | Security identity of the LDAP caller |
| Data_1 | Firewall action taken: Allowed or Blocked |
| Data_2 | Distinguished Name of the LDAP entry being deleted |
| Data_3 | Source IP address of the LDAP client |
| Data_4 | Source TCP port of the LDAP client |
| Binary | — |

Example Event

```json
{
  "system": {
    "provider": "LDAPFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 260,
    "version": 0,
    "level": 0,
    "task": 3,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-13T20:16:10.794736+00:00",
    "event_record_id": 163,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "LDAPFW",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "ludus\\domainadmin",
    "Data_1": "Allowed",
    "Data_2": "CN=EVTGEN-PC02,OU=EventGenTest,DC=ludus,DC=domain",
    "Data_3": "127.0.0.1",
    "Data_4": "54871",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 261 — An LDAP Modify operation was called.
Fields

| Name | Description |
|---|---|
| Data_0 | Security identity of the LDAP caller |
| Data_1 | Firewall action taken: Allowed or Blocked |
| Data_2 | Distinguished Name of the LDAP entry being modified |
| Data_3 | Comma-separated list of attribute:value pairs being modified |
| Data_4 | Source IP address of the LDAP client |
| Data_5 | Source TCP port of the LDAP client |
| Binary | — |

Example Event

```json
{
  "system": {
    "provider": "LDAPFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 261,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-02-27T18:24:16.579063+00:00",
    "event_record_id": 66,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "LDAPFW",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "ludus\\localuser",
    "Data_1": "Allowed",
    "Data_2": "CN=domainuser,CN=Users,DC=ludus,DC=domain",
    "Data_3": "unicodePwd:\"",
    "Data_4": "127.0.0.1",
    "Data_5": "64875",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 262 — An LDAP Modify DN operation was called.
Fields

| Name | Description |
|---|---|
| Data_0 | Security identity of the LDAP caller |
| Data_1 | Firewall action taken: Allowed or Blocked |
| Data_2 | Original Distinguished Name before the rename or move |
| Data_3 | New Distinguished Name (the new RDN or new superior) |
| Data_4 | Whether to delete the old RDN entry: True or False |
| Data_5 | Source IP address of the LDAP client |
| Data_6 | Source TCP port of the LDAP client |
| Binary | — |

Example Event

```json
{
  "system": {
    "provider": "LDAPFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 262,
    "version": 0,
    "level": 0,
    "task": 5,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-13T20:16:10.514037+00:00",
    "event_record_id": 155,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "LDAPFW",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "ludus\\domainadmin",
    "Data_1": "Allowed",
    "Data_2": "CN=evtgen_user5,OU=EventGenTest,DC=ludus,DC=domain",
    "Data_3": "CN=evtgen_user5",
    "Data_4": "True",
    "Data_5": "127.0.0.1",
    "Data_6": "54871",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 263 — An LDAP Search operation was called.
Fields

| Name | Description |
|---|---|
| Data_0 | Security identity of the LDAP caller |
| Data_1 | Firewall action taken: Allowed or Blocked |
| Data_2 | Base Distinguished Name (search root) |
| Data_3 | LDAP search filter expression |
| Data_4 | Search scope: Base, One Level, or Subtree |
| Data_5 | Semicolon-separated list of requested attributes |
| Data_6 | Source IP address of the LDAP client |
| Data_7 | Source TCP port of the LDAP client |
| Binary | — |

Example Event

```json
{
  "system": {
    "provider": "LDAPFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 263,
    "version": 0,
    "level": 0,
    "task": 6,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-13T18:46:46.082627+00:00",
    "event_record_id": 97,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "LDAPFW",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "ludus\\domainadmin",
    "Data_1": "Allowed",
    "Data_2": "DC=ludus,DC=domain",
    "Data_3": "(&(objectClass=*)(objectClass=user)(objectCategory=person))",
    "Data_4": "Subtree",
    "Data_5": "name;objectClass;objectGUID;accountExpires;userAccountControl;msDS-User-Account-Control-Computed;AdminCount;c;nTSecurityDescriptor;canonicalName;company;department;description;givenName;homeDirectory;Info;lastLogonTimestamp;lockoutTime;userWorkstations;mail;manager;middleName;mobile;msDS-AllowedToDelegateTo;msDS-SupportedEncryptionTypes;pwdLastSet;primaryGroupID;profilePath;sAMAccountName;scriptPath;objectSid;sIDHistory;sn;title;whenChanged;whenCreated;userPrincipalName",
    "Data_6": "127.0.0.1",
    "Data_7": "51405",
    "Binary": ""
  },
  "message": ""
}
```
Event ID 264 — An LDAP Compare operation was called.
Fields

| Name | Description |
|---|---|
| Data_0 | Security identity of the LDAP caller |
| Data_1 | Firewall action taken: Allowed or Blocked |
| Data_2 | Distinguished Name of the LDAP entry being compared |
| Data_3 | Name of the attribute to compare |
| Data_4 | Value to compare against |
| Data_5 | Source IP address of the LDAP client |
| Data_6 | Source TCP port of the LDAP client |
| Binary | — |

Example Event

```json
{
  "system": {
    "provider": "LDAPFW",
    "guid": "",
    "event_source_name": "",
    "event_id": 264,
    "version": 0,
    "level": 0,
    "task": 7,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2026-03-06T19:19:20.073368+00:00",
    "event_record_id": 77,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "LDAPFW",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "ludus\\LAB-DC01$",
    "Data_1": "Allowed",
    "Data_2": "CN=LAB-DC01,OU=Domain Controllers,DC=ludus,DC=domain",
    "Data_3": "servicePrincipalName",
    "Data_4": "DNS/LAB-DC01.ludus.domain",
    "Data_5": "127.0.0.1",
    "Data_6": "63395",
    "Binary": ""
  },
  "message": ""
}
```
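
The field tables above show that the same value sits at a different `Data_N` position depending on the event ID (the source IP is `Data_3` for 260 but `Data_6` for 263), so a log pipeline has to map positions per ID before it can filter on caller, action or client address. The following normalizer is an added example, not part of the LDAPFW project or the original page; the output field names (`caller`, `src_ip`, `requested_attrs` and so on) and the sample events are assumptions made for illustration.

```python
import json

# Data_N positions per event ID, from this page's field tables; 257/258/265/266 stay unmapped.
HEAD, NET = ["caller", "action"], ["src_ip", "src_port"]
SCHEMA = {
    259: HEAD + ["dn", "attributes"] + NET,
    260: HEAD + ["dn"] + NET,
    261: HEAD + ["dn", "attributes"] + NET,
    262: HEAD + ["dn", "new_dn", "delete_old_rdn"] + NET,
    263: HEAD + ["base_dn", "filter", "scope", "requested_attrs"] + NET,
    264: HEAD + ["dn", "attribute", "value"] + NET,
}

def normalize(event):
    """Return a flat record with named fields for one LDAPFW event dict."""
    system, data = event["system"], event.get("event_data", {})
    eid = system["event_id"]
    out = {"event_id": eid, "time": system["time_created"], "computer": system["computer"]}
    names = SCHEMA.get(eid)
    if names is None:               # no documented fields: keep the raw payload
        out["raw"] = dict(data)
        return out
    for i, name in enumerate(names):
        key = f"Data_{i}"
        if key not in data:         # schema drift: fail loudly instead of shifting fields
            raise ValueError(f"event {eid} is missing {key} ({name})")
        out[name] = data[key]
    out["src_port"] = int(out["src_port"])
    out["blocked"] = out["action"] == "Blocked"
    if eid == 263:                  # semicolon-separated attribute list
        out["requested_attrs"] = [a for a in out["requested_attrs"].split(";") if a]
    if eid == 262:                  # "True"/"False" string to bool
        out["delete_old_rdn"] = out["delete_old_rdn"] == "True"
    return out

# Constructed sample input in the page's JSON shape (values shortened or invented).
SAMPLES = json.loads(r'''[
 {"system": {"event_id": 260, "time_created": "2026-03-13T20:16:10+00:00", "computer": "LAB-DC01.ludus.domain"},
  "event_data": {"Data_0": "ludus\\domainadmin", "Data_1": "Allowed",
                 "Data_2": "CN=EVTGEN-PC02,OU=EventGenTest,DC=ludus,DC=domain",
                 "Data_3": "127.0.0.1", "Data_4": "54871", "Binary": ""}},
 {"system": {"event_id": 263, "time_created": "2026-03-13T18:46:46+00:00", "computer": "LAB-DC01.ludus.domain"},
  "event_data": {"Data_0": "ludus\\localuser", "Data_1": "Blocked", "Data_2": "DC=ludus,DC=domain",
                 "Data_3": "(objectClass=user)", "Data_4": "Subtree", "Data_5": "name;objectSid",
                 "Data_6": "192.0.2.10", "Data_7": "51405", "Binary": ""}}
]''')

RECORDS = [normalize(e) for e in SAMPLES]
```

Records for event IDs without a field table on this page come back with the untouched `event_data` under `raw`, so installation and removal events (257, 258) still reach the pipeline.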