Microsoft-Windows-LDAP-Client

31 events across 1 channel

Event ID	Title	Channel
1		Debug
2		Debug
3		Debug
4		Debug
5		Debug
6		Debug
7		Debug
8		Debug
9		Debug
10		Debug
11		Debug
12		Debug
13		Debug
14		Debug
15		Debug
16		Debug
17		Debug
18		Debug
19		Debug
20		Debug
21		Debug
22		Debug
23		Debug
24		Debug
25		Debug
26		Debug
27		Debug
28		Debug
29		Debug
30		Debug
31		Debug

Event ID 1 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 2 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 3 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 4 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 5 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 6 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 7 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 8 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 9 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 10 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 11 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 12 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 13 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 14 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 15 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 16 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 17 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 18 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 19 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 20 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 21 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 22 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 23 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 24 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 25 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 26 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 27 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 28 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 29 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—

Event ID 30 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`ScopeOfSearch` UInt32	—
`SearchFilter` UnicodeString	—
`DistinguishedName` UnicodeString	—
`AttributeList` UnicodeString	—
`ProcessId` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-LDAP-Client",
    "guid": "{099614a5-5dd7-4788-8bc9-e29f43db28fc}",
    "event_source_name": "",
    "event_id": "30",
    "version": "0",
    "level": "0",
    "task": "0",
    "opcode": "0",
    "keywords": 9223372036854775809,
    "time_created": "2026-03-15T23:27:04.871669900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3912",
      "thread_id": "13412"
    },
    "channel": "Microsoft-Windows-LDAP-Client/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ScopeOfSearch": "       0",
    "SearchFilter": "(objectclass=*)",
    "DistinguishedName": "",
    "AttributeList": "supportedCapabilities",
    "ProcessId": "0xF48"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Potential Active Directory Reconnaissance/Enumeration Via LDAP source medium: Detects potential Active Directory enumeration via LDAP

Event ID 31 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`Message` AnsiString	—