Event ID 30 —

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields #

Name	Description
`ScopeOfSearch` UInt32	—
`SearchFilter` UnicodeString	—
`DistinguishedName` UnicodeString	—
`AttributeList` UnicodeString	—
`ProcessId` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-LDAP-Client",
    "guid": "{099614a5-5dd7-4788-8bc9-e29f43db28fc}",
    "event_source_name": "",
    "event_id": "30",
    "version": "0",
    "level": "0",
    "task": "0",
    "opcode": "0",
    "keywords": 9223372036854775809,
    "time_created": "2026-03-15T23:27:04.871669900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3912",
      "thread_id": "13412"
    },
    "channel": "Microsoft-Windows-LDAP-Client/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ScopeOfSearch": "       0",
    "SearchFilter": "(objectclass=*)",
    "DistinguishedName": "",
    "AttributeList": "supportedCapabilities",
    "ProcessId": "0xF48"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Potential Active Directory Reconnaissance/Enumeration Via LDAP source medium: Detects potential Active Directory enumeration via LDAP