# ldap\_scanning\_internal **Explanation** This NDM was written by the Netography Threat Research team to detect unauthorized LDAP scanning activity within a customer's network. **What to Look For** When examining the results of the ldap\_scanning\_internal event, it is important to look for any activity that is indicative of LDAP scanning. LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information services, such as Active Directory. LDAP scanning involves searching for and querying specific LDAP attributes and can be used to gather information about users and system configurations. If LDAP scanning activity is detected, it may be the result of an attacker attempting to gather information for a future attack or to exploit vulnerabilities in the LDAP system. Customers should ensure that authorized LDAP scanners, such as network monitors, are added to the "Discard" function in this NDM to avoid triggering false positives. It's important to remediate any unauthorized LDAP scanning activity as it could be an indication of a potential attack or data breach. **Related MITRE ATT\&CK Categories** [Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_internal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.