# ldap\_scanning\_outside\_to\_inside

**Explanation**

The ldap\_scanning\_outside\_to\_inside NDM is designed to detect LDAP scanning attempts originating from outside the network targeting LDAP servers residing inside the network. LDAP scanning typically involves queries against LDAP servers to gather information about network resources and can be an early phase of an attack.

**What to Look For**

To detect and remediate the issue, customers should look for inbound LDAP scanning attempts from external IP addresses. LDAP, or Lightweight Directory Access Protocol, is a protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Customers should examine their network and endpoint logs to identify suspicious LDAP traffic. Once it is identified, customers should verify whether the LDAP scan was successful and whether there was any unauthorized access to sensitive information. Immediate action should be taken to block the external IP and eliminate any security gaps that may have been exploited.
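
The log review described above can be sketched as follows. This is an added example, not the detection model's own logic: it flags external sources that contact several distinct internal hosts on LDAP ports. The flow-record layout, the RFC 1918 internal ranges, and the `min_targets` threshold are assumptions to adapt to your environment.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Well-known LDAP service ports: LDAP, LDAPS, Global Catalog, Global Catalog over TLS.
LDAP_PORTS = {389, 636, 3268, 3269}
# Assumption: the internal address space is RFC 1918; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (timestamp, src, dst, dst_port, proto); not real traffic.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z,203.0.113.7,10.0.1.10,389,tcp
2024-05-01T10:00:02Z,203.0.113.7,10.0.1.11,389,tcp
2024-05-01T10:00:02Z,203.0.113.7,10.0.1.12,636,tcp
2024-05-01T10:00:03Z,203.0.113.7,10.0.1.13,3268,tcp
2024-05-01T10:00:05Z,198.51.100.20,10.0.1.10,636,tcp
2024-05-01T10:00:06Z,10.0.5.44,10.0.1.10,389,tcp
2024-05-01T10:00:07Z,203.0.113.7,10.0.1.10,443,tcp
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_ldap_scanners(flow_csv, min_targets=3):
    """Return {external_src: sorted internal LDAP targets} for sources that
    contacted at least min_targets distinct internal hosts on LDAP ports."""
    targets = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        _ts, src, dst, dport, _proto = row
        try:
            outside_to_inside = not is_internal(src) and is_internal(dst)
            port = int(dport)
        except ValueError:
            continue  # skip unparsable addresses or ports
        if outside_to_inside and port in LDAP_PORTS:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, hosts in find_external_ldap_scanners(SAMPLE_FLOWS).items():
        print(f"{src} probed {len(hosts)} internal LDAP hosts: {', '.join(hosts)}")
```

Each flagged source still needs the follow-up the paragraph describes: check whether any of the listed hosts actually answered, and whether a bind or search returned directory data.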

**Related MITRE ATT\&CK Categories**

[Reconnaissance: Active Scanning, Technique T1595 - Enterprise](https://attack.mitre.org/techniques/T1595)


