https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-help-ad/m-p/1235782#M8642 <P>&nbsp;</P> <P data-start="886" data-end="1078">Hi everyone,<BR /><BR />Anyone know how to query what types of AD queries users run?<BR />I want to (1) find users/computers doing AD enumeration and (2) see what kind of enumeration they ran.</P> <P data-start="1080" data-end="1125">&nbsp;</P> <P>&nbsp;</P> Mon, 11 Aug 2025 13:48:30 GMT tlmarques 2025-08-11T13:48:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-help-ad/m-p/1235782#M8642 <P>&nbsp;</P> <P data-start="886" data-end="1078">Hi everyone,<BR /><BR />Anyone know how to query what types of AD queries users run?<BR />I want to (1) find users/computers doing AD enumeration and (2) see what kind of enumeration they ran.</P> <P data-start="1080" data-end="1125">&nbsp;</P> <P>&nbsp;</P> Mon, 11 Aug 2025 13:48:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-help-ad/m-p/1235782#M8642 tlmarques 2025-08-11T13:48:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-help-ad/m-p/1235792#M8643 <P>Hi Tlmarques,&nbsp;</P> <P>First you should enable the security auditing logs:</P> <P>&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Enable-security-auditing-event-IDs-with-GPO" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Enable-security-auditing-event-IDs-with-GPO</A></P> <P>&nbsp;</P> <P>You can search on the security events that show that AD enumeration has been done.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Mon, 11 Aug 2025 15:05:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-help-ad/m-p/1235792#M8643 eluis 2025-08-11T15:05:23Z