Overview 💥
Partners and their customers may receive security alerts from Microsoft Sentinel (or similar SIEM platforms) flagging high-volume LDAP traffic originating from endpoints where the Liongard Agent is installed.
These alerts typically present as:
Sentinel Incident: "Honeytoken was queried via LDAP"
Event Classification: T1087.002 — Domain Account Enumeration (MITRE ATT&CK)
Source Process: windows-workstation-inspector.exe or LiongardAgent.exe
Alert Severity: Low to Medium
Trigger: During or shortly after a Liongard scheduled inspector check-in
✅ Confirmed Safe:
This activity is not malicious. The LDAP queries are generated by the Liongard Windows Workstation Inspector as part of its normal domain data collection process.
Screenshot: Microsoft Sentinel Overview showing the Incidents dashboard and alerts summary where honeytoken alerts may appear.
Why This Happens 🤔
Domain Extraction Feature
The Windows Workstation Inspector supports a feature called Domain Extraction that collects domain identity information such as:
Domain Users
Security Groups
Organizational Units (OUs)
When enabled, the inspector performs a broad LDAP query against the Active Directory domain.
Example command:
windows-workstation-inspector.exe <INSPECTOR_ID> --enableDomainExtraction true
Because this query enumerates all domain objects, it may also query honeytoken accounts configured in the environment.
Security monitoring tools such as Microsoft Sentinel detect this activity and may flag it as MITRE ATT&CK T1087.002 – Domain Account Discovery.
⚠️ From the LDAP query alone, Sentinel cannot distinguish an authorized IT management tool from malicious reconnaissance, so the result is a false positive alert.
Liongard Agent Behavior 🧑🏫
Understanding the expected behavior of the Liongard Agent helps determine whether activity is legitimate.
What the Liongard Agent Does (and Does Not Do)
✅ The Liongard Agent DOES | ❌ The Liongard Agent Does NOT |
Perform scheduled LDAP queries to enumerate domain accounts and groups | Move laterally between hosts or authenticate to other machines |
Query all domain objects as part of domain extraction | Execute payloads, scripts, or commands outside its inspector bundle |
Report collected data outbound to | Access, modify, or exfiltrate user data, files, or emails |
Run as a scheduled service under the configured service account | Escalate privileges beyond what the service account holds |
Detect and report changes in installed software, users, and config | Communicate with any destination other than Liongard's cloud API |
Expected Network Behaviour 🧑💻
All Liongard Agent communication is outbound only, over HTTPS (port 443), to:
api.eu1.app.liongard.com — EU tenants
api.app.liongard.com — US tenants
The agent sends periodic heartbeats (every 3 minutes) and inspector results. It does not open inbound ports, communicate peer-to-peer between agents, or make direct network connections to domain controllers. LDAP queries are made locally on the workstation using the Windows LDAP API.
Hybrid AD Joined Devices
LDAP activity is expected and more frequent on devices that are Microsoft Entra Hybrid Joined (previously Hybrid Azure AD Joined), as these devices have line-of-sight to both on-premises Active Directory and Azure AD. This is consistent behaviour and does not indicate misconfiguration.
Network Requirements
The Liongard Agent communicates outbound only over HTTPS.
Required endpoints:
api.app.liongard.com
api.instanceprefix.app.liongard.com
Required port:
TCP 443 (HTTPS)
Agent behavior includes:
Heartbeat every 3 minutes
Scheduled inspector check-ins
No inbound ports required
No peer-to-peer communication
💡 LDAP queries occur locally via the Windows LDAP API, not through direct network communication initiated by the agent.
Steps to Resolve 👨🔧
Option 1 — Suppress the Alert in Microsoft Sentinel (Recommended)
The recommended resolution is to exclude Liongard processes from the Sentinel analytic rule.
Step 1 — Locate the Analytic Rule
In Microsoft Sentinel:
Navigate to Analytics
Select Active Rules
Locate the rule:
Honeytoken was queried via LDAP
Step 2 — Add Process Exclusion
Edit the rule and add the following filter:
| where InitiatingProcessName !in ("windows-workstation-inspector.exe", "LiongardAgent.exe")
If your query uses a different field:
| where ProcessName !contains "windows-workstation-inspector"
| where ProcessName !contains "LiongardAgent"
KQL Query Editor in Sentinel
Step 3 — Optional: Exclude the Liongard Service Account
If a dedicated Liongard service account is used:
| where AccountName != "<liongard-service-account>"
⚠️ Important:
Only exclude the service account from this specific analytic rule.
Do not disable monitoring for the account across all Sentinel rules.
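The following is an added example, not part of the Liongard article: a small Python model of the exclusion filters from Steps 2 and 3, run over constructed sample events so the scoping can be checked offline before the analytic rule is edited. It assumes the field names the article uses (InitiatingProcessName, ProcessName, AccountName); the sample events and the service account name svc-liongard are constructed, and it also shows the difference between KQL `!in` (case-sensitive, exact match) and `!contains` (case-insensitive substring).

```python
# Added example, not from the Liongard article: models the Sentinel exclusion
# filters in Python. Field names follow the article; events are constructed.
from typing import Iterable, List, Optional

LIONGARD_PROCESSES = ("windows-workstation-inspector.exe", "LiongardAgent.exe")


def excluded_by_in(event: dict) -> bool:
    """Model of `| where InitiatingProcessName !in (...)`.
    KQL `in` is case-sensitive, so this is an exact string match."""
    return event.get("InitiatingProcessName", "") in LIONGARD_PROCESSES


def excluded_by_contains(event: dict) -> bool:
    """Model of `| where ProcessName !contains "windows-workstation-inspector"`
    and `| where ProcessName !contains "LiongardAgent"`.
    KQL `contains` is case-insensitive, so compare lower-cased substrings;
    this also matches when ProcessName carries a full path."""
    name = event.get("ProcessName", "").lower()
    return "windows-workstation-inspector" in name or "liongardagent" in name


def excluded_by_account(event: dict, service_account: str) -> bool:
    """Model of the optional `| where AccountName != "<liongard-service-account>"`."""
    return event.get("AccountName", "") == service_account


def remaining_alerts(events: Iterable[dict], service_account: Optional[str] = None) -> List[dict]:
    """Events the tuned rule would still raise: anything no exclusion matched."""
    kept = []
    for ev in events:
        if excluded_by_in(ev) or excluded_by_contains(ev):
            continue
        if service_account and excluded_by_account(ev, service_account):
            continue
        kept.append(ev)
    return kept


# Constructed sample events in the shape the rule filters on (not real telemetry).
SAMPLE_EVENTS = [
    {"InitiatingProcessName": "windows-workstation-inspector.exe", "AccountName": "svc-liongard", "Host": "WS01"},
    {"InitiatingProcessName": "liongardagent.exe", "AccountName": "svc-liongard", "Host": "WS02"},  # lower-cased in log
    {"ProcessName": "c:\\tools\\LiongardAgent.exe", "AccountName": "svc-liongard", "Host": "WS03"},
    {"InitiatingProcessName": "powershell.exe", "AccountName": "jdoe", "Host": "WS04"},  # unrelated honeytoken query
]

if __name__ == "__main__":
    for ev in remaining_alerts(SAMPLE_EVENTS, service_account="svc-liongard"):
        print("still alerts:", ev["Host"], ev.get("InitiatingProcessName") or ev.get("ProcessName"))
```

Without the service-account exclusion, the lower-cased WS02 event survives the `!in` filter; with it, only the unrelated WS04 query still alerts, which is the outcome to confirm in Step 4.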
Step 4 — Validate the Resolution
Save the updated analytic rule
Wait for the next Liongard inspection cycle
Confirm the alert no longer triggers
Close the incident as False Positive
Option 2 — Disable Domain Extraction
If your SOC policy requires that honeytoken accounts must never be queried, Domain Extraction can be disabled.
⚠️ Note: Disabling this feature prevents Liongard from collecting domain user and group information.
✅ Steps
Log in to the Liongard platform
Navigate to: Admin → Inspectors → Windows Workstation
Locate the inspector configuration for affected endpoints
Disable Domain Extraction.
Save the configuration
Restoring Agents After Security Isolation 🌟
If machines were isolated after the alert, the Liongard Agent may appear Offline.
Common errors in agent logs:
dial tcp: lookup api.eu1.app.liongard.com: no such host
context deadline exceeded
dial tcp x.x.x.x:443: connectex: access permissions error
Resolution 🤩
1. Remove the machine from restricted network policies
2. Allow outbound HTTPS access to:
api.app.liongard.com
api.eu1.app.liongard.com
3. Restart the Liongard Agent service:
Services → LiongardAgent → Restart
The agent should reconnect within 3 minutes.
Best Practices For Prevention 🚀
Recommendation | Benefit |
Add Liongard process exclusion in Sentinel | Prevent recurring false positive alerts |
Use a dedicated Liongard service account | Enables targeted SIEM exclusions |
Whitelist Liongard API endpoints | Prevents agent connectivity issues |
Document Liongard processes in SOC runbooks | Reduces investigation time |
Review Domain Extraction configuration | Ensures LDAP queries are expected |
Reference Information 🤓
Item | Value |
Inspector | Windows Workstation Inspector |
Inspector Process | windows-workstation-inspector.exe |
Agent Process | LiongardAgent.exe |
Agent Log Path | C:\Program Files (x86)\LiongardInc\LiongardAgent\Logs\ |
API Endpoint (US) | api.app.liongard.com |
API Endpoint (EU) | api.eu1.app.liongard.com |
Required Port | TCP 443 |
MITRE Technique | T1087.002 – Domain Account Discovery |
Sentinel Rule | Honeytoken was queried via LDAP |
Supported Devices | Windows 10 / Windows 11 |
Support Contact | support@liongard.com or via the Liongard Partner Portal. |