Hello Michael,
You will find entries describing DHAP events in the mail_logs of the Cisco IronPort Email Security Appliance (ESA).
Here is an example of an entry in the mail_logs, where "DHAP" occurred.
"Tue Oct 18 00:25:35 2005 Warning: LDAP: Dropping connection due to
potential Directory Harvest Attack from host=(192.168.10.1', None),
dhap_limit=4, sender_group=SUSPECTLIST"
The following query can be used from the ESA's CLI to look for DHAP events in the mail_logs:
grep "dhap_limit=" mail_logs
Regards,
-Jerry Orona
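
Added example, not part of the original reply and not Cisco code: a Python sketch for triaging DHAP drops in a mail_logs file that has been exported off the appliance, counting drops per connecting host. The function names and every sample line other than the entry quoted above are constructed, and the regular expressions assume the entry layout shown in the post (including its wrapped lines and the unbalanced quote in host=).

```python
import re
from collections import Counter

# Constructed sample: the entry quoted in the post (wrapped as shown there),
# followed by constructed lines in the same layout.
SAMPLE_LOG = """\
Tue Oct 18 00:25:30 2005 Info: constructed non-DHAP line
Tue Oct 18 00:25:35 2005 Warning: LDAP: Dropping connection due to
potential Directory Harvest Attack from host=(192.168.10.1', None),
dhap_limit=4, sender_group=SUSPECTLIST
Tue Oct 18 00:31:02 2005 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('192.168.10.1', None), dhap_limit=4, sender_group=SUSPECTLIST
Tue Oct 18 00:40:12 2005 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('192.168.10.7', None), dhap_limit=4, sender_group=SUSPECTLIST
"""

# A new entry starts with a timestamp such as "Tue Oct 18 00:25:35 2005 ".
TS = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} ")
# Tolerates a missing quote around the host address, as in the quoted entry.
DHAP = re.compile(r"host=\('?([^',)]+)'?,.*?dhap_limit=(\d+),\s*sender_group=(\w+)")

def unwrap(text):
    """Join continuation lines onto the entry that precedes them."""
    entries = []
    for line in text.splitlines():
        if TS.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def dhap_events(text):
    """Return one dict per DHAP drop found in the log text."""
    events = []
    for entry in unwrap(text):
        m = DHAP.search(entry)
        if m:
            events.append({"time": entry[:24], "host": m.group(1),
                           "dhap_limit": int(m.group(2)),
                           "sender_group": m.group(3)})
    return events

def drops_per_host(text):
    """Count DHAP drops per connecting host."""
    return Counter(e["host"] for e in dhap_events(text))

if __name__ == "__main__":
    for host, n in drops_per_host(SAMPLE_LOG).most_common():
        print(host, n)
```

Hosts that recur in the count are candidates for review of the sender group they land in and of its DHAP limit.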