Need to know who is changing password for users using KQL

Techno89 61 Reputation points
2021-10-06T06:59:47.703+00:00

My team has been asked to submit a report of users who are changing passwords for other users in Azure AD. We recently onboarded with Sentinel and were trying to do this via Sentinel KQL so that we can use the Automation to block those users directly.
But we are not able to project the user principal name of the users who change the password.
In the query we do see the output containing the UPN, but projecting it does not give any UPN.
Any idea why?


Accepted answer
    VipulSparsh-MSFT 16,216 Reputation points Microsoft Employee
    2021-10-06T10:21:53.79+00:00

    @Techno89 Thanks for sharing the screenshot, it now makes sense. The reason you are not able to use userPrincipalName is because it is not a direct attribute in the result but sits under another entity. See the screenshot below to understand:

    [Screenshot: 138142-image.png]

    So in order to fetch it you have to go via InitiatedBy, then user, and then userPrincipalName.

    Here is the modified query from my lab, which will give you who performed the password change; you can modify it according to your needs.

    AuditLogs
    | where OperationName == "Change user password"
    // InitiatedBy is a dynamic column; tostring() turns the nested UPN into a plain string
    | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
    | project Actor, TimeGenerated

    [Screenshot: 138162-image.png]


    2 people found this answer helpful.
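The question asks specifically for users who change passwords for other users, so the actor alone is not enough: the affected account also has to be pulled out. The following query is an added example, not part of the accepted answer, that pairs the actor with the target from TargetResources and drops self-service changes where both are the same account. It assumes the standard Azure AD AuditLogs schema in Sentinel; the "Reset user password" operation name is an assumption and should be checked against the operation names present in your own tenant.

```kql
// Added example (not from the original answer): who changed or reset another
// user's password in the last 7 days, with the accounts they touched.
AuditLogs
| where TimeGenerated > ago(7d)
// "Change user password" is from the answer above; "Reset user password" is an
// assumed admin-reset operation name, verify it in your tenant's audit log
| where OperationName in ("Change user password", "Reset user password")
| where Result == "success"
| extend Actor    = tostring(InitiatedBy.user.userPrincipalName),
         ActorApp = tostring(InitiatedBy.app.displayName),
         Target   = tostring(TargetResources[0].userPrincipalName)
// self-service changes have the same actor and target; those are not of interest here
| where isnotempty(Actor) and Actor !~ Target
| summarize ChangeCount = count(),
            Targets     = make_set(Target, 100),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
    by Actor, ActorApp, OperationName
| order by ChangeCount desc
```

Rows with an empty Actor but a populated ActorApp are service-principal or portal-driven changes and are filtered out here; relax the isnotempty() filter if those should also feed the automation rule.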
