Techno89 asked vipulsparsh-MSFT commented

Need to know who is changing password for users using KQL

My team has been asked to submit a report of users who are changing passwords for other users in Azure AD. We recently onboarded with Sentinel and were trying to do this via Sentinel KQL so that we can use the automation to block those users directly.
But we are not able to project the user principal name of the users who change the password.
In the query we do see the output containing the UPN, but projecting it does not give any UPN.
Any idea why?

azure-sentinel

@Techno89 Thanks for reaching out. I need more information in order to help you with this; can you share the following:

1) Share the KQL query you are running.
2) Confirm your end goal is to know who performed the password change from the Azure AD portal?

Techno89 replied with a screenshot of the query and its output (image1.png).

1 Answer

vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@Techno89 Thanks for sharing the screenshot, it now makes sense. The reason you are not able to use userPrincipalName is that it is not a direct attribute in the result but sits under another entity. See the screenshot below to understand:

[screenshot: image.png, showing the nested InitiatedBy entity in the AuditLogs result]

So in order to fetch it you have to go via InitiatedBy, then user, and then userPrincipalName.

Here is the modified query from my lab, which will give you who performed the password change; you can modify it according to your need.

 AuditLogs 
 | where OperationName == "Change user password"
 | extend Actor= InitiatedBy.user.userPrincipalName
 | project Actor, TimeGenerated


138162-image.png



Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



image.png (53.0 KiB)
image.png (25.2 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@vipulsparsh-MSFT Thanks for the explanation. Is there a way I can also get the user information for whom the password was changed? Currently I am only getting who changed it and the time.

@Techno89 this should help. Actor will show who changed the password, and target will show whose password was changed.

 AuditLogs 
 | where OperationName == "Change user password"
 | extend Actor= InitiatedBy.user.userPrincipalName
 | extend target= TargetResources[0].userPrincipalName
 | project Actor, target
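As an added example (not a query from the thread), the same walk through InitiatedBy and TargetResources turned into a detection-style query for a Sentinel analytics rule: it keeps only successful operations, drops self-service changes where actor and target are the same UPN, and summarises per actor so the automation the question mentions has one row per administrator to act on. Column names follow the Sentinel AuditLogs schema; the lookback window and the make_set size are assumptions.

```kql
// Added example, not the answer's own query. Assumes the Sentinel AuditLogs
// schema (OperationName, Result, InitiatedBy, TargetResources); the 1-day
// lookback and the set size of 50 are illustrative assumptions.
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Change user password"
| where Result == "success"
// Walk the nested dynamic columns, as the answer describes, and force string
// types so the comparison and summarize below behave predictably.
| extend Actor  = tostring(InitiatedBy.user.userPrincipalName)
| extend Target = tostring(TargetResources[0].userPrincipalName)
// Drop app/service-initiated records (no user actor) and self-service changes,
// leaving only cases where one user changed another user's password.
| where isnotempty(Actor) and Actor !~ Target
| summarize Changes = count(),
            Targets = make_set(Target, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by Actor
// Most active actors first; tune the window and any alert threshold per tenant.
| order by Changes desc
```

Each row is one actor with the list of accounts whose passwords they changed, which is the shape a playbook needs to review or block the actor rather than a flat per-event list.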