Query Details

AAD Password Protection All Events

Query

//If you add "Microsoft-AzureADPasswordProtection-DCAgent/Admin" as a log source to Sentinel/Log Analytics you can query Azure AD Password Protection events
Event
| where Source == "Microsoft-AzureADPasswordProtection-DCAgent"
| where EventID in ("10014", "10015", "10016", "30002", "30004", "30026", "10024", "30008", "30010", "30028", "30024", "30003", "30005", "30027", "30022", "30007", "10025", "30009", "30029", "30023")

Explanation

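This query returns Azure AD Password Protection events from the Event table in Sentinel/Log Analytics. It keeps only rows whose Source is "Microsoft-AzureADPasswordProtection-DCAgent" and whose EventID is one of the listed values. These events are present only if the "Microsoft-AzureADPasswordProtection-DCAgent/Admin" log has been added as a log source.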

Details

Matt Zorich

Released: April 18, 2022

Tables

Event

Keywords

Event,Source,EventID

Operators

where, ==, in
