Query Details

Bulk Password Profile Updates Across Multiple Users

AR 006 Bulk Password Profile Updates

Query

// --- Configurable ---
let UpdateThreshold = 5;
// --------------------
AuditLogs
| where TimeGenerated > ago(2h)
| where ActivityDisplayName in (
    "Update PasswordProfile",
    "Update StsRefreshTokenValidFrom Timestamp",
    "Reset user password",
    "Change user password")
| where Result == "success"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetUser     = tostring(TargetResources[0].displayName)
| extend TargetUserUPN  = tostring(TargetResources[0].userPrincipalName)
| summarize
    UpdateCount       = count(),
    DistinctTargets   = dcount(TargetUserUPN),
    TargetUsers       = make_set(TargetUserUPN, 20),
    Operations        = make_set(ActivityDisplayName),
    FirstEvent        = min(TimeGenerated),
    LastEvent         = max(TimeGenerated),
    CorrelationIds    = make_set(CorrelationId, 5)
    by Actor, InitiatedByUPN, bin(TimeGenerated, 1h)
| where UpdateCount >= UpdateThreshold and DistinctTargets >= 3
| extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)

Explanation

This query is designed to detect suspicious activity related to bulk password or token updates in Azure Active Directory. Here's a simple summary:

  • Purpose: The query identifies when a single user (or actor) successfully updates the password profile or token information for five or more different user accounts within a one-hour period. This behavior is unusual and could indicate malicious activity, such as an attacker trying to reset passwords or revoke tokens to disrupt security responses.

  • Context: Such bulk updates might occur during exploitation of Azure AD Connect sync or when an attacker is manipulating multiple accounts. It's considered suspicious unless performed by a known, privileged service account.

  • Severity: The alert is marked as high severity due to the potential security implications.

  • Data Source: It uses audit logs from Azure Active Directory to track these activities.

  • Frequency: The query runs every hour and looks back over the past two hours to identify any such activities.

  • Alert Details: If the conditions are met, an alert is generated, detailing the number of operations, the number of affected accounts, and the actor responsible.

  • Customization: The alert message and details are customizable to provide clear information about the incident.

Overall, this query helps in identifying potential security threats related to unauthorized bulk password or token updates in an organization's Azure environment.

Details

David Alonso profile picture

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogsAzureActiveDirectoryUserAccountActorTargetUserTargetUserUPNOperationsCorrelationIdsTimeGeneratedDurationMinutes

Operators

letagoiniffisnotemptytostringsummarizecountdcountmake_setminmaxbinwhereextenddatetime_diff

Severity

High

Tactics

PersistenceImpact

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub