Query Details

Bulk Password Profile Updates Across Multiple Users

AR 006 Bulk Password Profile Updates

Query

// --- Configurable ---
let UpdateThreshold = 5;
// --------------------
AuditLogs
| where TimeGenerated > ago(2h)
| where ActivityDisplayName in (
    "Update PasswordProfile",
    "Update StsRefreshTokenValidFrom Timestamp",
    "Reset user password",
    "Change user password")
| where Result == "success"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetUser     = tostring(TargetResources[0].displayName)
| extend TargetUserUPN  = tostring(TargetResources[0].userPrincipalName)
| summarize
    UpdateCount       = count(),
    DistinctTargets   = dcount(TargetUserUPN),
    TargetUsers       = make_set(TargetUserUPN, 20),
    Operations        = make_set(ActivityDisplayName),
    FirstEvent        = min(TimeGenerated),
    LastEvent         = max(TimeGenerated),
    CorrelationIds    = make_set(CorrelationId, 5)
    by Actor, InitiatedByUPN, bin(TimeGenerated, 1h)
| where UpdateCount >= UpdateThreshold and DistinctTargets >= 3
| extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)

Explanation

This query is designed to detect suspicious activity related to bulk password or token updates in an Azure Active Directory environment. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies instances where a single user or application (referred to as "actor") successfully updates the password profile or token validity timestamp for five or more different user accounts within a one-hour period. This behavior can indicate potential security threats, such as exploitation of Azure AD Connect or unauthorized password resets by an attacker.

  2. Severity: The alert generated by this query is considered high severity because such actions can be indicative of malicious activity aimed at maintaining persistence or impacting the system.

  3. Data Source: It uses audit logs from Azure Active Directory to track these events.

  4. Detection Logic:

    • It looks for specific activities: "Update PasswordProfile", "Update StsRefreshTokenValidFrom Timestamp", "Reset user password", and "Change user password".
    • It filters for successful operations only.
    • It groups the data by the actor and counts the number of distinct user accounts affected.
    • If an actor updates five or more different accounts within an hour, it triggers an alert.
  5. Alert Details: The alert provides information about the number of operations, the distinct accounts affected, and the actor responsible. It also includes the time duration over which these updates occurred.

  6. Use Case: This query is useful for security teams to identify and respond to potential unauthorized access or manipulation of user accounts in a timely manner.

  7. Additional Information: The query references tools and techniques related to account manipulation, such as AADInternals and MITRE ATT&CK techniques T1098 (Account Manipulation), T1531, and T1070. Overall, this query helps in monitoring and detecting unusual patterns of account updates that could signify a security breach or misuse of administrative privileges.

Details

David Alonso profile picture

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogsAzureActiveDirectoryAccountUserActorTargetUserTargetUserUPNOperationsCorrelationIdsTimeGeneratedDurationMinutes

Operators

letagoiniffisnotemptytostringsummarizecountdcountmake_setminmaxbindatetime_diff

Severity

High

Tactics

PersistenceImpact

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub