Query Details
```kql
// Alert on successful self-service password resets at suspicious times
// Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
// Shift TimeGenerated (UTC) to your local time zone; 5h is an example offset
| extend LocalTime = TimeGenerated + 5h
| where LocalTime > ago(7d)
| where OperationName == "Reset password (self-service)"
| where ResultDescription == "Successfully completed reset."
// Change the hours of the day to suit your company. KQL between is inclusive on both
// ends, so (4 .. 23) drops hours 4 through 23 and keeps resets from midnight to 3:59am;
// use (4 .. 22) if the 11pm hour should be flagged as well.
| where hourofday(LocalTime) !between (4 .. 23)
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['IP Address of User'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project LocalTime, OperationName, ResultDescription, User, ['IP Address of User']
```
This query is used to create an alert for successful self-service password resets that occur at suspicious times. It requires the Azure Active Directory - Audit Logs data connector. The query first shifts `TimeGenerated` into local time and limits the lookback to the last 7 days, then filters the audit logs to only the self-service password reset events that completed successfully. It then keeps only events that occurred outside a configurable range of hours (in this case, between 4am and 11pm; because `between` is inclusive, the 11pm hour itself is excluded from the alert). Finally, the query parses the `InitiatedBy.user` dynamic field and displays the local time, operation name, result description, user principal name, and IP address of the user who performed the reset.
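As an added illustration (not code from the original page or its author), the following Python reimplements the query's filtering and projection logic over a handful of constructed AuditLogs rows, so the time-window behaviour can be checked offline. The rows, user names, IP addresses and the `detect_suspicious_resets` helper are all assumptions made for this example; the inclusive `between` semantics mirror KQL, and the lookback is computed from a fixed "now" in UTC, as `ago(7d)` does in the query.

```python
from datetime import datetime, timedelta, timezone
import json

# Constructed sample AuditLogs rows for this example; not real tenant data.
SAMPLE_AUDIT_LOGS = [
    # 21:30 UTC + 5h = 02:30 local: successful reset inside the midnight-3:59am window -> alert
    {"TimeGenerated": "2022-06-15T21:30:00Z",
     "OperationName": "Reset password (self-service)",
     "ResultDescription": "Successfully completed reset.",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"}}},
    # 18:30 UTC + 5h = 23:30 local: hour 23 lies inside the inclusive 4..23 range -> no alert
    # (the dynamic column is given as a JSON string here to exercise the parse_json(tostring(...)) path)
    {"TimeGenerated": "2022-06-16T18:30:00Z",
     "OperationName": "Reset password (self-service)",
     "ResultDescription": "Successfully completed reset.",
     "InitiatedBy": {"user": json.dumps({"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"})}},
    # 22:00 UTC + 5h = 03:00 local, but the reset did not succeed -> no alert
    {"TimeGenerated": "2022-06-16T22:00:00Z",
     "OperationName": "Reset password (self-service)",
     "ResultDescription": "Reset failed.",  # constructed result text
     "InitiatedBy": {"user": {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44"}}},
    # 05:00 UTC + 5h = 10:00 local: business hours -> no alert
    {"TimeGenerated": "2022-06-16T05:00:00Z",
     "OperationName": "Reset password (self-service)",
     "ResultDescription": "Successfully completed reset.",
     "InitiatedBy": {"user": {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.99"}}},
    # 21:00 UTC + 5h = 02:00 local, but older than the 7-day lookback -> no alert
    {"TimeGenerated": "2022-06-01T21:00:00Z",
     "OperationName": "Reset password (self-service)",
     "ResultDescription": "Successfully completed reset.",
     "InitiatedBy": {"user": {"userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.200"}}},
]


def parse_dynamic(value):
    """Equivalent of parse_json(tostring(x)): accept a dict or a JSON string, return a dict."""
    if value is None:
        return {}
    if isinstance(value, str):
        return json.loads(value)
    return value


def hourofday_between(hour, lo, hi):
    """KQL `between` is inclusive on both ends."""
    return lo <= hour <= hi


def detect_suspicious_resets(rows, now_utc, tz_offset_hours=5, excluded_hours=(4, 23), lookback_days=7):
    """Return the projected rows the KQL query would alert on.

    rows            -- AuditLogs-shaped dicts (assumed shape for this example)
    now_utc         -- aware UTC datetime standing in for now()
    tz_offset_hours -- the `+ 5h` shift applied to TimeGenerated
    excluded_hours  -- the inclusive (lo .. hi) range passed to `!between`
    """
    lo, hi = excluded_hours
    cutoff = now_utc - timedelta(days=lookback_days)  # ago(7d), evaluated in UTC as in the query
    results = []
    for row in rows:
        generated = datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        local_time = generated + timedelta(hours=tz_offset_hours)
        if not local_time > cutoff:
            continue
        if row.get("OperationName") != "Reset password (self-service)":
            continue
        if row.get("ResultDescription") != "Successfully completed reset.":
            continue
        if hourofday_between(local_time.hour, lo, hi):
            continue  # inside the allowed hours, not suspicious
        user = parse_dynamic(row.get("InitiatedBy", {}).get("user"))
        results.append({
            "LocalTime": local_time.strftime("%Y-%m-%dT%H:%M:%S"),
            "OperationName": row["OperationName"],
            "ResultDescription": row["ResultDescription"],
            "User": str(user.get("userPrincipalName", "")),
            "IP Address of User": str(user.get("ipAddress", "")),
        })
    return results


if __name__ == "__main__":
    now = datetime(2022, 6, 17, 0, 0, tzinfo=timezone.utc)
    for hit in detect_suspicious_resets(SAMPLE_AUDIT_LOGS, now):
        print(hit)
    # Widening the excluded range to (4 .. 22) also surfaces the 23:30 reset
    for hit in detect_suspicious_resets(SAMPLE_AUDIT_LOGS, now, excluded_hours=(4, 22)):
        print("with (4 .. 22):", hit["User"], hit["LocalTime"])
```

Running it with the default `(4, 23)` range yields only the 02:30 reset; switching to `(4, 22)` also returns the 23:30 event, which is the boundary to keep in mind when tuning the hours in the KQL.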

Matt Zorich
Released: June 17, 2022