Query Details

Audit Detect SSPR From Unknown IP

Query

//Detect a successful self-service password reset or account unlock from an IP address that the user hasn't successfully signed in from in the last 30 days

//Data connector required for this query - Azure Active Directory - Audit Logs
//Data connector required for this query - Azure Active Directory - Signin Logs

//Find successful password resets and account unlocks in the last day
AuditLogs
| where TimeGenerated > ago(1d)
| where (OperationName == "Unlock user account (self-service)" and ResultDescription == "Success")
    or (OperationName == "Reset password (self-service)" and ResultDescription == "Successfully completed reset.")
//InitiatedBy is a dynamic column; pull the acting user's UPN and source IP out of its user object
| extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project
    ['Reset or Unlock Time']=TimeGenerated,
    OperationName,
    UserPrincipalName,
    IPAddress
//Take the UserPrincipalName and IP address of the event and join back to the sign-in logs; leftanti keeps only rows with no successful sign-in from that user and IP in the last 30 days
| join kind=leftanti
    (
    SigninLogs
    | where TimeGenerated > ago(30d)
    | where ResultType == 0
    )
    on UserPrincipalName, IPAddress

Explanation

This query looks for successful self-service password resets or account unlocks from an IP address that the user hasn't successfully signed in from in the last 30 days. It uses the Azure Active Directory - Audit Logs and Azure Active Directory - Signin Logs data connectors.

First, it filters the Audit Logs to find successful password resets and account unlocks in the last day. It then extracts the UserPrincipalName and IPAddress from the InitiatedBy.user object. The results are projected to include the reset/unlock time, operation name, user principal name, and IP address.

Next, it joins these results with the Signin Logs on the UserPrincipalName and IPAddress fields. The join is a left anti-join, so only the audit events whose user and IP address pair has no successful sign-in in the last 30 days are kept.
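The same detection re-implemented in Python over constructed sample rows, as an added example that is not part of the page's KQL or the author's code. It mirrors the two halves of the query (the AuditLogs filter with the InitiatedBy parse, and the 30-day set of successful sign-ins used as the right side of the left anti-join) and adds a `fold_case` switch: KQL's join matches keys case-sensitively, so a UPN recorded as `Frank@` in AuditLogs and `frank@` in SigninLogs would alert, which the switch lets you see both ways. The sample users, IP addresses and the fixed "now" are all constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed "now" so the sample rows below have stable ages.
NOW = datetime(2022, 6, 18, 12, 0, tzinfo=timezone.utc)

# (OperationName, ResultDescription) pairs the page's KQL treats as a
# successful self-service reset or unlock.
SSPR_SUCCESS = {
    ("Unlock user account (self-service)", "Success"),
    ("Reset password (self-service)", "Successfully completed reset."),
}
RESET = "Reset password (self-service)"
UNLOCK = "Unlock user account (self-service)"


def _audit(hours_ago, op, result, upn, ip):
    """One constructed AuditLogs-shaped row; InitiatedBy is kept as a JSON
    string to mirror the dynamic column the KQL has to parse."""
    initiated_by = {"user": {"userPrincipalName": upn, "ipAddress": ip}}
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "OperationName": op,
        "ResultDescription": result,
        "InitiatedBy": json.dumps(initiated_by),
    }


def _signin(days_ago, upn, ip, result_type=0):
    """One constructed SigninLogs-shaped row (ResultType 0 = success)."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "UserPrincipalName": upn,
        "IPAddress": ip,
        "ResultType": result_type,
    }


# Constructed sample data: documentation IP ranges, example.com users.
AUDIT_LOGS = [
    _audit(2, RESET, "Successfully completed reset.", "alice@example.com", "203.0.113.10"),  # known IP
    _audit(3, UNLOCK, "Success", "bob@example.com", "198.51.100.7"),                         # never seen
    _audit(1, RESET, "Successfully completed reset.", "carol@example.com", "203.0.113.30"),  # seen 45d ago
    _audit(1, RESET, "Failed", "dave@example.com", "203.0.113.40"),                          # not a success
    _audit(48, RESET, "Successfully completed reset.", "erin@example.com", "203.0.113.50"),  # older than 1d
    _audit(4, RESET, "Successfully completed reset.", "Frank@example.com", "203.0.113.60"),  # UPN case differs
    _audit(5, UNLOCK, "Success", "grace@example.com", "203.0.113.70"),                       # only failed sign-ins
]
SIGNIN_LOGS = [
    _signin(5, "alice@example.com", "203.0.113.10"),
    _signin(2, "bob@example.com", "203.0.113.20"),
    _signin(45, "carol@example.com", "203.0.113.30"),
    _signin(3, "frank@example.com", "203.0.113.60"),
    _signin(1, "grace@example.com", "203.0.113.70", result_type=50126),
]


def sspr_events(audit_logs, now=NOW, lookback=timedelta(days=1)):
    """AuditLogs half of the query: successful resets/unlocks inside the
    lookback window, with user and source IP lifted out of InitiatedBy.user."""
    events = []
    for row in audit_logs:
        if row["TimeGenerated"] <= now - lookback:
            continue
        if (row["OperationName"], row["ResultDescription"]) not in SSPR_SUCCESS:
            continue
        user = json.loads(row["InitiatedBy"]).get("user") or {}
        events.append({
            "Reset or Unlock Time": row["TimeGenerated"],
            "OperationName": row["OperationName"],
            "UserPrincipalName": user.get("userPrincipalName", ""),
            "IPAddress": user.get("ipAddress", ""),
        })
    return events


def known_user_ips(signin_logs, now=NOW, lookback=timedelta(days=30), fold_case=True):
    """(UPN, IP) pairs with at least one successful sign-in in the window;
    this is the right-hand side of the left anti-join."""
    key = (lambda u: u.lower()) if fold_case else (lambda u: u)
    return {
        (key(r["UserPrincipalName"]), r["IPAddress"])
        for r in signin_logs
        if r["TimeGenerated"] > now - lookback and r["ResultType"] == 0
    }


def detect_sspr_from_unknown_ip(audit_logs, signin_logs, now=NOW, fold_case=True):
    """Left anti-join: keep each reset/unlock whose (user, IP) pair has no
    successful sign-in in the last 30 days. fold_case=False reproduces KQL's
    case-sensitive key matching."""
    known = known_user_ips(signin_logs, now, fold_case=fold_case)
    key = (lambda u: u.lower()) if fold_case else (lambda u: u)
    return [
        ev for ev in sspr_events(audit_logs, now)
        if (key(ev["UserPrincipalName"]), ev["IPAddress"]) not in known
    ]


if __name__ == "__main__":
    for hit in detect_sspr_from_unknown_ip(AUDIT_LOGS, SIGNIN_LOGS):
        print(hit["Reset or Unlock Time"], hit["OperationName"],
              hit["UserPrincipalName"], hit["IPAddress"])
```

With the sample data, bob (never signed in from that IP), carol (last seen from it 45 days ago, outside the window) and grace (only a failed sign-in from it) are flagged; alice is suppressed by a successful sign-in five days earlier, dave and erin never enter the left side. Running with `fold_case=False` additionally flags Frank, which is the behaviour to expect from the KQL as written if UPN casing is not consistent between the two tables.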

Details

Matt Zorich

Released: June 18, 2022

Tables

AuditLogs, SigninLogs

Keywords

AuditLogs, SigninLogs

Operators

where, >, ago, ==, and, or, extend, tostring, parse_json, project, join, kind=leftanti, on