KQL Search

Query Details

HomeAI ToolsDevice Query

Blocking SSPR Attempts

Query

id: d52eda99-4510-49a5-b6ad-cb30edaba950
name: Blocked attempts of self-service password reset (SSPR) by user
description: |
  'Identifies when Azure AD SSPR blocks or throttle user attempts to reset password of a user.
  This may indicate a malicious attempt at guessing answers of security questions based on social engineering or stolen personal information.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1110
query: |
  // Get events of SSPR blocked activities within the number of days (timeframe)
  let timeRange = 1d;
  AuditLogs
  | where TimeGenerated >= ago(timeRange)
  | where LoggedByService == "Self-service Password Management" 
  | where OperationName contains "Blocked"
  | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName), SourceIPAddress = tostring(InitiatedBy.user.ipAddress)
  | project timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, OperationName, ResultReason
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0

Explanation

This query identifies when Azure AD blocks or limits user attempts to reset their password using self-service password reset (SSPR). It helps detect potential malicious activities such as guessing security question answers through social engineering or using stolen personal information. The query looks for SSPR blocked activities in the past day and retrieves information such as the user's email address, IP address, operation name, and result reason. The query is triggered when there is at least one blocked activity. It is relevant to the Initial Access and Credential Access tactics and maps to techniques T1078 and T1110.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs

Keywords

Keywords:Blocked,Self-servicePasswordReset,AzureAD,SSPR,AuditLogs,TimeGenerated,LoggedByService,OperationName,Blocked,UserPrincipalName,SourceIPAddress,ResultReason,AccountCustomEntity,IPCustomEntity,FullName,Address.

Operators

whereextendprojectcontainstostringago

Actions