Query Details

Entra Password Resets

Query

AuditLogs
// Only look at the last 90 days of audit events
| where TimeGenerated > ago(90d)
// Self-service resets and user-initiated password changes
| where OperationName has_any ("Reset password (self-service)", "Change user password")
// Keep only operations that actually succeeded
| where Result == "success"
// The account whose password was reset or changed
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend TargetId = TargetResources[0].id
// Note: this column duplicates Target (the UPN), not the object's displayName
| extend DisplayName = tostring(TargetResources[0].userPrincipalName)
// Initiator: the user's UPN when a user performed the operation, otherwise the app's display name
| extend initiator = iff(isempty(parse_json(tostring(InitiatedBy.user)).userPrincipalName), parse_json(tostring(InitiatedBy.app)).displayName, parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// Source IP is only recorded under InitiatedBy.user, so it is empty for app-initiated operations
| extend IPAddress = parse_json(tostring(InitiatedBy.user)).ipAddress

Explanation

This KQL (Kusto Query Language) query is designed to analyze audit logs and identify successful password reset or change operations that occurred within the last 90 days. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by accessing the AuditLogs table.

  2. Time Filter: It filters the logs to include only those generated in the last 90 days.

  3. Operation Filter: It further narrows down the logs to include only those where the operation was either a "Reset password (self-service)" or "Change user password".

  4. Result Filter: It ensures that only successful operations are considered by checking if the Result is "success".

  5. Extract Target Information:

    • It extracts the user principal name (UPN, typically in email format) of the target user whose password was reset or changed and stores it in a new column called Target.
    • It also extracts the ID of the target user and stores it in TargetId.
    • It duplicates the user principal name into another column called DisplayName.

  6. Extract Initiator Information:

    • It determines who initiated the operation. If the operation was initiated by a user, it extracts the user's principal name. If initiated by an application, it extracts the application's display name. This information is stored in a column called initiator.

  7. Extract IP Address: It extracts the IP address from which the operation was initiated and stores it in a column called IPAddress. Because the query reads this value from InitiatedBy.user, the column is empty for operations initiated by an application.

In summary, this query retrieves and organizes information about successful password reset or change operations from the audit logs, including details about the target user, the initiator, and the IP address involved.
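The query above lists each event individually. As an added example (not the original query and not the author's code), the following variant keeps the same filters and the same initiator fallback, then aggregates per initiator and day so that an account or application changing many other users' passwords stands out from ordinary self-service resets. The ChangeType labels and the threshold of five distinct targets are assumptions chosen for illustration, not a tuned baseline for any tenant.

```kql
// Added example: per-initiator aggregation of successful password resets/changes.
// Same AuditLogs schema and OperationName filter as the query above.
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName has_any ("Reset password (self-service)", "Change user password")
| where Result == "success"
| extend Target = tostring(TargetResources[0].userPrincipalName)
// Split the two possible initiator sources into their own columns first,
// so the classification below can inspect them directly
| extend InitiatorUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InitiatorApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend Initiator = iff(isempty(InitiatorUser), InitiatorApp, InitiatorUser)
// Source IP exists only for user-initiated operations; empty for apps
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
// Classify the change: a user changing their own password is the normal case;
// changes made on other accounts, or by an application, warrant review
| extend ChangeType = case(
    isempty(InitiatorUser), "app-initiated",
    InitiatorUser =~ Target, "self",
    "other-user")
// One row per initiator, change type and day
| summarize
    Changes = count(),
    DistinctTargets = dcount(Target),
    Targets = make_set(Target, 20),
    SourceIPs = make_set(IPAddress, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Initiator, ChangeType, Day = bin(TimeGenerated, 1d)
// Drop routine self-service changes; keep changes made on other accounts
| where ChangeType != "self"
// Illustrative threshold (assumption): five or more distinct targets in a day is flagged as bulk
| extend BulkReset = DistinctTargets >= 5
| order by DistinctTargets desc, Changes desc
```

Rows with ChangeType "other-user" show which accounts performed resets on behalf of others and from which IP addresses; "app-initiated" rows show the applications doing so. Compare the Initiator values against the accounts and apps expected to hold password-reset rights before treating a BulkReset row as suspicious.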

Details


Jay Kerai

Released: December 2, 2025

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Result, TargetResources, UserPrincipalName, InitiatedBy, User, App, DisplayName, IPAddress

Operators

AuditLogs, where, ago, has_any, extend, tostring, iff, isempty, parse_json
