Query Details
Identity MFA Registrationfollowedby SSPR
Query
//Detects when a user registers MFA details on their account and then completes self service password reset with a short timeframe
//Data connector required for this query - Azure Active Directory - Signin Logs
//Data connector required for this query - Azure Active Directory - Audit Logs
let timeframe=4h;
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in~ ("User changed default security info", "User registered all required security info", "User registered security info","Admin registered security info")
| extend User = tostring(TargetResources[0].userPrincipalName)
| project SecurityInfoTime=TimeGenerated, User, OperationName
| join kind=inner (
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in ("Reset password (self-service)", "Change password (self-service)")
| where Result == "success"
| extend User = tostring(TargetResources[0].userPrincipalName)
| project PasswordResetTime=TimeGenerated, OperationName, User)
on User
| where (PasswordResetTime - SecurityInfoTime) between (0min .. timeframe)Explanation
This query detects when a user adds multi-factor authentication (MFA) details to their account and then completes a self-service password reset within a short timeframe. It uses two data connectors: Azure Active Directory - Signin Logs and Azure Active Directory - Audit Logs. The query looks for specific operations related to changing or registering security info and password resets. It joins the two sets of logs based on the user and filters for successful password resets that occur within a specified timeframe after the security info registration.
Details
Matt Zorich
Released: July 20, 2023
Tables
AuditLogs
Keywords
User,MFA,Account,PasswordReset,Timeframe
Operators
| where| in~| extend| project| join| kind=inner| on| where| ==| between