Query Details
# Last Password Change User

## Query Information

#### Description
This query lists the last PasswordChangeTime based on Active Directory logs. If you asked a user to perform a password reset, you can use this query to confirm that it was actually performed.

## Defender XDR
```KQL
let UPN = "[email protected]";
IdentityDirectoryEvents
| where ActionType == "Account Password changed"
| where AccountUpn =~ UPN
| summarize arg_max(Timestamp, *) by AccountUpn
| project PasswordChangeTime = Timestamp, Application, AccountDomain, AccountSid, AccountUpn
```

## Sentinel
```KQL
let UPN = "[email protected]";
IdentityDirectoryEvents
| where ActionType == "Account Password changed"
| where AccountUpn =~ UPN
| summarize arg_max(TimeGenerated, *) by AccountUpn
| project PasswordChangeTime = TimeGenerated, Application, AccountDomain, AccountSid, AccountUpn
```

This query is designed to help you verify the last time a specific user changed their password in Active Directory. It does this by checking the logs for any "Account Password changed" actions associated with the user's account. You can use this query to confirm whether a user has reset their password as requested.
Here's a breakdown of the query:
1. **User Identification:** The query focuses on a specific user, identified by their User Principal Name (UPN), which is set to "[email protected]" in this example.
2. **Log Filtering:** It searches through the `IdentityDirectoryEvents` logs for entries where the action type is "Account Password changed" and matches the specified UPN.
3. **Latest Event Selection:** It uses the `arg_max` function to find the most recent password change event for that user.
4. **Data Projection:** Finally, it selects and displays relevant details about the password change event, including the time it occurred (`PasswordChangeTime`), the application involved, the account domain, the account SID, and the account UPN.

This query is useful for administrators who need to confirm that a password change has been executed for a particular user.
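
The query above checks one user. The following added example (not part of the original query set) extends it to several users and compares each user's last change with the time the reset was requested. The UPNs and request times are constructed, and the names `ResetRequests`, `RequestedAt`, `LastChange` and `ResetConfirmed` are hypothetical. It is written for Defender XDR; for Sentinel, replace `Timestamp` with `TimeGenerated`.

```KQL
// Constructed sample input: who was asked to reset, and when (UTC).
let ResetRequests = datatable(AccountUpn: string, RequestedAt: datetime)
[
    "user1@example.com", datetime(2025-04-01 09:00:00),
    "user2@example.com", datetime(2025-04-02 14:30:00)
];
// Most recent password change per requested user, UPN normalised to lower case
// so the join below is effectively case-insensitive (like =~ in the original).
let LastChange = IdentityDirectoryEvents
    | where ActionType == "Account Password changed"
    | extend AccountUpn = tolower(AccountUpn)
    | where AccountUpn in ((ResetRequests | project Upn = tolower(AccountUpn)))
    | summarize PasswordChangeTime = max(Timestamp) by AccountUpn;
// leftouter keeps users with no logged change; their PasswordChangeTime is null.
ResetRequests
| extend AccountUpn = tolower(AccountUpn)
| join kind=leftouter LastChange on AccountUpn
// Confirmed only if a change was logged at or after the request time.
| extend ResetConfirmed = isnotnull(PasswordChangeTime) and PasswordChangeTime >= RequestedAt
| project AccountUpn, RequestedAt, PasswordChangeTime, ResetConfirmed
| sort by ResetConfirmed asc, RequestedAt asc
```

A user with an empty `PasswordChangeTime` has no matching event in the data the table currently retains, which is not the same as proof that the password was never changed.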

Bert-Jan Pals
Released: April 9, 2025