Query Details

Password Reset On High Privileged User

Query

id: c6c052b7-29a8-41d6-89f0-ed1e8ddebb53
name: "Password reset on high privileged user"
version: 1.0.0
kind: Scheduled
description: |-
  The password of a user that is member of a high privileged role was reset.

  Make sure that this action was intended
severity: Medium
queryFrequency: 3h
queryPeriod: 3h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
query: |-
  let HighPrivRoles = dynamic(["Global Administrator", "Company Administrator", "Privileged Authentication Administrator", "Privileged Role Administrator"]);
  AuditLogs
  | where OperationName == "Reset user password"
  | mv-expand TargetResources
  | extend TargetUsername = tostring(TargetResources.userPrincipalName)
  | join kind=innerunique (
      IdentityInfo 
      | where TimeGenerated > ago(14d)
      )
      on $left.TargetUsername == $right.AccountUPN
  | mv-expand AssignedRoles
  | extend AssignedRoles = tostring(AssignedRoles)
  | where AssignedRoles in (HighPrivRoles)
  | summarize by TimeGenerated, TargetUsername, AssignedRoles, OperationName, AADUserId=AccountObjectId
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  AssignedRole: AssignedRoles
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: AADUserId
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUsername
suppressionDuration: 5h

Explanation

This query identifies password resets performed on users who hold a highly privileged Azure AD role. It selects AuditLogs entries whose operation name is "Reset user password", expands TargetResources to obtain the target user's UPN, and joins that UPN against the IdentityInfo table (limited to the last 14 days) to retrieve the user's assigned roles and object ID. It then expands AssignedRoles, keeps only rows whose role appears in the HighPrivRoles list, and summarizes the result by time, target user, role, operation name and AAD user ID. Each alert is mapped to the Account entity by both AADUserId and full name, and the matched role is surfaced as a custom detail. Incidents are created per result and are not grouped with other incidents (grouping is disabled; the configured lookback duration of 5 hours only takes effect if grouping is enabled). The query runs every 3 hours over a 3-hour period, triggers on any result, and has a severity level of Medium.
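The pipeline described above, re-implemented in Python over constructed sample AuditLogs and IdentityInfo rows, as an added example that is not part of this page or of the original rule; the sample UPNs, object IDs and timestamps are made up. It also exercises the two non-alerting paths: a target without a privileged role, and a target whose only IdentityInfo row is older than 14 days.

```python
from datetime import datetime, timedelta

# Same role list as the HighPrivRoles dynamic array in the rule.
HIGH_PRIV_ROLES = {"Global Administrator", "Company Administrator",
                   "Privileged Authentication Administrator",
                   "Privileged Role Administrator"}
NOW = datetime(2023, 7, 25, 12, 0)  # constructed "query time"

# Constructed AuditLogs rows (not real telemetry); TargetResources is an array, as in the real table.
AUDIT_LOGS = [
    {"TimeGenerated": NOW, "OperationName": "Reset user password",
     "TargetResources": [{"userPrincipalName": "admin@example.test"}]},
    {"TimeGenerated": NOW, "OperationName": "Reset user password",
     "TargetResources": [{"userPrincipalName": "dev@example.test"}]},
    {"TimeGenerated": NOW, "OperationName": "Reset user password",
     "TargetResources": [{"userPrincipalName": "stale@example.test"}]},
    {"TimeGenerated": NOW, "OperationName": "Update user",
     "TargetResources": [{"userPrincipalName": "admin@example.test"}]},
]
# Constructed IdentityInfo rows; AssignedRoles is an array per account.
IDENTITY_INFO = [
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "admin@example.test",
     "AccountObjectId": "11111111-0000-0000-0000-000000000001",
     "AssignedRoles": ["Global Administrator", "User Administrator"]},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "dev@example.test",
     "AccountObjectId": "11111111-0000-0000-0000-000000000002",
     "AssignedRoles": ["Directory Readers"]},
    {"TimeGenerated": NOW - timedelta(days=20), "AccountUPN": "stale@example.test",
     "AccountObjectId": "11111111-0000-0000-0000-000000000003",
     "AssignedRoles": ["Global Administrator"]},  # older than 14d: dropped
]

def detect(audit_logs, identity_info, now=NOW):
    """Return the set of (TimeGenerated, TargetUsername, AssignedRoles, AADUserId)
    tuples the rule alerts on, mirroring the KQL pipeline step by step."""
    recent = {}  # IdentityInfo | where TimeGenerated > ago(14d), keyed by UPN
    for row in identity_info:
        if row["TimeGenerated"] > now - timedelta(days=14):
            recent.setdefault(row["AccountUPN"], []).append(row)
    results = set()  # the final summarize-by acts as a distinct
    for ev in audit_logs:
        if ev["OperationName"] != "Reset user password":
            continue
        for target in ev["TargetResources"]:            # mv-expand TargetResources
            upn = str(target.get("userPrincipalName", ""))
            for ident in recent.get(upn, []):            # join on UPN == AccountUPN
                for role in ident["AssignedRoles"]:      # mv-expand AssignedRoles
                    if role in HIGH_PRIV_ROLES:          # exact match, like KQL `in`
                        results.add((ev["TimeGenerated"], upn, role, ident["AccountObjectId"]))
    return results
```

Only the reset on admin@example.test alerts; the role match is exact (KQL `in` is case-sensitive), so the HighPrivRoles strings must match the role names as IdentityInfo records them.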

Details

Fabian Bader

Released: July 25, 2023

Tables

AuditLogs, IdentityInfo
