Query Details

Password Reset On High Privileged User

Query

let HighPrivRoles = dynamic(["Global Administrator", "Company Administrator", "Privileged Authentication Administrator", "Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Reset user password"
| mv-expand TargetResources
| extend TargetUsername = tostring(TargetResources.userPrincipalName)
| join kind=innerunique (
    IdentityInfo 
    | where TimeGenerated > ago(14d)
    )
    on $left.TargetUsername == $right.AccountUPN
| mv-expand AssignedRoles
| extend AssignedRoles = tostring(AssignedRoles)
| where AssignedRoles in (HighPrivRoles)
| summarize by TimeGenerated, TargetUsername, AssignedRoles, OperationName, AADUserId=AccountObjectId

Explanation

This query is used to identify instances where the password of a user in a high privileged role has been reset. It checks the audit logs for the operation "Reset user password" and joins it with the IdentityInfo table to get additional information about the user. It then filters the results to only include users in high privileged roles and summarizes the data by various attributes. If an incident is created, it will not be grouped with other incidents and will have a lookback duration of 5 hours. The query runs every 3 hours and has a severity level of Medium.

Details

Fabian Bader profile picture

Fabian Bader

Released: July 25, 2023

Tables

AuditLogsIdentityInfo

Keywords

PasswordResetHigh Privileged UserMemberRoleActionIntendedAudit LogsOperation NameUser PasswordTarget ResourcesTarget UsernameIdentity InfoTime GeneratedAssigned RolesAAD User IdAccount UPNAccount Object IdIncident ConfigurationGrouping ConfigurationLookback DurationMatching MethodGroup By EntitiesGroup By Alert DetailsGroup By Custom DetailsEvent Grouping SettingsAggregation KindCustom DetailsAssigned RoleEntity MappingsAccountField MappingsIdentifierColumn NameSuppression Duration

Operators

|:=|-dynamicwheremv-expandextendjoinonsummarizeinagosuppressionEnabledcreateIncidentenabledreopenClosedIncidentlookbackDurationmatchingMethodgroupByEntitiesgroupByAlertDetailsgroupByCustomDetailsaggregationKindentityTypefieldMappingsidentifiercolumnNamesuppressionDuration

Severity

Medium

Tactics

PrivilegeEscalation

Frequency: 3h

Period: 3h

Actions

GitHub