Query Details

SSPR Password Reset Initiated via MS Graph

Query

// Detects when a self service password reset has been initiated via MS Graph and is successful

// Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName == "POST UserAuthMethod.ResetPasswordOnPasswordMethods"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, OperationName, Actor, CorrelationId
| join kind=inner
    (AuditLogs
    | where OperationName == "Reset password (by admin)"
    | extend Target = tostring(TargetResources[0].userPrincipalName)
    | where Result == "success"
    )
    on CorrelationId
| project GraphPostTime=TimeGenerated, PasswordResetTime=TimeGenerated1, Actor, Target

Explanation

This query detects when a self-service password reset is initiated through MS Graph and completes successfully. It uses the Azure Active Directory - Audit Logs data connector. The query first retrieves audit log entries whose operation name is "POST UserAuthMethod.ResetPasswordOnPasswordMethods" and extends them with an "Actor" field, the user principal name parsed from InitiatedBy.user, i.e. the user who initiated the reset. It then retrieves entries whose operation name is "Reset password (by admin)" and whose Result is "success", extracting the "Target" from the first entry in TargetResources. The two sets are inner-joined on CorrelationId, so only resets that have a matching Graph POST on the same correlation ID are returned; the right-hand side's TimeGenerated is suffixed by the join as TimeGenerated1. The final result includes the time the Graph POST was made (GraphPostTime), the time the password was reset (PasswordResetTime), the actor (the user who initiated the reset), and the target user.
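To show the correlation logic in a form that can be run offline, here is an added Python example (not part of the original page or the author's query) that replays the same two filters and the inner join on CorrelationId over constructed AuditLogs rows; the row shape, the contoso.example principals and the correlation IDs are assumptions for the sample. It includes a failed reset and an unmatched reset so the two ways an event is dropped are visible.

```python
import json

GRAPH_OP = "POST UserAuthMethod.ResetPasswordOnPasswordMethods"
RESET_OP = "Reset password (by admin)"

# Constructed AuditLogs rows (assumed shape, not real tenant data); only the
# columns the query reads are modelled. InitiatedBy.user is a JSON string, as the
# query's parse_json(tostring(...)) step implies.
def _graph_post(ts, cid, upn):
    return {"TimeGenerated": ts, "CorrelationId": cid, "OperationName": GRAPH_OP,
            "InitiatedBy": {"user": json.dumps({"userPrincipalName": upn})}}

def _admin_reset(ts, cid, upn, result):
    return {"TimeGenerated": ts, "CorrelationId": cid, "OperationName": RESET_OP,
            "TargetResources": [{"userPrincipalName": upn}], "Result": result}

SAMPLE_AUDIT_LOGS = [
    # c-1: Graph POST followed by a successful reset -> should be reported
    _graph_post("2022-06-17T10:00:00Z", "c-1", "alice@contoso.example"),
    _admin_reset("2022-06-17T10:00:02Z", "c-1", "alice@contoso.example", "success"),
    # c-2: Graph POST but the reset failed -> removed by Result == "success"
    _graph_post("2022-06-17T11:00:00Z", "c-2", "bob@contoso.example"),
    _admin_reset("2022-06-17T11:00:01Z", "c-2", "bob@contoso.example", "failure"),
    # c-3: successful reset with no Graph POST (e.g. done in the portal) -> dropped
    # by the inner join
    _admin_reset("2022-06-17T12:00:00Z", "c-3", "carol@contoso.example", "success"),
]

def correlate_graph_resets(rows):
    """Mirror the KQL: left side = Graph POST rows with Actor extracted, right
    side = successful admin resets with Target, inner join on CorrelationId."""
    graph_posts = {}
    for r in rows:
        if r["OperationName"] == GRAPH_OP:
            actor = json.loads(r["InitiatedBy"]["user"])["userPrincipalName"]
            graph_posts.setdefault(r["CorrelationId"], []).append((r["TimeGenerated"], actor))
    results = []
    for r in rows:
        if r["OperationName"] != RESET_OP or r["Result"] != "success":
            continue
        target = r["TargetResources"][0]["userPrincipalName"]
        # inner join: a reset with no Graph POST on the same CorrelationId yields nothing
        for post_time, actor in graph_posts.get(r["CorrelationId"], []):
            results.append({"GraphPostTime": post_time, "PasswordResetTime": r["TimeGenerated"],
                            "Actor": actor, "Target": target})
    return results
```

Running `correlate_graph_resets(SAMPLE_AUDIT_LOGS)` returns only the c-1 pair, which is the same row the KQL projection would produce for that data.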

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs
