Query Details

Security Event Detect Privileged AAD Admin Password Change

Query

//Detects when a user with a privileged Azure AD role has had their on premises Active Directory password changed by someone other than themselves.

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent
//Data connector required for this query - Microsoft Sentinel UEBA

let timeframe=7d;
//First find any users that hold privileged Azure AD roles
IdentityInfo
| where TimeGenerated > ago(21d)
| where isnotempty(AssignedRoles)
| where AssignedRoles != "[]"
| summarize arg_max(TimeGenerated, *) by AccountUPN
| project AccountUPN, AccountName, AccountSID
//Join those users based on AccountSID to on premises Active Directory password reset events
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where EventID == 4724
    | project
        TimeGenerated,
        Activity,
        SubjectAccount,
        TargetAccount,
        TargetSid,
        SubjectUserSid
    )
    on $left.AccountSID == $right.TargetSid
//Exclude resets where the actor and the target are the same account (self-service resets)
| where SubjectUserSid != TargetSid
//Summarize event data to make it easy to read
| project ['Time of Password Reset']=TimeGenerated, Activity, Actor=SubjectAccount, ['Target UserPrincipalName']=AccountUPN, ['Target AccountName']=TargetAccount

Explanation

This query detects when a user with a privileged Azure AD role has had their on-premises Active Directory password changed by someone other than themselves. It first identifies users with privileged Azure AD roles from IdentityInfo (keeping the latest record per UPN), then joins them on their AccountSID to on-premises Active Directory password reset events (EventID 4724), and drops events where the actor and the target are the same account. The query then projects the event data into a few readable columns.
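The same detection logic as an added Python reference implementation run over constructed IdentityInfo and SecurityEvent rows (this is not part of the original query or Matt Zorich's code). It reproduces the non-empty role filter, the latest-row-per-UPN step, the join on SID and the self-reset exclusion; the four constructed events cover one alert, one self-reset, one non-privileged target and one event outside the 7-day window. All SIDs, UPNs and account names are constructed.

```python
from datetime import datetime, timedelta, timezone
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # fixed "now" so the constructed data is stable
ALICE_SID, BOB_SID, HELPDESK_SID = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002", "S-1-5-21-1-1-1-2001"

IDENTITY_INFO = [  # constructed rows; alice appears twice, the newest snapshot wins (arg_max by UPN)
    {"TimeGenerated": NOW - timedelta(days=10), "AccountUPN": "alice@contoso.example",
     "AccountSID": ALICE_SID, "AssignedRoles": '["Global Administrator"]'},
    {"TimeGenerated": NOW - timedelta(days=2), "AccountUPN": "alice@contoso.example",
     "AccountSID": ALICE_SID, "AssignedRoles": '["Privileged Role Administrator"]'},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "bob@contoso.example",
     "AccountSID": BOB_SID, "AssignedRoles": "[]"},
]

def reset_event(hours_ago, actor, actor_sid, target, target_sid):  # constructed 4724 row
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "EventID": 4724,
            "Activity": "4724 - An attempt was made to reset an accounts password.",
            "SubjectAccount": actor, "SubjectUserSid": actor_sid, "TargetAccount": target, "TargetSid": target_sid}

SECURITY_EVENTS = [
    reset_event(5, "CONTOSO\\helpdesk1", HELPDESK_SID, "CONTOSO\\alice", ALICE_SID),       # should alert
    reset_event(4, "CONTOSO\\alice", ALICE_SID, "CONTOSO\\alice", ALICE_SID),              # self-reset
    reset_event(3, "CONTOSO\\helpdesk1", HELPDESK_SID, "CONTOSO\\bob", BOB_SID),           # not privileged
    reset_event(24 * 9, "CONTOSO\\helpdesk1", HELPDESK_SID, "CONTOSO\\alice", ALICE_SID),  # outside 7d
]

def privileged_accounts(identity_rows, now=NOW, lookback=timedelta(days=21)):
    """First half of the query: drop rows with no roles, then keep the newest row per UPN (filter before arg_max, as in the KQL)."""
    latest = {}
    for row in identity_rows:
        if row["TimeGenerated"] <= now - lookback or row["AssignedRoles"] in ("", "[]"):
            continue
        cur = latest.get(row["AccountUPN"])
        if cur is None or row["TimeGenerated"] > cur["TimeGenerated"]:
            latest[row["AccountUPN"]] = row
    return {r["AccountSID"]: r for r in latest.values()}  # keyed by SID for the join

def detect_privileged_resets(identity_rows, events, now=NOW, timeframe=timedelta(days=7)):
    """Second half: inner-join 4724 events on TargetSid and drop resets where actor == target."""
    priv = privileged_accounts(identity_rows, now)
    hits = []
    for ev in events:
        if ev["TimeGenerated"] <= now - timeframe or ev["EventID"] != 4724:
            continue
        target = priv.get(ev["TargetSid"])
        if target is None or ev["SubjectUserSid"] == ev["TargetSid"]:
            continue
        hits.append({"Time of Password Reset": ev["TimeGenerated"], "Activity": ev["Activity"], "Actor": ev["SubjectAccount"],
                     "Target UserPrincipalName": target["AccountUPN"], "Target AccountName": ev["TargetAccount"]})
    return hits
```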

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, SecurityEvent

Keywords

Devices, Intune, User

Operators

where, isnotempty, !=, summarize, arg_max, by, project, join, kind=inner, where, ==, on, $left., $right., where, !=, project
