Password Reset On High Privileged User
Query
let HighPrivRoles = dynamic(["Global Administrator", "Company Administrator", "Privileged Authentication Administrator", "Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Reset user password"
| mv-expand TargetResources
| extend TargetUsername = tostring(TargetResources.userPrincipalName)
| join kind=innerunique (
IdentityInfo
| where TimeGenerated > ago(14d)
)
on $left.TargetUsername == $right.AccountUPN
| mv-expand AssignedRoles
| extend AssignedRoles = tostring(AssignedRoles)
| where AssignedRoles in (HighPrivRoles)
| summarize by TimeGenerated, TargetUsername, AssignedRoles, OperationName, AADUserId=AccountObjectIdExplanation
This query is used to identify instances where the password of a user in a high privileged role has been reset. It checks the audit logs for the operation "Reset user password" and joins it with the IdentityInfo table to get additional information about the user. It then filters the results to only include users in high privileged roles and summarizes the data by various attributes. If an incident is created, it will not be grouped with other incidents and will have a lookback duration of 5 hours. The query runs every 3 hours and has a severity level of Medium.
Details

Fabian Bader
Released: July 25, 2023
Tables
AuditLogsIdentityInfo
Keywords
PasswordResetHigh Privileged UserMemberRoleActionIntendedAudit LogsOperation NameUser PasswordTarget ResourcesTarget UsernameIdentity InfoTime GeneratedAssigned RolesAAD User IdAccount UPNAccount Object IdIncident ConfigurationGrouping ConfigurationLookback DurationMatching MethodGroup By EntitiesGroup By Alert DetailsGroup By Custom DetailsEvent Grouping SettingsAggregation KindCustom DetailsAssigned RoleEntity MappingsAccountField MappingsIdentifierColumn NameSuppression Duration
Operators
|:=|-dynamicwheremv-expandextendjoinonsummarizeinagosuppressionEnabledcreateIncidentenabledreopenClosedIncidentlookbackDurationmatchingMethodgroupByEntitiesgroupByAlertDetailsgroupByCustomDetailsaggregationKindentityTypefieldMappingsidentifiercolumnNamesuppressionDuration
Severity
MediumTactics
PrivilegeEscalation
Frequency: 3h
Period: 3h