SOLVED
Home

Passwords from AAD - not visible?

%3CLINGO-SUB%20id%3D%22lingo-sub-709662%22%20slang%3D%22en-US%22%3EPasswords%20from%20AAD%20-%20not%20visible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-709662%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20trying%20to%20drill%20in%20Password%20information%20in%20Sentinel%20and%20when%20searching%20the%20Schema%20it%20comes%20up%20with%20a%20list%20focused%20on%20AADDomainServices...%26nbsp%3B%20and%20yet%20we%20can%20see%20that%20both%20Azure%20Active%20Directory%20%26amp%3B%20the%20Azure%20Activity%20connecters%20are%20connected%20and%20providing%20data%20-%20is%20there%20something%20we%20are%20missing%20here%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20253px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119864iE4048C18081B77C6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Sentinel_Schema.JPG%22%20title%3D%22Sentinel_Schema.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-715301%22%20slang%3D%22en-US%22%3ERe%3A%20Passwords%20from%20AAD%20-%20not%20visible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-715301%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fazure-monitor%2Flog-query%2Flogs-structure%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fazure-monitor%2Flog-query%2Flogs-structure%3C%2FA%3E%20The%20data%20is%20from%20two%20sources%2C%20one%20AAD%20one%20from%20Azure%20Security%20Center%20(SecurityInsights)%2C%20the%20column%20names%20happen%20to%20be%20the%20same.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-716181%22%20slang%3D%22en-US%22%3ERe%3A%20Passwords%20from%20AAD%20-%20not%20visible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-716181%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20already%20have%20AAD%20connected%20then%20how%20come%20I%20can't%20find%20it%20returning%20any%20details%20at%20all%3F%20%3B-(%3C%2FP%3E%3CP%3EI'd%20like%20to%20be%20able%20to%20do%20a%20quick%20check%20on%20%22PasswordLastSet%22%20and%20in%20the%20end%20I've%20had%20to%20resort%20to%20Powershell%20instead%20of%20Sentinel%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

I am trying to drill in Password information in Sentinel and when searching the Schema it comes up with a list focused on AADDomainServices...  and yet we can see that both Azure Active Directory & the Azure Activity connecters are connected and providing data - is there something we are missing here?

 

Sentinel_Schema.JPG

2 Replies
Solution
https://docs.microsoft.com/en-gb/azure/azure-monitor/log-query/logs-structure The data is from two sources, one AAD one from Azure Security Center (SecurityInsights), the column names happen to be the same.

Thanks @Clive Watson,

 

If I already have AAD connected then how come I can't find it returning any details at all? ;-(

I'd like to be able to do a quick check on "PasswordLastSet" and in the end I've had to resort to Powershell instead of Sentinel 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies