SOLVED

Passwords from AAD - not visible?

%3CLINGO-SUB%20id%3D%22lingo-sub-709662%22%20slang%3D%22en-US%22%3EPasswords%20from%20AAD%20-%20not%20visible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-709662%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20trying%20to%20drill%20in%20Password%20information%20in%20Sentinel%20and%20when%20searching%20the%20Schema%20it%20comes%20up%20with%20a%20list%20focused%20on%20AADDomainServices...%26nbsp%3B%20and%20yet%20we%20can%20see%20that%20both%20Azure%20Active%20Directory%20%26amp%3B%20the%20Azure%20Activity%20connecters%20are%20connected%20and%20providing%20data%20-%20is%20there%20something%20we%20are%20missing%20here%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20253px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F119864iE4048C18081B77C6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Sentinel_Schema.JPG%22%20title%3D%22Sentinel_Schema.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-715301%22%20slang%3D%22en-US%22%3ERe%3A%20Passwords%20from%20AAD%20-%20not%20visible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-715301%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fazure-monitor%2Flog-query%2Flogs-structure%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fazure-monitor%2Flog-query%2Flogs-structure%3C%2FA%3E%20The%20data%20is%20from%20two%20sources%2C%20one%20AAD%20one%20from%20Azure%20Security%20Center%20(SecurityInsights)%2C%20the%20column%20names%20happen%20to%20be%20the%20same.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-716181%22%20slang%3D%22en-US%22%3ERe%3A%20Passwords%20from%20AAD%20-%20not%20visible%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-716181%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20already%20have%20AAD%20connected%20then%20how%20come%20I%20can't%20find%20it%20returning%20any%20details%20at%20all%3F%20%3B-(%3C%2FP%3E%3CP%3EI'd%20like%20to%20be%20able%20to%20do%20a%20quick%20check%20on%20%22PasswordLastSet%22%20and%20in%20the%20end%20I've%20had%20to%20resort%20to%20Powershell%20instead%20of%20Sentinel%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

I am trying to drill in Password information in Sentinel and when searching the Schema it comes up with a list focused on AADDomainServices...  and yet we can see that both Azure Active Directory & the Azure Activity connecters are connected and providing data - is there something we are missing here?

 

Sentinel_Schema.JPG

2 Replies
Highlighted
Best Response confirmed by David Caddick (Frequent Contributor)
Solution
https://docs.microsoft.com/en-gb/azure/azure-monitor/log-query/logs-structure The data is from two sources, one AAD one from Azure Security Center (SecurityInsights), the column names happen to be the same.
Highlighted

Thanks @Clive Watson,

 

If I already have AAD connected then how come I can't find it returning any details at all? ;-(

I'd like to be able to do a quick check on "PasswordLastSet" and in the end I've had to resort to Powershell instead of Sentinel