SOLVED

Passwords from AAD - not visible?

Frequent Contributor

I am trying to drill in Password information in Sentinel and when searching the Schema it comes up with a list focused on AADDomainServices...  and yet we can see that both Azure Active Directory & the Azure Activity connecters are connected and providing data - is there something we are missing here?

 

Sentinel_Schema.JPG

2 Replies
best response confirmed by David Caddick (Frequent Contributor)
Solution
https://docs.microsoft.com/en-gb/azure/azure-monitor/log-query/logs-structure The data is from two sources, one AAD one from Azure Security Center (SecurityInsights), the column names happen to be the same.

Thanks @CliveWatson,

 

If I already have AAD connected then how come I can't find it returning any details at all? ;-(

I'd like to be able to do a quick check on "PasswordLastSet" and in the end I've had to resort to Powershell instead of Sentinel