We’re thrilled to share that you can now hunt for threats using events on your domain controller with advanced hunting in Microsoft Threat Protection.
The new IdentityDirectoryEvents table—available in public preview—incorporates data from the Azure Advanced Threat Protection (Azure ATP) sensor, including various identity-related activities, such as account password changes or remote creation of scheduled tasks on the domain controller.
In general, the table captures three categories of events on your domain controller:
Remote code execution
Changes to attributes of Active Directory objects, including groups, users, and devices
Other activities performed against the directory, such as replication or SMB session enumeration
You can get the full list of supported events or action types in the in-portal reference.
//Find the latest password change event for a specific account let userAccount = '<insert your user account>'; let deviceAccount = '<insert your device account>'; IdentityDirectoryEvents | where ActionType == "Account Password changed" | where TargetAccountDisplayName == userAccount //If you are looking for last password change of a device account comment the above row and remove comment from the below row //| where TargetDeviceName == deviceAccount | summarize LastPasswordChangeTime = max(Timestamp) by TargetAccountDisplayName // or change to TargetDeviceName for device account