← Back to Explore
kqlHunting
Audit User tries to change password to a non-complying password
use to tune threshold
Detection Query
AuditLogs
| where OperationName == "Change password (self-service)"
| where ResultDescription == "PasswordDoesnotComplyFuzzyPolicy"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| summarize count() by User
| where count_ > 1 //use to tune thresholdData Sources
AuditLogs
Platforms
azure-ad
Tags
entra
Raw Content
AuditLogs
| where OperationName == "Change password (self-service)"
| where ResultDescription == "PasswordDoesnotComplyFuzzyPolicy"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| summarize count() by User
| where count_ > 1 //use to tune threshold