Azure AD Password Protection
About
Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization.
Product Details
Vendor URL: Azure AD Password Protection
Product Type: IAM
Product Tier: Tier III
Integration Method: Syslog
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: AZURE_AD_PASSWORD_PROTECTION
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| AccountName | principal.user.userid |
| AccountType | principal.user.attribute.roles |
| ActivityID | security_result.detection_fields |
| Domain | principal.user.group_identifiers |
| EventID | metadata.product_event_type |
| ExecutionProcessID | principal.process.pid |
| ExecutionThreadID | principal.process.parent_process.pid |
| FullName | target.user.user_display_name |
| Hostname | principal.hostname |
| Message | metadata.description |
| ProviderGuid | metadata.product_log_id |
| RecordNumber | observer.asset.product_object_id |
| Severity | security_result.severity_details |
| SourceModuleName | principal.resource.name |
| SourceModuleType | principal.resource.resource_subtype |
| SourceName | observer.application |
| UserID | principal.user.windows_sid |
| UserName | target.user.userid |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| All | USER_CHANGE_PASSWORD |
| Generic | GENERIC_EVENT |
Log Sample

```json
{"EventTime":"2024-10-07T16:00:27.845108-04:00","Hostname":"EXAMPLE.company.local","Keywords":"0x8000000000000000","LevelValue":4,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":10014,"SourceName":"Microsoft-AzureADPasswordProtection-DCAgent","ProviderGuid":"{ABC123A0-ABCD-123A-123B-1234ABC5678}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3981,"ActivityID":"{53B068F0-E37E-4ABE-B70F-123456789910}","ExecutionProcessID":852,"ExecutionThreadID":11628,"Channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The changed password for the specified user was validated as compliant with the current Azure password policy.\r\n \r\n UserName: janedoe\r\n FullName: Jane Doe\r\n","Opcode":"Info","Level":"Information","Data1":"janedoe","Data2":"Jane Doe","EventReceivedTime":"2024-10-07T16:00:29.389369-04:00","SourceModuleName":"azure_ad_pass_protection","SourceModuleType":"im_msvistalog","TimeZone":"Eastern Daylight Time","TimeZoneOffset":"-0400"}
```
Sample Parsing
metadata.description = "The changed password for the specified user was validated as compliant with the current Azure password policy.\r\n \r\n UserName: janedoe\r\n FullName: Jane Doe\r\n"
metadata.event_type = "USER_CHANGE_PASSWORD"
metadata.log_type = "AZURE_AD_PASSWORD_PROTECTION"
metadata.product_event_type = "10014"
metadata.product_log_id = "{ABC123A0-ABCD-123A-123B-1234ABC5678}"
metadata.product_name = "Azure AD Password Protection"
metadata.vendor_name = "Microsoft"
observer.application = "Microsoft-AzureADPasswordProtection-DCAgent"
observer.asset.product_object_id = "3981"
principal.hostname = "EXAMPLE.company.local"
principal.process.parent_process.pid = "11628"
principal.process.pid = "852"
principal.resource.name = "azure_ad_pass_protection"
principal.resource.resource_subtype = "im_msvistalog"
principal.user.attribute.roles.name = "User"
principal.user.group_identifiers = "NT AUTHORITY"
principal.user.userid = "SYSTEM"
principal.user.windows_sid = "S-1-5-18"
security_result.detection_fields.value = "{53B068F0-E37E-4ABE-B70F-123456789910}"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "INFO"
target.user.user_display_name = "Jane Doe"
target.user.userid = "janedoe"
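The following is an added example, not the parser documented on this page, showing how the field mapping table and the sample parsing above fit together: it reads the page's log sample as a JSON line, copies each mapped field to its dotted UDM path, pulls `UserName` and `FullName` out of the `Message` text (the page maps them to `target.user.userid` and `target.user.user_display_name`), and sets the event classification. Two things are assumptions rather than page content: the rule that an event whose message carries no `UserName` falls into the `GENERIC_EVENT` bucket, and the `UNKNOWN_SEVERITY` default for any severity other than the `INFO` → `INFORMATIONAL` pairing the sample shows.

```python
import json
import re

# Constructed sample: a copy of the log line shown on this page. A raw string keeps
# the JSON escapes (\r\n) intact so json.loads turns them into real CR/LF.
SAMPLE_LOG = r'''{"EventTime":"2024-10-07T16:00:27.845108-04:00","Hostname":"EXAMPLE.company.local","Keywords":"0x8000000000000000","LevelValue":4,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":10014,"SourceName":"Microsoft-AzureADPasswordProtection-DCAgent","ProviderGuid":"{ABC123A0-ABCD-123A-123B-1234ABC5678}","Version":0,"TaskValue":0,"OpcodeValue":0,"RecordNumber":3981,"ActivityID":"{53B068F0-E37E-4ABE-B70F-123456789910}","ExecutionProcessID":852,"ExecutionThreadID":11628,"Channel":"Microsoft-AzureADPasswordProtection-DCAgent/Admin","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"The changed password for the specified user was validated as compliant with the current Azure password policy.\r\n \r\n UserName: janedoe\r\n FullName: Jane Doe\r\n","Opcode":"Info","Level":"Information","Data1":"janedoe","Data2":"Jane Doe","EventReceivedTime":"2024-10-07T16:00:29.389369-04:00","SourceModuleName":"azure_ad_pass_protection","SourceModuleType":"im_msvistalog","TimeZone":"Eastern Daylight Time","TimeZoneOffset":"-0400"}'''

# Direct copies from the page's "UDM Fields" table. The two repeated-field paths
# (.roles.name, .detection_fields.value) follow the "Sample Parsing" section.
FIELD_MAP = {
    "AccountName": "principal.user.userid",
    "AccountType": "principal.user.attribute.roles.name",
    "ActivityID": "security_result.detection_fields.value",
    "Domain": "principal.user.group_identifiers",
    "EventID": "metadata.product_event_type",
    "ExecutionProcessID": "principal.process.pid",
    "ExecutionThreadID": "principal.process.parent_process.pid",  # as the page's table maps it
    "Hostname": "principal.hostname",
    "Message": "metadata.description",
    "ProviderGuid": "metadata.product_log_id",
    "RecordNumber": "observer.asset.product_object_id",
    "Severity": "security_result.severity_details",
    "SourceModuleName": "principal.resource.name",
    "SourceModuleType": "principal.resource.resource_subtype",
    "SourceName": "observer.application",
    "UserID": "principal.user.windows_sid",
}

# Only the INFO -> INFORMATIONAL pairing is on the page; anything else falls back to
# UNKNOWN_SEVERITY (assumption, not page content).
SEVERITY_MAP = {"INFO": "INFORMATIONAL"}


def parse_event(raw_line: str) -> dict:
    """Normalize one JSON log line into a flat {udm.path: value} dict."""
    rec = json.loads(raw_line)

    # Constants the sample parsing shows for every event from this source.
    udm = {
        "metadata.log_type": "AZURE_AD_PASSWORD_PROTECTION",
        "metadata.product_name": "Azure AD Password Protection",
        "metadata.vendor_name": "Microsoft",
    }

    # One-to-one copies; everything is stored as a string, as the sample parsing shows.
    for src, dst in FIELD_MAP.items():
        if src in rec and rec[src] not in ("", None):
            udm[dst] = str(rec[src])

    # UserName / FullName live inside the free-text Message block.
    message = rec.get("Message", "")
    user = re.search(r"UserName:\s*(\S+)", message)
    full = re.search(r"FullName:\s*([^\r\n]+)", message)
    if user:
        udm["target.user.userid"] = user.group(1)
    if full:
        udm["target.user.user_display_name"] = full.group(1).strip()

    udm["security_result.severity"] = SEVERITY_MAP.get(
        str(rec.get("Severity", "")).upper(), "UNKNOWN_SEVERITY"
    )

    # Assumption: a message that names a user is a password-change validation
    # (USER_CHANGE_PASSWORD); anything else goes to the GENERIC_EVENT bucket.
    udm["metadata.event_type"] = "USER_CHANGE_PASSWORD" if user else "GENERIC_EVENT"
    return udm


if __name__ == "__main__":
    print(json.dumps(parse_event(SAMPLE_LOG), indent=2, sort_keys=True))
```

Running the block prints the same field set as the Sample Parsing section; the `Data1`/`Data2` keys in the raw event carry the same user values and could serve as a fallback when the message text is truncated.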