Create SEM Connector for Azure AD Password Protection Logs

Microsoft has released Azure AD Password Protection as a way to enforce an enhanced password policy. Currently we are utilizing this to check passwords against known compromised passwords (provided by Microsoft) and a custom banned password list. Microsoft has provided an agent that is run on every DC for this to work and collects logs regarding successful or failed attempts. I would like SEM to have these logs available to make it easier for the Security Team to find the logs instead of digging into each DC. Also, this would be helpful because we could alert on passwords being changed to known compromised passwords.

I opened a case with Support: Case # - 00321136

Azure AD Password Protection stores the logs here: \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin
These events are the most helpful (the 1001x/1002x IDs are the summary events, the 300xx IDs carry the policy detail):

Outcome                                                                    | Password change | Password set
---------------------------------------------------------------------------|-----------------|-------------
Pass                                                                       | 10014           | 10015
Fail (due to customer password policy)                                     | 10016, 30002    | 10017, 30003
Fail (due to Microsoft password policy)                                    | 10016, 30004    | 10017, 30005
Fail (due to combined Microsoft and customer password policies)            | 10016, 30026    | 10017, 30027
Audit-only Pass (would have failed customer password policy)               | 10024, 30008    | 10025, 30007
Audit-only Pass (would have failed Microsoft password policy)              | 10024, 30010    | 10025, 30009
Audit-only Pass (would have failed combined Microsoft and customer policies) | 10024, 30028  | 10025, 30029


Log Location is: C:\Windows\System32\winevt\Logs\Microsoft-AzureADPasswordProtection-DCAgent%4Admin.evtx

Example of XML Export:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-AzureADPasswordProtection-DCAgent" Guid="{FCE041B2-EACD-48A2-8E09-4D5D43C0FF69}" />
    <EventID>10015</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-05-29T13:36:24.434526600Z" />
    <EventRecordID>2339</EventRecordID>
    <Correlation ActivityID="{5EBC11EF-B8AF-47D2-A732-637B174A9AFA}" />
    <Execution ProcessID="576" ThreadID="4720" />
    <Channel>Microsoft-AzureADPasswordProtection-DCAgent/Admin</Channel>
    <Computer>DC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Data1">samaccountname</Data>
    <Data Name="Data2">display name</Data>
  </EventData>
</Event>
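The following is an added example, not part of the original post or of any SolarWinds connector: a small Python parser that reads a DCAgent/Admin event in the XML export format shown above, pulls out the event ID, DC name, timestamp and the samaccountname/display name from Data1/Data2, and maps the event ID to the operation and outcome from the table. Event IDs that the table does not list are returned as "Unmatched event ID" rather than dropped, which is the situation the later comment describes as InternalNewToolData. The alert set is an assumption: it flags audit-only passes where the password matched the Microsoft banned list (alone or combined with the customer list), since that is the "password changed to a known compromised password" case the post wants to alert on. The sample event built by make_event is constructed from the export above.

```python
import xml.etree.ElementTree as ET

# Windows event schema namespace, as in the XML export in the post.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event ID -> (operation, outcome), transcribed from the table in the post.
# 1001x/1002x are the summary events, 300xx are the policy-detail events.
EVENT_MAP = {
    10014: ("Password change", "Pass"),
    10015: ("Password set", "Pass"),
    10016: ("Password change", "Fail"),
    10017: ("Password set", "Fail"),
    10024: ("Password change", "Audit-only Pass"),
    10025: ("Password set", "Audit-only Pass"),
    30002: ("Password change", "Fail (customer password policy)"),
    30003: ("Password set", "Fail (customer password policy)"),
    30004: ("Password change", "Fail (Microsoft password policy)"),
    30005: ("Password set", "Fail (Microsoft password policy)"),
    30026: ("Password change", "Fail (combined Microsoft and customer policies)"),
    30027: ("Password set", "Fail (combined Microsoft and customer policies)"),
    30008: ("Password change", "Audit-only Pass (would have failed customer policy)"),
    30007: ("Password set", "Audit-only Pass (would have failed customer policy)"),
    30010: ("Password change", "Audit-only Pass (would have failed Microsoft policy)"),
    30009: ("Password set", "Audit-only Pass (would have failed Microsoft policy)"),
    30028: ("Password change", "Audit-only Pass (would have failed combined policies)"),
    30029: ("Password set", "Audit-only Pass (would have failed combined policies)"),
}

# Assumption (not from the post): audit-only passes where the password hit the
# Microsoft global banned list. In audit mode the password was accepted, so the
# account is now using a known-bad password and deserves an alert.
ALERT_IDS = {30009, 30010, 30028, 30029}


def make_event(event_id, account, display_name, computer="DC"):
    """Build a constructed DCAgent/Admin event in the export format from the post."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-AzureADPasswordProtection-DCAgent" />
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="2019-05-29T13:36:24.434526600Z" />
    <Channel>Microsoft-AzureADPasswordProtection-DCAgent/Admin</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="Data1">{account}</Data>
    <Data Name="Data2">{display_name}</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Parse one event XML document into a flat, normalized record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    operation, outcome = EVENT_MAP.get(event_id, ("Unknown", "Unmatched event ID"))
    return {
        "event_id": event_id,
        "computer": system.find("e:Computer", NS).text,
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "account": data.get("Data1"),
        "display_name": data.get("Data2"),
        "operation": operation,
        "outcome": outcome,
        "alert": event_id in ALERT_IDS,
    }


def alerts(events_xml):
    """Return the normalized records that should raise an alert, in input order."""
    return [rec for rec in map(parse_event, events_xml) if rec["alert"]]


if __name__ == "__main__":
    sample = [
        make_event(10015, "jdoe", "Jane Doe"),
        make_event(30010, "jdoe", "Jane Doe"),
        make_event(30002, "asmith", "Al Smith", computer="DC2"),
    ]
    for rec in map(parse_event, sample):
        print(rec["time"], rec["computer"], rec["account"], rec["operation"], rec["outcome"],
              "ALERT" if rec["alert"] else "")
```

Because unmatched IDs are kept with an explicit "Unmatched event ID" outcome, the same records can be exported as the sample that support asks for when the connector needs updating.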

3 Comments
Product Manager

These logs are now covered by the Microsoft Azure AD Password Protection connector.

Level 8

I am still getting raw, not normalized, logs in SEM. I applied the registry key mentioned in the article, but how do I fix this?

Product Manager

InternalNewToolData generally indicates the connector needs a minor update, as events are being received that we aren't familiar with. The best path is to raise a support ticket and supply a sample of the unmatched events. If you can upgrade to SEM 2019.4, there's a 'New Unmatched Connector Data' filter which you can export to a CSV and provide the CSV as a sample.