Kusto Query searching for when an Entra ID user account has been enabled and after that, the password has been reset on that account

Mark Summers 20 Reputation points
2024-02-13T10:15:43.98+00:00

I am trying to write a Kusto query to search for when a user account has been enabled and, after that, the password has been reset on that account. I have got this far, but I am still not sure if this is right. I would love someone to help me, please!

let EnableEvents = AuditLogs
    | where OperationName == "Enable account"
    | extend Initiatedby = InitiatedBy.user.userPrincipalName  
    | project TimeGenerated, InitiatedBy = InitiatedBy.user.userPrincipalName;
let ResetEvents = AuditLogs
    | where OperationName in ("Change user password", "Change password (self-service)")
    | extend Initiatedby = InitiatedBy.user.userPrincipalName  
    | project TimeGenerated, InitiatedBy = InitiatedBy.user.userPrincipalName;
EnableEvents
| join kind=inner ResetEvents on $left.Initiatedby == $right.Initiatedby
| where TimeGenerated > TimeGenerated
| project
    EnableTime = TimeGenerated,
    ResetTime = TimeGenerated,
    InitiatedBy = EnableEvents.InitiatedBy

Accepted answer
Givary-MSFT 27,966 Reputation points Microsoft Employee
    2024-02-14T08:03:56.6+00:00

    @Mark Summers Thank you for reaching out to us. As I understand, you are looking for KQL to achieve this: when an Entra ID user account has been enabled and, after that, the password has been reset on that account. I worked with my colleague; here is the KQL query which can help you achieve your ask.

    let EnableEvents = AuditLogs
        | where OperationName == "Enable account"
        | mv-expand TargetResources
        | extend a = tostring(TargetResources.userPrincipalName)
        | project TimeGenerated, a;
    let ResetEvents = AuditLogs
        | where OperationName in ("Change user password", "Change password (self-service)")
        | extend b = tostring(InitiatedBy.user.userPrincipalName)
        | project TimeGenerated, b;
    EnableEvents
    | where TimeGenerated > ago(7d)
    | join kind=inner ResetEvents on $left.a == $right.b
    | extend EnableTime = todatetime(TimeGenerated), ResetTime = todatetime(TimeGenerated1)
    | where TimeGenerated < TimeGenerated1
    | project EnableTime, ResetTime, a

    I have tested the same in my tenant and it is working as expected. Let me know if you have any further questions; feel free to post back. Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

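The accepted answer keys the join on the account that was enabled (from `TargetResources`) against the initiator of the password change (from `InitiatedBy`), which matches self-service changes where the user acts on their own account. A variant that keys both sides on the target account catches the case a defender usually cares about more, an admin (or automation) enabling a dormant account and then resetting its password, and it bounds the gap between the two events so unrelated resets weeks later do not surface. The query below is an added example and is not code from the question, the accepted answer or Microsoft; it assumes the standard Microsoft Sentinel `AuditLogs` schema (`TimeGenerated`, `OperationName`, `Result`, `CorrelationId`, `TargetResources`, `InitiatedBy`). The 7d lookback, the 24h maximum gap and the extra "Reset user password" operation name are tuning values to verify against your own tenant's audit data, not values from the thread.

```kusto
// Added example, not the code from the question or the accepted answer.
// Assumptions: Sentinel AuditLogs with the standard Entra ID audit schema.
// lookback, maxGap and "Reset user password" are constructed tuning values;
// confirm the OperationName values against your tenant before relying on them.
let lookback = 7d;
let maxGap = 24h;
// Account enablements, keyed on the account that was enabled (the target),
// not on who enabled it.
let EnableEvents = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Enable account" and Result == "success"
    | mv-expand TargetResources
    | extend TargetUpn = tolower(tostring(TargetResources.userPrincipalName))
    | where isnotempty(TargetUpn)
    | extend EnabledBy = coalesce(
          tostring(InitiatedBy.user.userPrincipalName),   // human actor
          tostring(InitiatedBy.app.displayName))          // service principal / automation
    | project EnableTime = TimeGenerated, TargetUpn, EnabledBy,
              EnableCorrelationId = CorrelationId;
// Password changes and resets, also keyed on the target account, so an admin
// resetting someone else's password is matched as well as a self-service change.
let ResetEvents = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in ("Change user password",
                              "Reset user password",
                              "Change password (self-service)")
        and Result == "success"
    | mv-expand TargetResources
    | extend TargetUpn = tolower(tostring(TargetResources.userPrincipalName))
    | where isnotempty(TargetUpn)
    | extend ResetBy = coalesce(
          tostring(InitiatedBy.user.userPrincipalName),
          tostring(InitiatedBy.app.displayName))
    | project ResetTime = TimeGenerated, TargetUpn, ResetBy,
              ResetOperation = OperationName, ResetCorrelationId = CorrelationId;
EnableEvents
| join kind=inner ResetEvents on TargetUpn
| project-away TargetUpn1
// Keep only resets that happen after the enablement and within the gap window;
// a reset that precedes the enable is a different sequence and is dropped.
| where ResetTime between (EnableTime .. (EnableTime + maxGap))
// One row per enablement: the first reset that followed it.
| summarize arg_min(ResetTime, *) by TargetUpn, EnableTime
| extend GapMinutes = datetime_diff('minute', ResetTime, EnableTime)
| project EnableTime, ResetTime, GapMinutes, TargetUpn, EnabledBy, ResetBy,
          ResetOperation, EnableCorrelationId, ResetCorrelationId
| order by EnableTime desc
```

The `EnabledBy` / `ResetBy` pair is what makes the result triageable: an enable and a reset performed by the same admin within minutes is routine onboarding, while an enable by one identity and a reset by another, or by a service principal that does not normally touch passwords, is the row worth opening. The two `CorrelationId` values let the analyst pivot straight back to the full audit records for each half of the sequence.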
