Greg Vedders
  • About
  • Tags
  • Posts

Leaked Credentials Search in Microsoft Sentinel

How to search Microsoft Sentinel for leaked credentials

posts
December 30, 2020 • 1 min read • 111 words

Microsoft Sentinel is a great way to get a handle on your security infrastructure. One of the items that Microsoft Security does an excellent job of is scouring the web for evidence of reused credentials being leaked through a third-party service. While you can manually go through all of the alerts located in the portal.cloudappsecurity.com, an easier way to bring this data forward is with the search below:

SecurityAlert\
| summarize arg_max(TimeGenerated, \*) by SystemAlertId\
| where AlertType == "LeakedCredentials"\
| project TimeGenerated, AlertType, Compromised Entity

The results can be tweaked by time and date. You can also build on this search to automate playbook actions within the Microsoft Sentinel environment.

Share this post
← Older How to Post to Twitter From PHP Newer → Phish vs Spam vs Total O365 Email in Microsoft Sentinel

About

Greg Vedders writes about information security, troubleshooting, photography, and the occasional unexpected fix.

Recent Posts

  • Automating CatPosters.us With a Gemini and WordPress Bot
  • Teaching Git: What I Covered in Class
  • Introducing Signage Suite — Self-Hosted Wall Displays in PHP
  • Rebuilding gregvedders.com Without a Hugo Theme
  • Hardening a Public Honeypot Server

Tags

Security Microsoft Sentinel Microsoft

Related Posts

  • Logon and Logoff Times for Windows Users (Splunk)
© Greg Vedders 2026