Leaked Credentials Search in Microsoft Sentinel
By Greg Vedders
Microsoft Sentinel is a great way to get a handle on your security infrastructure. One thing Microsoft Security does an excellent job of is scouring the web for evidence of reused credentials that have been leaked through a third-party service. While you can manually go through all of the alerts in portal.cloudappsecurity.com, an easier way to bring this data forward is with the search below:
```kusto
SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId   // keep only the latest record for each alert
| where AlertType == "LeakedCredentials"
| project TimeGenerated, AlertType, CompromisedEntity
```
The results can be narrowed by time range. You can also build on this search to automate playbook actions within the Microsoft Sentinel environment.
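As an added example that is not part of the original post, the following query builds on the base search by bounding it to a time window, dropping alerts that have already been closed, and rolling the remaining alerts up per affected account so that repeat offenders surface first. `TimeGenerated`, `SystemAlertId`, `AlertType`, `CompromisedEntity`, `AlertSeverity` and `Status` are standard `SecurityAlert` columns; the 30-day lookback and the `"Resolved"` status value are assumptions to adjust for your tenant.

```kusto
// Added example, not from the original post.
// Assumptions: 30-day lookback; "Resolved" is the status your tenant uses for closed alerts.
let lookback = 30d;
SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize arg_max(TimeGenerated, *) by SystemAlertId   // latest copy of each alert only
| where AlertType == "LeakedCredentials"
| where Status != "Resolved"                              // ignore alerts already closed
| summarize
    AlertCount = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Severity   = max(AlertSeverity)
    by CompromisedEntity
| order by AlertCount desc, LastSeen desc
```

Ordering by `AlertCount` and `LastSeen` gives a short list of accounts to prioritise for a password reset and session revocation; the same query can be dropped into an analytics rule so that a playbook receives the affected entity as an input.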