Password Reset By User Account
Detect when a user has reset their password in Azure AD
Sigma rule (View on GitHub)
1title: Password Reset By User Account
2id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa
3status: test
4description: Detect when a user has reset their password in Azure AD
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
7author: YochanaHenderson, '@Yochana-H'
8date: 2022-08-03
9tags:
10 - attack.persistence
11 - attack.credential-access
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 Category: 'UserManagement'
19 Status: 'Success'
20 Initiatedby: 'UPN'
21 filter:
22 Target|contains: 'UPN'
23 ActivityType|contains: 'Password reset'
24 condition: selection and filter
25falsepositives:
26 - If this was approved by System Administrator or confirmed user action.
27level: medium
References
-
Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.
Read More
Related rules
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation