Password Reset By User Account

calendar Oct 23, 2025 · attack.privilege-escalation attack.initial-access attack.defense-evasion attack.persistence attack.credential-access attack.t1078.004  ·
Share on: linkedin copy

Detect when a user has reset their password in Azure AD

Sigma rule (View on GitHub)

 1title: Password Reset By User Account
 2id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa
 3status: test
 4description: Detect when a user has reset their password in Azure AD
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: YochanaHenderson, '@Yochana-H'
 8date: 2022-08-03
 9tags:
10    - attack.privilege-escalation
11    - attack.initial-access
12    - attack.defense-evasion
13    - attack.persistence
14    - attack.credential-access
15    - attack.t1078.004
16logsource:
17    product: azure
18    service: auditlogs
19detection:
20    selection:
21        Category: 'UserManagement'
22        Status: 'Success'
23        Initiatedby: 'UPN'
24    filter:
25        Target|contains: 'UPN'
26        ActivityType|contains: 'Password reset'
27    condition: selection and filter
28falsepositives:
29    - If this was approved by System Administrator or confirmed user action.
30level: medium

References

Related rules

to-top