Tracking Password Changes

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This script identifies password changes or resets across multiple host and cloud sources. Account manipulation, including password changes and resets, may help adversaries maintain access to credentials and permission levels.

Attribute	Value
Type	Hunting Query
Solution	Standalone Content
ID	bac44fe4-c0bc-4e90-aa48-2e346fda803f
Tactics	InitialAccess, CredentialAccess
Techniques	T1078, T1110
Required Connectors	AzureActiveDirectory, SecurityEvents, Syslog, Office365, AzureActiveDirectory, WindowsSecurityEvents, WindowsForwardedEvents
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
AuditLogs	✓	✗	?
OfficeActivity	✓	✗	?
SecurityEvent	✓	✓	?
SigninLogs	✓	✗	?
Syslog	✓	✓	?
WindowsEvent	✓	✓	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID
CiscoMeraki(usingRESTAPI)	CiscoMeraki
CiscoMerakiNativePoller	CiscoMeraki
CiscoSDWAN	Cisco SD-WAN
ESI-Opt34DomainControllersSecurityEventLogs	Microsoft Exchange Security - Exchange On-Premises
Forescout	Forescout (Legacy)
SecurityEvents	Windows Security Events
WindowsForwardedEvents	Windows Forwarded Events
WindowsSecurityEvents	Windows Security Events

Solutions: Cisco SD-WAN, CiscoMeraki, Forescout (Legacy), Microsoft Entra ID, Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries