Multiple Password Reset by user

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.

Attribute Value
Type Analytic Rule
Solution Standalone Content
ID 0b9ae89d-8cad-461c-808f-0494f70ad5c4
Severity Low
Kind Scheduled
Tactics InitialAccess, CredentialAccess
Techniques T1078, T1110
Required Connectors AzureActiveDirectory, SecurityEvents, Syslog, Office365, WindowsSecurityEvents, WindowsForwardedEvents
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
AuditLogs ?
OfficeActivity OfficeWorkload == "AzureActiveDirectory" ?
SecurityEvent ?
Syslog Facility in "auth,authpriv"
SyslogMessage matchesregex ".*password changed for.*"		 ?
WindowsEvent EventID in "4723,4724" ?

Associated Connectors

The following connectors provide data for this content item:

Connector Solution
AzureActiveDirectory Microsoft Entra ID
CiscoMeraki(usingRESTAPI) CiscoMeraki
CiscoMerakiNativePoller CiscoMeraki
CiscoSDWAN Cisco SD-WAN
ESI-Opt34DomainControllersSecurityEventLogs Microsoft Exchange Security - Exchange On-Premises
Forescout Forescout (Legacy)
SecurityEvents Windows Security Events
WindowsForwardedEvents Windows Forwarded Events
WindowsSecurityEvents Windows Security Events

Solutions: Cisco SD-WAN, CiscoMeraki, Forescout (Legacy), Microsoft Entra ID, Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Analytic Rules