blue-team-tools/rules/cloud/azure/azure_user_password_change.yml
Mark Morowczynski b24e6d197b Update tags for MITRE ATT&CK
2023-01-29 11:29:12 -08:00


title: Password Reset By User Account
id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa
status: experimental
description: Detect when a user has reset their password in Azure AD
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
author: YochanaHenderson, '@Yochana-H'
date: 2022/08/03
tags:
    - attack.persistence
    - attack.credential_access
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'UserManagement'
        Status: 'Success'
        Initiatedby: 'UPN'
    filter:
        Target|contains: 'UPN'
        ActivityType|contains: 'Password reset'
    condition: selection and filter
falsepositives:
    - If this was approved by System Administrator or confirmed user action.
level: medium