From 91e69ac322aab7d057034f3376df1fff4ed8c816 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 18 Apr 2024 12:49:32 -0400
Subject: [PATCH] [Rule Tuning] Tuning `Account Password Reset Remotely` (#3478)

* tuning 'Account Password Reset Remotely'

* adjusted note

* fixing description

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* updated note about performance; toml lint

* bumping min-stack to resolve version lock

* reverting query to main

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 rules/windows/persistence_remote_password_reset.toml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 05c216a88..7754a0e5a 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/18"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/12/14"
+min_stack_comments = "Forking rule to resolve double bump version issue."
+min_stack_version = "8.13.0"
+updated_date = "2024/04/18"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,11 @@ index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Account Password Reset Remotely"
-note = "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity."
+note = """
+
+## Performance
+This rule may cause medium to high performance impact due to scoping all remote Windows logon activity within the first sequence. This rule by default will be noisy if not scoped to custom privileged accounts. If noisy, duplicate the rule and replace the `TargetUserName` or `TargetSid` filters with your own naming convention and accounts of interest.
+"""
 references = [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
 "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
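Review bot: The new `note` tells users to replace the `TargetUserName` or `TargetSid` filters, but the rule's `query` is outside this hunk, so it is worth confirming those field names match the exclusions the query actually applies before the text ships as tuning guidance. The multi-line string also opens with an empty line after `"""` (TOML trims only the newline directly after the opening quotes), so the stored note begins with a blank line; dropping that `+` line so the body starts at `+## Performance` avoids it. Since the guidance recommends narrowing the rule to accounts of interest, a sentence such as `Scoping by account reduces noise at the cost of coverage: password resets of accounts outside the chosen set will no longer alert.` would help readers weigh that trade-off.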