Rules Contributing to Password Reset By User Account Alert

The following rules are used to identify events when a password is reset by a user account. Any one or more of these will trigger the Password Reset By User Account Alert Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Password Reset by User Account

Detect when a user has reset their password in Microsoft Entra ID

More details

Rule ID

azure_34

Query

{'selection': {'Category': 'UserManagement', 'Result': 'Success', 'ActivityDisplayName|contains': 'Password reset'}, 'self_service_activity': {'ActivityDisplayName|contains': 'flow activity progress'}, 'self_service_reason': {'ResultReason': 'User successfully reset password'}, 'filter': {'initiatedBy_user_userPrincipalName': ''}, 'condition': 'selection and not filter and (not self_service_activity or self_service_reason)'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,340ee172-4b67-4fb4-832f-f961bdc1f3aa

Author: YochanaHenderson, '@Yochana-H'

Tactics, Techniques, and Procedures

TA0003, T1078.004

References

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts

Severity

Suppression Logic Based On

azure_ad.initiatedBy.user.id
azure_ad.initiatedBy.app.servicePrincipalId
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/08/03	medium	If this was approved by System Administrator or confirmed user action.