Managed Sentinel – Alert 073

Alert ID: MS-A073
Alert Name: Multiple Password Resets by a user across multiple data sources
Description: This query detects multiple password resets performed by a single user across multiple data sources. Account manipulation, including password resets, may help adversaries maintain access to credentials and retain certain permission levels within an environment.
Severity Level: Low
Threat Indicator: Credential Access
MITRE ATT&CK Tactics: Persistence, Credential Access
Log sources: Windows Security Event Logs
False Positives: IT operations service accounts (e.g. monitoring tool accounts); an administrator making global changes after incident remediation
Recommendations:
1. Identify whether the change is a legitimate change in your network infrastructure (approved change request).
2. If a malicious (not approved) change is identified, immediately disable the affected user account.
3. Perform a Sentinel investigation to determine whether this account has moved laterally within your network.
4. Isolate the host from which the changes were initiated.
5. Collect evidence and logs for future investigations.
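The detection logic the description refers to, shown as an added example over constructed records; this is not the Managed Sentinel query itself. The source names, record shapes, threshold and allowlist are assumptions made for the example (Windows event ID 4724, "an attempt was made to reset an account's password", is real).

```python
from collections import defaultdict

# Constructed sample records. The tuple/dict shapes below are assumptions for this
# example, not the Sentinel schema. 4724 = password reset, 4723 = password change.
WINDOWS_EVENTS = [  # assumed shape: (EventID, SubjectUserName, TargetUserName)
    (4724, "jdoe", "alice"),
    (4724, "jdoe", "bob"),
    (4723, "jdoe", "jdoe"),           # a self-service change, not a reset; ignored
    (4724, "svc-monitor", "probe01"),  # monitoring service account (known false positive)
]
CLOUD_AUDIT = [  # assumed shape: directory audit entries from a second data source
    {"op": "Reset user password", "actor": "JDOE", "target": "carol"},
    {"op": "Reset user password", "actor": "jdoe", "target": "dave"},
    {"op": "Update user", "actor": "jdoe", "target": "erin"},  # not a reset; ignored
]


def normalise(windows_events, cloud_audit):
    """Flatten both sources into (source, actor, target) tuples, keeping only resets."""
    resets = []
    for event_id, actor, target in windows_events:
        if event_id == 4724:
            resets.append(("WindowsSecurity", actor.lower(), target.lower()))
    for rec in cloud_audit:
        if rec["op"] == "Reset user password":
            resets.append(("CloudAudit", rec["actor"].lower(), rec["target"].lower()))
    return resets


def detect(resets, threshold=3, allowlist=frozenset()):
    """Return {actor: {count, sources, targets}} for actors at or above the threshold.

    Accounts in the allowlist (e.g. IT operations service accounts) are skipped,
    which is the tuning step the False Positives section of the alert calls for.
    """
    per_actor = defaultdict(lambda: {"count": 0, "sources": set(), "targets": set()})
    for source, actor, target in resets:
        if actor in allowlist:
            continue
        per_actor[actor]["count"] += 1
        per_actor[actor]["sources"].add(source)
        per_actor[actor]["targets"].add(target)
    return {
        actor: {"count": e["count"], "sources": sorted(e["sources"]), "targets": sorted(e["targets"])}
        for actor, e in per_actor.items() if e["count"] >= threshold
    }


if __name__ == "__main__":
    hits = detect(normalise(WINDOWS_EVENTS, CLOUD_AUDIT), allowlist={"svc-monitor"})
    for actor, hit in hits.items():
        print(f"{actor}: {hit['count']} resets across {hit['sources']} -> {hit['targets']}")
```

Resets from the two sources are attributed to the same actor after case normalisation, so a user who stays under the threshold in each source alone is still surfaced by the combined count.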