Multiple Password Resets by a user across multiple datasources
This query detects multiple password resets performed by a single user, correlated across multiple data sources. Account manipulation, including password resets, may help adversaries retain access to credentials and preserve certain permission levels within an environment.
MITRE ATT&CK Tactics
Windows Security Event Logs
IT operations service accounts (e.g. monitoring tool accounts)
Administrators making global changes after incident remediation
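The detection logic described above, as an added example that is not the Sentinel query itself: records from more than one data source are merged per actor, and an actor who resets a threshold number of distinct accounts within a sliding time window is flagged. The record layout, the "CloudAudit" second source, the sample rows and the allowlist (covering the service-account false positives listed above) are all constructed for this example.

```python
"""Flag a single actor resetting many different accounts' passwords in a short
window, correlating records from more than one data source.

Added example, not Microsoft's or Sentinel's own query. The normalised record
shape, the second data source and the sample rows are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). "SecurityEvent" rows model
# Windows Security Event ID 4724 ("An attempt was made to reset an account's
# password"); "CloudAudit" is a hypothetical second source normalised to the
# same shape so both can be counted together.
SAMPLE_EVENTS = [
    {"source": "SecurityEvent", "time": "2024-01-10T09:00:00", "actor": "CORP\\jdoe", "target": "alice"},
    {"source": "SecurityEvent", "time": "2024-01-10T09:04:00", "actor": "CORP\\jdoe", "target": "bob"},
    {"source": "CloudAudit",    "time": "2024-01-10T09:10:00", "actor": "CORP\\jdoe", "target": "carol"},
    {"source": "SecurityEvent", "time": "2024-01-10T09:12:00", "actor": "CORP\\jdoe", "target": "dave"},
    # Helpdesk user resetting the same account twice: one target, not a mass reset
    {"source": "SecurityEvent", "time": "2024-01-10T10:00:00", "actor": "CORP\\helpdesk1", "target": "erin"},
    {"source": "SecurityEvent", "time": "2024-01-10T10:30:00", "actor": "CORP\\helpdesk1", "target": "erin"},
    # Monitoring service account running a known maintenance job (allowlisted)
    {"source": "SecurityEvent", "time": "2024-01-10T11:00:00", "actor": "CORP\\svc_monitor", "target": "frank"},
    {"source": "SecurityEvent", "time": "2024-01-10T11:01:00", "actor": "CORP\\svc_monitor", "target": "grace"},
    {"source": "SecurityEvent", "time": "2024-01-10T11:02:00", "actor": "CORP\\svc_monitor", "target": "heidi"},
    # Resets spread across a whole day: never reaches the threshold inside one window
    {"source": "SecurityEvent", "time": "2024-01-10T08:00:00", "actor": "CORP\\ops2", "target": "ivan"},
    {"source": "SecurityEvent", "time": "2024-01-10T12:00:00", "actor": "CORP\\ops2", "target": "judy"},
    {"source": "SecurityEvent", "time": "2024-01-10T16:00:00", "actor": "CORP\\ops2", "target": "ken"},
]

# Known-benign actors (e.g. monitoring tool accounts); assumed for this example.
ALLOWLIST = frozenset({"CORP\\svc_monitor"})


def detect_mass_resets(events, threshold=3, window=timedelta(hours=1), allowlist=ALLOWLIST):
    """Return {actor: {"targets", "sources", "start", "end"}} for every actor that
    reset `threshold` or more distinct accounts within any sliding `window`.
    Allowlisted actors are skipped. Events from all sources are merged before
    counting, so resets split across sources still add up."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["actor"] in allowlist:
            continue
        by_actor[ev["actor"]].append(
            (datetime.fromisoformat(ev["time"]), ev["target"], ev["source"])
        )

    alerts = {}
    for actor, rows in by_actor.items():
        rows.sort()  # chronological order per actor
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the oldest event fits inside it.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            targets = {target for _, target, _ in in_window}
            if len(targets) >= threshold:
                alerts[actor] = {
                    "targets": sorted(targets),
                    "sources": sorted({src for _, _, src in in_window}),
                    "start": rows[start][0].isoformat(),
                    "end": rows[end][0].isoformat(),
                }
                break  # first window that crosses the threshold is enough for an alert
    return alerts


if __name__ == "__main__":
    for actor, info in detect_mass_resets(SAMPLE_EVENTS).items():
        print(f"{actor}: reset {len(info['targets'])} accounts {info['targets']} "
              f"via {info['sources']} between {info['start']} and {info['end']}")
```

Counting distinct target accounts rather than raw event count is what separates a helpdesk user retrying one reset from an actor sweeping through many accounts; the allowlist and window size are the two knobs to tune against the false-positive sources listed above.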
1. Determine whether the change is a legitimate change to your network infrastructure (backed by an approved change request).
2. If a malicious (unapproved) change is identified, immediately disable the affected user account.
3. Perform a Sentinel investigation to determine whether this account has moved laterally within your network.
4. Isolate the host from which the changes were initiated.
5. Collect evidence and logs for future investigations.