Managed Sentinel – Alert 073
|Alert Name||Multiple Password Resets by a user across multiple datasources|
|Description||This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.'|
|Threat Indicator||Credential Access|
|MITRE ATT&CK Tactics||Persistence |
|Log sources||Windows Security Event Logs|
|False Positive||IT Operation service accounts (e.g. monitoring tools accounts)|
Administrator making global changes post incident remediation
|Recommendations||1. Identify if the change is a legitimate change in your network infrastructure (approved change request)|
2. If malicious (not approve) change(s) is identified then immediately disable the in affected user account
3. Perform a Sentinel investigation to understand if any lateral movements of this account into your network.
4. Isolate host from where the changes were initiated.
5. Collect evidence and logs for future investigations