LoFP / if this was approved by system administrator or confirmed user action.

Techniques

Sample rules

Password Reset By User Account

source: sigma
technicques:
- t1078
- t1078.004

Description

Detect when a user has reset their password in Azure AD

Detection logic

condition: selection and filter
filter:
  ActivityType|contains: Password reset
  Target|contains: UPN
selection:
  Category: UserManagement
  Initiatedby: UPN
  Status: Success