Techniques
Sample rules
Azure AD User Enabled And Password Reset
- source: splunk
- techniques:
- T1098
Description
The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.
Detection logic
`azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user")
| transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats count min(_time) as firstTime max(_time) as lastTime values(operationName) as operationName values(initiatedBy) as initiatedBy by user, result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_enabled_and_password_reset_filter`
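The SPL above correlates two audit operations on the same target user with a `transaction` that must start with "Enable account", end with "Reset password (by admin)", and span at most two minutes. The following Python is an added example (not part of the Splunk Security Content rule) that reproduces that correlation outside Splunk over a handful of constructed Azure AD audit records, so the ordering and time-window conditions can be seen working: a fast enable-then-reset fires, a slow one does not, and a reset that precedes the enable does not. The record shape (`properties.initiatedBy.user.userPrincipalName`, `properties.targetResources[0].userPrincipalName`, `properties.result`) is an assumption that mirrors the fields the SPL renames; the constants `WATCHED_OPS`, `SAMPLE_EVENTS` and the function names are mine.

```python
from datetime import datetime, timedelta

# Constructed Azure AD audit records (not real tenant data). The nested
# fields mirror those the SPL pulls out with `rename properties.* as *`.
def _event(time, op, actor, target, result="success"):
    return {
        "time": time,
        "operationName": op,
        "properties": {
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target}],
            "result": result,
        },
    }

SAMPLE_EVENTS = [
    # alice: enable -> update -> reset within 70 s (should alert)
    _event("2024-01-01T10:00:00Z", "Enable account", "admin@example.com", "alice@example.com"),
    _event("2024-01-01T10:00:30Z", "Update user", "admin@example.com", "alice@example.com"),
    _event("2024-01-01T10:01:10Z", "Reset password (by admin)", "admin@example.com", "alice@example.com"),
    # bob: enable -> reset, but 4 minutes apart (outside maxspan=2m, no alert)
    _event("2024-01-01T10:05:00Z", "Enable account", "helpdesk@example.com", "bob@example.com"),
    _event("2024-01-01T10:09:00Z", "Reset password (by admin)", "helpdesk@example.com", "bob@example.com"),
    # carol: reset first, then enable (wrong order for startsWith/endsWith, no alert)
    _event("2024-01-01T10:20:00Z", "Reset password (by admin)", "helpdesk@example.com", "carol@example.com"),
    _event("2024-01-01T10:20:30Z", "Enable account", "helpdesk@example.com", "carol@example.com"),
]

# The three operationName values the base search selects.
WATCHED_OPS = {"Enable account", "Reset password (by admin)", "Update user"}


def _ts(s):
    # Azure AD timestamps end in "Z"; make them offset-aware for subtraction.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_enable_then_reset(events, maxspan=timedelta(minutes=2)):
    """Emulate `transaction user startsWith=... endsWith=... maxspan=2m`.

    Events are grouped by target user and ordered by time. An "Enable
    account" opens a transaction (a later enable restarts it); the first
    "Reset password (by admin)" closes it and produces an alert only when
    the whole span fits inside maxspan. Intermediate "Update user" events
    ride along in the transaction, as they would in Splunk.
    """
    by_user = {}
    for e in events:
        if e["operationName"] not in WATCHED_OPS:
            continue
        target = e["properties"]["targetResources"][0]["userPrincipalName"]
        by_user.setdefault(target, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        txn = None
        for e in evs:
            op = e["operationName"]
            if op == "Enable account":
                txn = [e]
            elif txn is not None:
                txn.append(e)
                if op == "Reset password (by admin)":
                    if _ts(e["time"]) - _ts(txn[0]["time"]) <= maxspan:
                        alerts.append(_summarize(user, txn))
                    txn = None
    return alerts


def _summarize(user, txn):
    # Same fields the SPL `stats` emits: count, first/last time, and the
    # distinct operationName / initiatedBy values per target user.
    props = [e["properties"] for e in txn]
    return {
        "user": user,
        "count": len(txn),
        "firstTime": txn[0]["time"],
        "lastTime": txn[-1]["time"],
        "operationName": sorted({e["operationName"] for e in txn}),
        "initiatedBy": sorted({p["initiatedBy"]["user"]["userPrincipalName"] for p in props}),
        "result": sorted({p["result"] for p in props}),
    }


if __name__ == "__main__":
    for alert in find_enable_then_reset(SAMPLE_EVENTS):
        print(alert)
```

Running it prints a single alert for `alice@example.com` with `count` 3 and `initiatedBy` `admin@example.com`; widening `maxspan` to five minutes makes the `bob@example.com` sequence fire as well, which is the knob to tune if the two-minute window proves too tight for a tenant's help-desk workflow.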