Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Pathlock TDnR - User Access Management Password Resets

Pathlock TDnR - User Access Management Password Resets

Back
Id2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c53
RulenamePathlock TDnR - User Access Management Password Resets
DescriptionDetects password reset events from the Pathlock User Access Management module in SAP, forwarded to Microsoft Sentinel. Unexpected or bulk password resets may indicate account takeover preparation, credential stuffing followup, or unauthorized use of administrative password reset capabilities.
SeverityMedium
TacticsCredentialAccess
Persistence
TechniquesT1098
T1078
Required data connectorsPathlock_TDnR
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_UAM_PWR.yaml
Version1.0.0
Arm template2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c53.json
Deploy To Azure
Pathlock_TDnR_CL
| where DataSource == "SAST_UAM_PWR"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
          Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
          MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs

suppressionDuration: 5h
description: Detects password reset events from the Pathlock User Access Management module in SAP, forwarded to Microsoft Sentinel. Unexpected or bulk password resets may indicate account takeover preparation, credential stuffing followup, or unauthorized use of administrative password reset capabilities.
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    groupByCustomDetails: []
    groupByEntities: []
    lookbackDuration: 5h
    groupByAlertDetails: []
    reopenClosedIncident: false
    matchingMethod: AnyAlert
query: |
  Pathlock_TDnR_CL
  | where DataSource == "SAST_UAM_PWR"
  | project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
            Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
            MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs  
requiredDataConnectors:
- connectorId: Pathlock_TDnR
  dataTypes:
  - Pathlock_TDnR_CL
version: 1.0.0
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Bname
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: Hostname
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SrcIp
  entityType: IP
triggerOperator: gt
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c53
triggerThreshold: 0
tactics:
- CredentialAccess
- Persistence
name: Pathlock TDnR - User Access Management Password Resets
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_UAM_PWR.yaml
status: Available
queryFrequency: 1h
queryPeriod: 1h
suppressionEnabled: false
relevantTechniques:
- T1098
- T1078
eventGroupingSettings:
  aggregationKind: SingleAlert
severity: Medium