Cisco Duo - Admin password reset

Back


Id	413e49a5-b107-4698-8428-46b89308bd22
Rulename	Cisco Duo - Admin password reset
Description	Detects when admin’s password was reset.
Severity	High
Tactics	Persistence
Techniques	T1078
Required data connectors	CiscoDuoSecurity
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml
Version	1.0.0
Arm template	413e49a5-b107-4698-8428-46b89308bd22.json

KQL

CiscoDuo
| where DvcAction =~ "admin_reset_password"
| extend AccountCustomEntity = DstUserName

YAML

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
tactics:
- Persistence
requiredDataConnectors:
- dataTypes:
  - CiscoDuo
  connectorId: CiscoDuoSecurity
id: 413e49a5-b107-4698-8428-46b89308bd22
severity: High
status: Available
query: |
  CiscoDuo
  | where DvcAction =~ "admin_reset_password"
  | extend AccountCustomEntity = DstUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Cisco Duo - Admin password reset
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1078
description: |
    'Detects when admin's password was reset.'
triggerOperator: gt

ARM