Cisco Duo - Admin password reset

Back


Id	413e49a5-b107-4698-8428-46b89308bd22
Rulename	Cisco Duo - Admin password reset
Description	Detects when admin’s password was reset.
Severity	High
Tactics	Persistence
Techniques	T1078
Required data connectors	CiscoDuoSecurity
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml
Version	1.0.0
Arm template	413e49a5-b107-4698-8428-46b89308bd22.json

KQL

CiscoDuo
| where DvcAction =~ "admin_reset_password"
| extend AccountCustomEntity = DstUserName

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminPasswordReset.yaml
queryPeriod: 1h
description: |
    'Detects when admin's password was reset.'
triggerThreshold: 0
name: Cisco Duo - Admin password reset
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
kind: Scheduled
requiredDataConnectors:
- connectorId: CiscoDuoSecurity
  dataTypes:
  - CiscoDuo
queryFrequency: 1h
tactics:
- Persistence
id: 413e49a5-b107-4698-8428-46b89308bd22
status: Available
version: 1.0.0
query: |
  CiscoDuo
  | where DvcAction =~ "admin_reset_password"
  | extend AccountCustomEntity = DstUserName  
severity: High
relevantTechniques:
- T1078

ARM