sequence by winlog.computer_name with maxspan=1m
  [authentication where event.action == "logged-in" and
    /* event 4624 needs to be logged */
    winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
    source.ip != "127.0.0.1" and source.ip != "::1" and
    not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
  /* event 4724 needs to be logged */
  [iam where event.action == "reset-password" and
    (
    /*
    This rule is very noisy if not scoped to privileged accounts; duplicate the
    rule and add your own naming convention and accounts of interest here.
    */
    winlog.event_data.TargetUserName : ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or
    winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500")
    )
  ] by winlog.event_data.SubjectLogonId
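As an added illustration (not Elastic's code), the following Python reproduces the rule's two-leg sequence over constructed sample events: a successful network logon (4624) followed within one minute on the same host by a password reset (4724) of a privileged-looking account, joined on the logon ID. The flat field names (`target_user`, `subject_logon_id`, ...) are assumed stand-ins for the `winlog.*` fields in the query.

```python
import fnmatch
from datetime import datetime
# Wildcard lists copied from the rule above; EQL ':' is case-insensitive, so compare lowercased.
EXCLUDED_LOGON_USERS = ("svc*", "PIM_*", "_*_", "*-*-*", "*$")
PRIV_NAME_PATTERNS = ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*")
PRIV_SID_PATTERNS = ("S-1-5-21-*-500", "S-1-12-1-*-500")
MAXSPAN_SECONDS = 60  # "with maxspan=1m"

def _match(value, patterns):
    return value is not None and any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_remote_logon(e):
    """First leg (4624): successful network logon from a non-loopback IP, minus service-like accounts."""
    return (e["category"] == "authentication" and e["action"] == "logged-in"
            and e.get("logon_type", "").lower() == "network" and e.get("outcome") == "success"
            and e.get("source_ip") not in (None, "127.0.0.1", "::1")
            and not _match(e.get("target_user"), EXCLUDED_LOGON_USERS))

def is_privileged_reset(e):
    """Second leg (4724): password reset whose target looks privileged by name or by RID 500."""
    return (e["category"] == "iam" and e["action"] == "reset-password"
            and (_match(e.get("target_user"), PRIV_NAME_PATTERNS)
                 or _match(e.get("target_sid"), PRIV_SID_PATTERNS)))

def find_remote_password_resets(events):
    """Join like the EQL sequence: same host, reset.SubjectLogonId == logon.TargetLogonId, within maxspan."""
    last_logon, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if is_remote_logon(e):
            last_logon[(e["host"], e["target_logon_id"])] = e  # remember the most recent qualifying logon
        elif is_privileged_reset(e):
            logon = last_logon.get((e["host"], e["subject_logon_id"]))
            if logon and 0 <= (datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(logon["ts"])).total_seconds() <= MAXSPAN_SECONDS:
                hits.append((logon, e))
    return hits

# Constructed sample events (not real logs), already normalised to a few ECS-like fields.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "DC01", "category": "authentication", "action": "logged-in",
     "logon_type": "Network", "outcome": "success", "source_ip": "10.0.0.5", "target_user": "jdoe", "target_logon_id": "0x3e7a1"},
    {"ts": "2024-03-01T10:00:20", "host": "DC01", "category": "iam", "action": "reset-password",
     "target_user": "Administrator", "target_sid": "S-1-5-21-111-222-333-500", "subject_logon_id": "0x3e7a1"},  # hit
    {"ts": "2024-03-01T10:01:00", "host": "DC01", "category": "authentication", "action": "logged-in",
     "logon_type": "Network", "outcome": "success", "source_ip": "127.0.0.1", "target_user": "jsmith", "target_logon_id": "0x4001"},
    {"ts": "2024-03-01T10:01:10", "host": "DC01", "category": "iam", "action": "reset-password",
     "target_user": "helpdesk-adm", "target_sid": "S-1-5-21-111-222-333-1200", "subject_logon_id": "0x4001"},  # loopback logon, no hit
    {"ts": "2024-03-01T10:05:00", "host": "DC01", "category": "iam", "action": "reset-password",
     "target_user": "Administrator", "target_sid": "S-1-5-21-111-222-333-500", "subject_logon_id": "0x3e7a1"},  # outside maxspan
]
```

Running `find_remote_password_resets(SAMPLE_EVENTS)` returns only the 10:00:20 reset paired with jdoe's logon; the loopback-sourced logon and the reset five minutes later are dropped, as the EQL would drop them.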
Install detection rules in Elastic Security
Detect Account Password Reset Remotely in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.