Azure AD account unlock/password reset attempt

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-02-09
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AzureAD Audit Log

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Informational

Response playbooks

Variations of this detector that create incidents have an OOTB response playbook included in the Cortex Response and Remediation Pack.

Description

An identity attempted to unlock their account or reset their Azure AD password.

Attacker's Goals

  • An attacker may change a valid account's password to maintain persistence.

Investigative actions

  • Check if the password reset is authorized.
  • Check whether the user who reset the password is permitted to perform such actions.
  • Check if the account is in the password reset group or is acting out of scope.
  • Check whether the user abandoned the password reset, cancelling before successfully passing the authentication methods.
  • Follow up on further actions or suspicious logins from the account.

Variations

Azure AD account unlock/successful password reset

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Low

Response playbooks

Azure AD account unlock or password reset

Description

An identity successfully reset or changed their Azure AD password.

Attacker's Goals

  • An attacker may change a valid account's password to maintain persistence.

Investigative actions

  • Check if the password reset is authorized.
  • Check whether the user who reset the password is permitted to perform such actions.
  • Check if the account is in the password reset group or is acting out of scope.
  • Check whether the user abandoned the password reset, cancelling before successfully passing the authentication methods.
  • Follow up on further actions or suspicious logins from the account.