Admin started SSPR [RULE-1159/RULE-1160]
These rules (RULE-1159 and RULE-1160) detect when an administrator with high privileges (tier0) starts a self-service password reset (SSPR) operation. RULE-1159 monitors permanent administrators, while RULE-1160 also monitors users who can activate administrator privileges via Privileged Identity Management (PIM).
Rationale
Self-service password reset is a legitimate feature that allows users to reset their own password without helpdesk assistance. Administrators also use this feature legitimately, for example when they have forgotten their password or need to reset it for another reason. However, for administrators with high privileges (tier0), extra attention is warranted, because a compromised tier0 account can lead to complete compromise of the organization. An SSPR started on such an account should therefore be verified with the administrator concerned rather than assumed to be routine.
Fix
A fix is offered that disables the administrator account; apply it only after you have validated that the behavior is malicious. For further investigation you can contact us: Attic can support you via our IR service.
Difference between RULE-1159 and RULE-1160
This detection consists of two rules due to different admin configurations:
- RULE-1159: monitors permanent administrators, i.e. users who have been permanently assigned administrator roles (the CHK1105_admins list).
- RULE-1160: monitors PIM-eligible administrators, i.e. users who can activate administrator roles via Privileged Identity Management when needed (the CHK1106_pimadmins list). This rule requires Azure AD Premium P1 or P2.
The reason for two rules is that organizations can have different admin models. Some have permanent admins, others use only PIM, and still others have a mix. By monitoring both, full coverage is achieved regardless of the chosen model.
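As an added illustration of the split described above (this is example code written for this page, not Attic's own rule implementation, whose query language and event schema are not shown here), the Python below evaluates both rules over a small set of constructed audit events. The admin lists stand in for CHK1105_admins and CHK1106_pimadmins, and the event field names and activity strings are assumptions, not the exact Entra ID audit schema. A user present on both lists fires both rules, so that each rule stays independently useful whatever admin model an organization uses.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-ins for the CHK1105_admins (permanent) and
# CHK1106_pimadmins (PIM-eligible) lists. Assumption: entries are UPNs.
PERMANENT_ADMINS = {"alice.admin@example.com"}
PIM_ELIGIBLE_ADMINS = {"bob.pim@example.com"}

# Assumed identifiers for an SSPR start event in a simplified audit schema.
SSPR_SERVICE = "Self-service Password Management"
SSPR_START_ACTIVITY = "Self-service password reset flow activity progress"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:02:11Z", "service": SSPR_SERVICE,
     "activity": SSPR_START_ACTIVITY, "user": "Alice.Admin@example.com"},
    {"time": "2024-05-01T08:05:40Z", "service": SSPR_SERVICE,
     "activity": SSPR_START_ACTIVITY, "user": "bob.pim@example.com"},
    {"time": "2024-05-01T08:09:03Z", "service": SSPR_SERVICE,
     "activity": SSPR_START_ACTIVITY, "user": "carol.user@example.com"},
    {"time": "2024-05-01T08:15:27Z", "service": "Core Directory",
     "activity": "Update user", "user": "alice.admin@example.com"},
]


@dataclass(frozen=True)
class Alert:
    rule: str   # "RULE-1159" or "RULE-1160"
    user: str   # normalized UPN of the admin who started SSPR
    time: str   # event timestamp as found in the log


def is_sspr_start(event: dict) -> bool:
    """True if the event marks the start of a self-service password reset."""
    return (event.get("service") == SSPR_SERVICE
            and event.get("activity") == SSPR_START_ACTIVITY)


def evaluate(events: Iterable[dict],
             permanent_admins: set[str],
             pim_admins: set[str]) -> list[Alert]:
    """Apply RULE-1159 and RULE-1160 to a stream of audit events.

    RULE-1159 fires for SSPR starts by permanent tier0 admins,
    RULE-1160 for SSPR starts by PIM-eligible admins. Membership is
    checked case-insensitively because UPNs are not case-sensitive.
    """
    permanent = {u.lower() for u in permanent_admins}
    pim = {u.lower() for u in pim_admins}
    alerts: list[Alert] = []
    for ev in events:
        if not is_sspr_start(ev):
            continue                     # unrelated activity, ignore
        user = ev["user"].lower()
        if user in permanent:
            alerts.append(Alert("RULE-1159", user, ev["time"]))
        if user in pim:
            alerts.append(Alert("RULE-1160", user, ev["time"]))
    return alerts


def affected_users(alerts: Iterable[Alert]) -> dict[str, list[str]]:
    """Group alerts per rule so an analyst sees one line per account to verify."""
    grouped: dict[str, set[str]] = {}
    for a in alerts:
        grouped.setdefault(a.rule, set()).add(a.user)
    return {rule: sorted(users) for rule, users in grouped.items()}


if __name__ == "__main__":
    for rule, users in affected_users(
            evaluate(SAMPLE_EVENTS, PERMANENT_ADMINS, PIM_ELIGIBLE_ADMINS)).items():
        print(rule, "->", ", ".join(users))
```

Run as-is, the script reports alice.admin under RULE-1159 and bob.pim under RULE-1160; carol.user's reset and the unrelated directory update produce nothing, which is the behaviour the two rules describe.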