[New Rule] Account Password Reset Remotely

## Description

Detect remote password reset by correlating remote logon success 4624 followed by password reset eventid 4723 : 

```
sequence by host.id with maxspan=5m
  [authentication where event.action=="logged-in" and
    /* event 4624 need to be logged */
    winlog.logon.type:"Network" and event.outcome == "success" and source.ip != null and
    source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
   /* event 4724 need to be logged */
  [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
```

![image](https://user-images.githubusercontent.com/64742097/137640719-2eabf510-b70b-4803-8125-cab454c8d37b.png)


## Required Info

### Target indexes


### Additional requirements


### Target Operating Systems


### Platforms


### Tested ECS Version
x.x.x


## Optional Info

### Query

### New fields required in ECS/data sources for this rule?

### Related issues or PRs

### References



## Example Data

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rule] Account Password Reset Remotely #1570

Description

Required Info

Target indexes

Additional requirements

Target Operating Systems

Platforms

Tested ECS Version

Optional Info

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[New Rule] Account Password Reset Remotely #1570

Description

Description

Required Info

Target indexes

Additional requirements

Target Operating Systems

Platforms

Tested ECS Version

Optional Info

Query

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions