
Summary
This analytic detection rule identifies instances where a new Multi-Factor Authentication (MFA) device is provisioned shortly after a password reset. It correlates Windows Event Log entries (specifically EventIDs 4723 and 4724, which signify password change and password reset attempts) with PingID logs that indicate device pairing activity. The key aspect of this detection is its ability to flag potential social engineering attacks, where an attacker impersonates a legitimate user to obtain a password reset and subsequently pairs a new MFA device. When this scenario is detected, it implies a risk of unauthorized access, as the attacker could bypass standard security controls and gain persistent access to the user account. The rule requires the integration of both Windows Event Logs and PingID records, ensuring comprehensive monitoring against such incidents.
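The correlation the summary describes, as an added Python example that is not the rule's own search logic: it joins 4723/4724 events to PingID pairing records for the same user inside a time window. The log lines are constructed, and the field names (TargetUserName, SubjectUserName, action=device_paired, user) are assumptions about how both sources are normalised.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the rule or either product's real logs).
WINDOWS_LOG = """\
2025-01-21T10:00:05Z EventCode=4724 SubjectUserName=helpdesk01 TargetUserName=alice
2025-01-21T09:00:00Z EventCode=4723 SubjectUserName=bob TargetUserName=bob
2025-01-21T11:30:00Z EventCode=4724 SubjectUserName=helpdesk01 TargetUserName=dave
"""
PINGID_LOG = """\
2025-01-21T10:12:40Z action=device_paired user=alice device=iPhone
2025-01-22T09:05:00Z action=device_paired user=bob device=Android
2025-01-21T10:30:00Z action=device_paired user=carol device=Android
2025-01-21T11:20:00Z action=device_paired user=dave device=iPhone
2025-01-21T10:40:00Z action=login user=alice
"""

RESET_CODES = {"4723", "4724"}  # password change attempt / password reset attempt


def parse(log: str) -> list[dict]:
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'time'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def correlate(windows_log: str, pingid_log: str,
              window: timedelta = timedelta(minutes=60)) -> list[dict]:
    """Alert when a PingID pairing for a user follows a 4723/4724 event for the
    same account within `window`. Pairings that precede the reset are ignored,
    as are users with a pairing but no reset (carol) or a reset but a pairing
    outside the window (bob at the default 60 minutes)."""
    resets = [e for e in parse(windows_log) if e.get("EventCode") in RESET_CODES]
    pairings = [e for e in parse(pingid_log) if e.get("action") == "device_paired"]
    alerts = []
    for r in resets:
        user = r["TargetUserName"].lower()
        for p in pairings:
            delta = p["time"] - r["time"]
            if p["user"].lower() == user and timedelta(0) <= delta <= window:
                alerts.append({"user": user, "reset_event": r["EventCode"],
                               "reset_by": r["SubjectUserName"],
                               "seconds_between": int(delta.total_seconds())})
    return alerts
```

Tune `window` to the help desk's normal reset-to-enrolment turnaround; too wide a window pulls in legitimate re-enrolments like bob's next-day pairing.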
Categories
- Identity Management
- Endpoint
- Cloud
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1098
- T1556
- T1621
- T1556.006
- T1098.005
Created: 2025-01-21