Feb 21 2023 12:37 AM
Hi
Can someone please help me with how to write a KQL query to get a list of all service accounts which are set to password never expires.
Thank you for your time.
Feb 21 2023 02:13 AM
It depends on what tables you have. Here are two examples, but you'll have to add the service account filter, which will be to look for them starting with "svc-" (best practice):
Azure-Sentinel/password_never_expires.yaml at c6dce9c3aa4d4b4d02423ac4eb5a6b677a39e432 · Azure/Azure...
or
Sentinel-Queries/IdentityDirectoryEvents-PasswordSettoNeverExpire.kql at be2948cc572879e77dc1d251444...
Jun 19 2024 07:42 PM - edited Jun 19 2024 07:44 PM
As long as 'UserAccountControl' is being parsed from IdentityInfo, use this:
IdentityInfo
// service accounts are identified here by their on-prem OU path, so adjust the terms to your AD layout
| where OnPremisesDistinguishedName contains "Service" and OnPremisesDistinguishedName contains "account"
| where UserAccountControl has "PasswordNeverExpires"
// IdentityInfo holds repeated snapshots, so keep only the latest row per account
| summarize arg_max(TimeGenerated, *) by AccountName
| project AccountName, AccountCreationTime, AccountDomain, AccountUPN, OnPremisesDistinguishedName, UserAccountControl
Set the time range to go as far back as you can.
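As an added example that is not from either reply, the query below combines the "svc-" naming convention from the first answer with the IdentityInfo approach from the last one, so an account is reported if either its name carries the prefix or it sits in a service-account OU; the prefix pattern, the OU marker and the 90-day lookback are assumptions to adjust to your directory.

```kql
// Added example (not from the thread). Assumptions: service accounts are named
// "svc-..." or "svc_...", and/or live under an OU whose DN contains "OU=Service Accounts".
let svcOuMarker = "OU=Service Accounts";   // assumed OU name, change to match your DN layout
let lookback = 90d;                         // go back as far as your retention allows
IdentityInfo
| where TimeGenerated > ago(lookback)
// the flag is only meaningful once the column is populated, so drop rows where it is empty
| where isnotempty(UserAccountControl)
| where UserAccountControl has "PasswordNeverExpires"
// two independent ways of recognising a service account
| extend NameMatch = AccountName matches regex @"(?i)^svc[-_]"
| extend OuMatch = OnPremisesDistinguishedName contains svcOuMarker   // contains is case-insensitive
| where NameMatch or OuMatch
// IdentityInfo is a series of snapshots: keep the most recent row per account
| summarize arg_max(TimeGenerated, *) by AccountName
// how long the account has existed with a non-expiring password helps prioritise review
| extend AccountAgeDays = datetime_diff('day', now(), AccountCreationTime)
| extend MatchedBy = case(NameMatch and OuMatch, "name+OU", NameMatch, "name", "OU")
| project TimeGenerated, AccountName, AccountUPN, AccountDomain, AccountCreationTime,
          AccountAgeDays, MatchedBy, OnPremisesDistinguishedName, UserAccountControl
| order by AccountAgeDays desc
```

Rows with MatchedBy equal to "OU" alone are accounts in the service-account OU that do not follow the naming convention, which is worth reviewing separately from the password policy itself.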