cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL for list of service account with password never expires.

ninjaa
Copper Contributor

‎Feb 21 2023 12:37 AM

‎Feb 21 2023 12:37 AM

KQL for list of service account with password never expires.

Hi 
Can someone please help me, how to write KQL query to get list of all service accounts which are set to password never expires.   

Thank you for your time.

Labels:
2,720 Views
0 Likes
2 Replies
Reply
2 Replies
Clive_Watson

‎Feb 21 2023 02:13 AM

‎Feb 21 2023 02:13 AM

Re: KQL for list of service account with password never expires.

@ninjaa 

 

It depends what Tables you have, here are two examples, but you'll have to add the Service Account filter - which will be to look for them starting with "svc-" (best practise):

Azure-Sentinel/password_never_expires.yaml at c6dce9c3aa4d4b4d02423ac4eb5a6b677a39e432 · Azure/Azure...

or 

Sentinel-Queries/IdentityDirectoryEvents-PasswordSettoNeverExpire.kql at be2948cc572879e77dc1d251444...

1 Like
Reply
malvarezz

‎Jun 19 2024 07:42 PM - edited ‎Jun 19 2024 07:44 PM

‎Jun 19 2024 07:42 PM - edited ‎Jun 19 2024 07:44 PM

Re: KQL for list of service account with password never expires.

As long as 'UserAccountControl' is being parsed from IdentityInfo,
use this:
IdentityInfo
| where OnPremisesDistinguishedName contains "Service" and OnPremisesDistinguishedName contains "account"
| where UserAccountControl has "PasswordNeverExpires"
| summarize arg_max(TimeGenerated, *) by AccountName
| project AccountName, AccountCreationTime, AccountDomain, AccountUPN, OnPremisesDistinguishedName, UserAccountControl

Set the time range to go as far back as you can.

0 Likes
Reply