Query Details
//Alert when Defender for Identity detects an account being set to 'password never expires'
//Data connector required for this query - M365 Defender - Identity* tables
//Microsoft Sentinel query
IdentityDirectoryEvents
| where ActionType == "Account Password Never Expires changed"
| extend ['Password never expires previous setting'] = tostring(AdditionalFields.["FROM Account Password Never Expires"])
| extend ['Password never expires current setting'] = tostring(AdditionalFields.["TO Account Password Never Expires"])
| project
TimeGenerated,
TargetAccountUpn,
['Password never expires current setting'],
['Password never expires previous setting']

//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
IdentityDirectoryEvents
| where ActionType == "Account Password Never Expires changed"
| extend ['Password never expires previous setting'] = tostring(AdditionalFields.["FROM Account Password Never Expires"])
| extend ['Password never expires current setting'] = tostring(AdditionalFields.["TO Account Password Never Expires"])
| project
Timestamp,
TargetAccountUpn,
['Password never expires current setting'],
['Password never expires previous setting']

This query detects when an account's 'password never expires' attribute is changed in Microsoft Defender for Identity, including the case where it is set to 'password never expires'. It reads from the IdentityDirectoryEvents table and filters for events whose ActionType is "Account Password Never Expires changed". It then extracts the previous and current values of the 'password never expires' attribute from AdditionalFields. The resulting output includes the timestamp, target account UPN, current setting, and previous setting for the 'password never expires' attribute.
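The queries above return every change to the attribute, in both directions. The following is an added example, not code from the original page or its author, that narrows the Sentinel version to the direction a defender usually cares about (the flag being turned on) and adds the actor who made the change. It assumes that the FROM/TO values stored in AdditionalFields are the strings "True" and "False", that the actor is carried in AccountUpn, and that TargetAccountDisplayName is available in IdentityDirectoryEvents; the 7-day lookback is an arbitrary choice.

```kql
//Added example (not from the original page): alert only when 'password never expires' is switched ON
//Assumptions: FROM/TO values are "True"/"False" strings; AccountUpn is the account that performed the change
IdentityDirectoryEvents
| where TimeGenerated > ago(7d)
| where ActionType == "Account Password Never Expires changed"
| extend PreviousSetting = tostring(AdditionalFields.["FROM Account Password Never Expires"])
| extend CurrentSetting = tostring(AdditionalFields.["TO Account Password Never Expires"])
//keep only transitions from not-set to set; a True -> True event would be noise
| where CurrentSetting =~ "True" and PreviousSetting !~ "True"
| project
    TimeGenerated,
    ActorUpn = AccountUpn,
    TargetAccountUpn,
    TargetAccountDisplayName,
    PreviousSetting,
    CurrentSetting
| order by TimeGenerated desc
```

Keeping one row per event (rather than summarizing) lets an analytic rule map ActorUpn and TargetAccountUpn as separate entities; for hunting across a longer window, a trailing `summarize make_set(TargetAccountUpn), count() by ActorUpn, bin(TimeGenerated, 1d)` surfaces a single actor flipping the flag on many accounts.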

Matt Zorich
Released: June 17, 2022