Query Details

Identity Info Find Accounts Password Not Required

Query

//Find user accounts with the 'password not required' flag set in Active Directory

//Data connector required for this query - Microsoft Sentinel UEBA

IdentityInfo
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
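//UserAccountControl is an array that can hold several flags, so search the whole array rather than only its first element
| extend UACFlags = tostring(UserAccountControl)
| where UACFlags has "PasswordNotRequired"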

Explanation

This query finds user accounts in Active Directory that have the 'password not required' flag set. It relies on the Microsoft Sentinel UEBA data connector, which populates the IdentityInfo table. The query takes IdentityInfo records from the last 30 days, keeps the most recent record for each AccountUPN, reads that account's UserAccountControl flags, and returns the accounts where the 'PasswordNotRequired' flag is set.
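The flag check can be exercised without live data. The following is an added example, not part of the original query: it runs the same arg_max step over constructed rows (every UPN, timestamp and flag combination is made up) and compares reading only the first UserAccountControl element with searching the whole array. The 30-day filter is left out because the sample timestamps are fixed.

```kusto
// Constructed sample rows standing in for IdentityInfo; all values are made up.
let SampleIdentityInfo = datatable(TimeGenerated:datetime, AccountUPN:string, UserAccountControl:dynamic)
[
    // alice: flag was set in an older record and is gone in the newest one
    datetime(2022-06-01), "alice@contoso.example", dynamic(["PasswordNotRequired"]),
    datetime(2022-06-20), "alice@contoso.example", dynamic(["NormalAccount"]),
    // bob: flag is present but is not the first element of the array
    datetime(2022-06-10), "bob@contoso.example",   dynamic(["AccountDisabled", "PasswordNotRequired"]),
    // carol: flag is the first of two elements
    datetime(2022-06-12), "carol@contoso.example", dynamic(["PasswordNotRequired", "PasswordNeverExpires"]),
    // dave: flag never set
    datetime(2022-06-15), "dave@contoso.example",  dynamic(["NormalAccount", "PasswordNeverExpires"])
];
SampleIdentityInfo
// Keep only the most recent record per account, as the query on this page does
| summarize arg_max(TimeGenerated, *) by AccountUPN
// Check 1: compare only the first array element
| extend MatchFirstOnly = tostring(UserAccountControl[0]) == "PasswordNotRequired"
// Check 2: search every element of the array
| extend MatchAnyFlag = tostring(UserAccountControl) has "PasswordNotRequired"
| project AccountUPN, TimeGenerated, UserAccountControl, MatchFirstOnly, MatchAnyFlag
| order by AccountUPN asc
```

Rows where the two Match columns disagree are accounts that a first-element comparison would not report.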

Details


Matt Zorich

Released: June 28, 2022

Tables

IdentityInfo

Keywords

IdentityInfo,TimeGenerated,AccountUPN,UserAccountControl,PasswordNotRequired

Operators

|, where, summarize, arg_max, extend, tostring, ==
