Query Details
//Alert when an Active Directory account is set to password not required
//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent
SecurityEvent
// 4738 = "A user account was changed"; EventID is an integer column, so compare against a number
| where EventID == 4738
// %%2082 is the code Windows writes into UserAccountControl for "'Don't Require Password' - Enabled"
// (the PASSWD_NOTREQD flag being set); `has` matches it as a whole term
| where UserAccountControl has "2082"
| extend Activity = "Account set to password not required"
| project TimeGenerated, Target=TargetAccount, Actor=SubjectAccount, Activity
This query looks for security events in the Windows Security Events data source where an Active Directory account has been set to not require a password. It filters SecurityEvent down to event ID 4738 ("A user account was changed") whose UserAccountControl field contains the code 2082, which is the value Windows logs when the "Don't Require Password" flag is enabled on the account. An account with that flag set may hold an empty password, which is why the change is worth alerting on. The query then adds a column called "Activity" that states the account was set to not require a password and renames the target account (the account whose flag was changed) to Target and the subject account (the account that made the change) to Actor for the final output. Note that accounts created with the flag already set are logged under event ID 4720 rather than 4738, so they are not covered by this query as written.
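The same detection logic applied to a handful of constructed SecurityEvent rows, as an added example rather than part of the original page or the author's query; the account names, timestamps and the JSON-lines shape of the sample are assumptions, and has_term approximates KQL's whole-term `has` matching:

```python
import json
import re
from typing import Dict, Iterable, List

# Codes Windows writes into UserAccountControl for events 4720/4738;
# 2082 is the one the query keys on (only the codes used below are listed).
UAC_CODES = {
    "2080": "'Don't Require Password' - Disabled",
    "2082": "'Don't Require Password' - Enabled",
    "2089": "'Don't Expire Password' - Enabled",
}

# Constructed sample rows in the shape of the SecurityEvent table (not real telemetry).
SAMPLE_LOG = r"""
{"TimeGenerated": "2022-06-17T10:01:00Z", "EventID": 4738, "TargetAccount": "CONTOSO\\svc-backup", "SubjectAccount": "CONTOSO\\jdoe", "UserAccountControl": "%%2082"}
{"TimeGenerated": "2022-06-17T10:02:00Z", "EventID": 4738, "TargetAccount": "CONTOSO\\svc-backup", "SubjectAccount": "CONTOSO\\jdoe", "UserAccountControl": "%%2080"}
{"TimeGenerated": "2022-06-17T10:03:00Z", "EventID": 4720, "TargetAccount": "CONTOSO\\temp01", "SubjectAccount": "CONTOSO\\jdoe", "UserAccountControl": "%%2082"}
{"TimeGenerated": "2022-06-17T10:04:00Z", "EventID": 4738, "TargetAccount": "CONTOSO\\alice", "SubjectAccount": "CONTOSO\\admin", "UserAccountControl": "%%2089"}
"""


def load_sample_events() -> List[Dict]:
    """Parse the JSON-lines sample into SecurityEvent-like dicts."""
    return [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]


def has_term(field: str, term: str) -> bool:
    """Approximate KQL `has`: the term must be a whole token, so
    '%%2082' matches '2082' but '%%12082' does not."""
    pattern = rf"(?<![0-9A-Za-z]){re.escape(term)}(?![0-9A-Za-z])"
    return re.search(pattern, field) is not None


def detect_password_not_required(events: Iterable[Dict]) -> List[Dict]:
    """Mirror the KQL: EventID 4738 and UserAccountControl has 2082,
    then rename columns for the alert output. Event 4720 (account created)
    is deliberately not matched, just as in the query."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4738:
            continue
        if not has_term(ev.get("UserAccountControl", ""), "2082"):
            continue
        alerts.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Target": ev["TargetAccount"],
            "Actor": ev["SubjectAccount"],
            "Activity": "Account set to password not required",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_not_required(load_sample_events()):
        print(alert)
```

Only the first sample row produces an alert: the second clears the flag (2080), the third is an account creation (4720), and the fourth toggles an unrelated flag (2089).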

Matt Zorich
Released: June 17, 2022