Query Details

Identities Set To Password Never Expires With Blast Radius Value Or Tagged As Sensitive

Query

let IdBlastRadiusLow =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "Low"
| extend BlastRadius = "🟨 Low"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let IdBlastRadiusMedium =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "Medium"
| extend BlastRadius = "🟧 Medium"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let IdBlastRadiusHigh =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "High"
| extend BlastRadius = "🟥 High"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let SensitiveAccount =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where Tags != "[]"
| extend Tags = "⚠️ Sensitive Account"
| project AccountDisplayName, AccountName, EmailAddress, Tags;
union isfuzzy=true IdBlastRadiusLow,IdBlastRadiusMedium, IdBlastRadiusHigh, SensitiveAccount
| summarize by AccountDisplayName, AccountName, EmailAddress, BlastRadius, Tags
| sort by AccountDisplayName asc

About this query

Identities set to “Password Never Expires” with Blast Radius value or tagged as Sensitive

Description

The following query will take advantage of the recently introduced IdentityInfo table and will identify enabled accounts that are set with no password expiration that either have a Blast Radius value or are tagged as Sensitive. Results will return accounts that should be further investigated whether the pose a risk or not.

Defender XDR

Versioning

VersionDateComments
1.016/05/2025Initial publish

Explanation

This query is designed to identify user accounts that are enabled and have the "Password Never Expires" setting. It focuses on accounts that either have a specified "Blast Radius" value (indicating the potential impact of a security breach) or are tagged as "Sensitive." The query categorizes these accounts based on their blast radius level (Low, Medium, or High) and identifies sensitive accounts separately. The results include the account's display name, account name, email address, and either the blast radius or sensitivity tag. The final output is sorted by the account display name for easier review. This helps in identifying accounts that may pose a security risk and require further investigation.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: May 17, 2025

Tables

IdentityInfo

Keywords

IdentityInfo

Operators

letIdentityInfowhereparse_jsonextendprojectunionisfuzzysummarizebysortasc

Actions

GitHub