Query Details

Identities Set To Password Never Expires With Blast Radius Value Or Tagged As Sensitive

Query

# Identities set to “Password Never Expires” with Blast Radius value or tagged as Sensitive

# Description

The following query takes advantage of the recently introduced IdentityInfo table and identifies enabled accounts that are set with no password expiration and that either have a Blast Radius value or are tagged as Sensitive. Results may return accounts that should be further investigated to decide whether they pose a risk or not.

### Defender XDR
```kql
// Each branch starts from IdentityInfo, keeps enabled accounts whose
// UserAccountControl flags include PasswordNeverExpires, filters on one
// risk attribute and relabels that attribute for the combined output.
// Note: indexing [1] assumes PasswordNeverExpires is the second flag in the
// UserAccountControl array; a position-independent check such as
// `UserAccountControl has "PasswordNeverExpires"` would also catch accounts
// where the flag sits elsewhere in the array.
let IdBlastRadiusLow =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "Low"
| extend BlastRadius = "🟨 Low"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let IdBlastRadiusMedium =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "Medium"
| extend BlastRadius = "🟧 Medium"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
let IdBlastRadiusHigh =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where BlastRadius == "High"
| extend BlastRadius = "🟥 High"
| project AccountDisplayName, AccountName, EmailAddress, BlastRadius;
// Tags != "[]" keeps every account with at least one tag, not only the
// Sensitive tag; all of them receive the Sensitive Account label.
let SensitiveAccount =
IdentityInfo
| where IsAccountEnabled == "1"
| where parse_json(UserAccountControl)[1] == 'PasswordNeverExpires'
| where Tags != "[]"
| extend Tags = "⚠️ Sensitive Account"
| project AccountDisplayName, AccountName, EmailAddress, Tags;
// union isfuzzy=true tolerates a branch that yields no rows; summarize
// de-duplicates, so an account with both a Blast Radius value and a tag
// appears once per category.
union isfuzzy=true IdBlastRadiusLow, IdBlastRadiusMedium, IdBlastRadiusHigh, SensitiveAccount
| summarize by AccountDisplayName, AccountName, EmailAddress, BlastRadius, Tags
| sort by AccountDisplayName asc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 16/05/2025    | Initial publish                        |

Explanation

This query is designed to identify user accounts that are enabled, have the "Password Never Expires" setting, and are either associated with a "Blast Radius" value or tagged as "Sensitive." Here's a simple breakdown of what the query does:

1. Data Source: It uses the IdentityInfo table, which contains information about user accounts.
2. Enabled Accounts: It filters for accounts that are currently enabled.
3. Password Never Expires: It specifically looks for accounts where the password is set to never expire.
4. Blast Radius:
   - It categorizes accounts based on their "Blast Radius," which indicates the potential impact or risk level if the account is compromised.
   - It identifies accounts with "Low," "Medium," and "High" blast radius values and labels them with corresponding symbols (🟨 for Low, 🟧 for Medium, 🟥 for High).
5. Sensitive Accounts:
   - It also identifies accounts that are tagged as "Sensitive" and labels them with a warning symbol (⚠️).
6. Combining Results:
   - It combines the results from the different categories (Low, Medium, High blast radius, and Sensitive accounts) into a single list.
   - The results are summarized to avoid duplicates and sorted alphabetically by the account display name.

The purpose of this query is to help identify accounts that may require further investigation due to their potential risk, either because they have a significant blast radius or are marked as sensitive.
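The following Python script is an added example, not part of the original query page or the author's work. It replays the same filters over a handful of constructed IdentityInfo-shaped rows (column names follow the schema the query selects from; the account values are invented) so the logic can be checked offline. It goes slightly beyond the query in two ways: `password_never_expires` tests for flag membership rather than the array position `[1]`, and `positional_flag_check` reproduces the positional test so the difference on differently ordered flag arrays is visible; it also merges an account's Blast Radius label and Sensitive label into one row, whereas the query emits one row per category.

```python
import json

# Constructed sample rows shaped like Defender XDR IdentityInfo records.
# All values are invented for this example.
SAMPLE_IDENTITYINFO = [
    {   # enabled, never-expiring password, High blast radius, no tags -> reported
        "AccountDisplayName": "Alice Example", "AccountName": "alice",
        "EmailAddress": "alice@example.com", "IsAccountEnabled": True,
        "UserAccountControl": '["NormalAccount","PasswordNeverExpires"]',
        "BlastRadius": "High", "Tags": "[]",
    },
    {   # flag listed first, Low blast radius and Sensitive tag -> reported
        "AccountDisplayName": "Bob Example", "AccountName": "bob",
        "EmailAddress": "bob@example.com", "IsAccountEnabled": True,
        "UserAccountControl": '["PasswordNeverExpires","NormalAccount"]',
        "BlastRadius": "Low", "Tags": '["Sensitive"]',
    },
    {   # disabled account -> excluded
        "AccountDisplayName": "Carol Example", "AccountName": "carol",
        "EmailAddress": "carol@example.com", "IsAccountEnabled": False,
        "UserAccountControl": '["NormalAccount","PasswordNeverExpires"]',
        "BlastRadius": "High", "Tags": '["Sensitive"]',
    },
    {   # password expires normally -> excluded
        "AccountDisplayName": "Dave Example", "AccountName": "dave",
        "EmailAddress": "dave@example.com", "IsAccountEnabled": True,
        "UserAccountControl": '["NormalAccount"]',
        "BlastRadius": "Medium", "Tags": "[]",
    },
    {   # no blast radius value but tagged Sensitive -> reported
        "AccountDisplayName": "Eve Example", "AccountName": "eve",
        "EmailAddress": "eve@example.com", "IsAccountEnabled": True,
        "UserAccountControl": '["NormalAccount","PasswordNeverExpires"]',
        "BlastRadius": "", "Tags": '["Sensitive"]',
    },
]

BLAST_RADIUS_LABELS = {"Low": "🟨 Low", "Medium": "🟧 Medium", "High": "🟥 High"}
SENSITIVE_LABEL = "⚠️ Sensitive Account"


def uac_flags(user_account_control):
    """Parse the UserAccountControl JSON array into a list of flag names."""
    if not user_account_control:
        return []
    if isinstance(user_account_control, str):
        return json.loads(user_account_control)
    return list(user_account_control)


def positional_flag_check(user_account_control):
    """Mirror the query's parse_json(UserAccountControl)[1] test: only the
    second element is inspected, so other flag orderings are missed."""
    flags = uac_flags(user_account_control)
    return len(flags) > 1 and flags[1] == "PasswordNeverExpires"


def password_never_expires(user_account_control):
    """Position-independent membership test over the parsed flag array."""
    return "PasswordNeverExpires" in uac_flags(user_account_control)


def is_sensitive(tags):
    """True when the Tags array contains the Sensitive tag (the query's
    Tags != "[]" test fires on any non-empty tag list)."""
    parsed = json.loads(tags) if isinstance(tags, str) else (tags or [])
    return "Sensitive" in parsed


def find_risky_identities(rows):
    """Apply the query's filters and return one merged row per account,
    sorted by display name, with the labelled columns the query emits."""
    findings = {}
    for row in rows:
        if not row.get("IsAccountEnabled"):
            continue
        if not password_never_expires(row.get("UserAccountControl")):
            continue
        blast_label = BLAST_RADIUS_LABELS.get(row.get("BlastRadius"), "")
        tag_label = SENSITIVE_LABEL if is_sensitive(row.get("Tags")) else ""
        if not blast_label and not tag_label:
            continue  # neither risk attribute applies
        key = (row["AccountDisplayName"], row["AccountName"], row["EmailAddress"])
        findings[key] = {
            "AccountDisplayName": key[0], "AccountName": key[1],
            "EmailAddress": key[2], "BlastRadius": blast_label, "Tags": tag_label,
        }
    return sorted(findings.values(), key=lambda r: r["AccountDisplayName"])


if __name__ == "__main__":
    for finding in find_risky_identities(SAMPLE_IDENTITYINFO):
        print(finding)
```

Running the script reports Alice, Bob and Eve; Carol is dropped as disabled and Dave because his password expires. Bob is the case to note: the positional `[1]` test misses him because `PasswordNeverExpires` is the first flag in his array, while the membership test keeps him.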

Details


Michalis Michalos

Released: May 16, 2025

Tables

IdentityInfo

Keywords

IdentityInfo

Operators

let, |, where, parse_json(), ==, extend, project, union, isfuzzy=true, summarize by, sort by, asc
