Forum Discussion
KQL for a list of service accounts with password never expires.
Hi
Can someone please help me with how to write a KQL query to get a list of all service accounts which are set to "password never expires"?
Thank you for your time.
2 Replies
- malvarezz (Copper Contributor)
As long as 'UserAccountControl' is being parsed from IdentityInfo,
use this:
IdentityInfo
| where OnPremisesDistinguishedName contains "Service" and OnPremisesDistinguishedName contains "account"
| where UserAccountControl has "PasswordNeverExpires"
| summarize arg_max(TimeGenerated, *) by AccountName
| project AccountName, AccountCreationTime, AccountDomain, AccountUPN, OnPremisesDistinguishedName, UserAccountControl
Set the time range to go as far back as you can.
- Clive_Watson (Bronze Contributor)
It depends on what tables you have; here are two examples, but you'll have to add the service account filter, which will be to look for them starting with "svc-" (best practice):
Azure-Sentinel/password_never_expires.yaml at c6dce9c3aa4d4b4d02423ac4eb5a6b677a39e432 · Azure/Azure-Sentinel (github.com)
or
Sentinel-Queries/IdentityDirectoryEvents-PasswordSettoNeverExpire.kql at be2948cc572879e77dc1d2514447c24da4322bc2 · reprise99/Sentinel-Queries (github.com)
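The query below is an added example combining the two approaches from the replies above (the OU-based filter in the first reply and the "svc-" naming convention in the second); it is not code from either poster or from the linked repositories. It assumes the IdentityInfo columns named in the first reply (AccountName, AccountDomain, AccountUPN, OnPremisesDistinguishedName, UserAccountControl, TimeGenerated), that "svc-" is your local naming prefix, and that "AccountDisabled" is a flag value present in UserAccountControl (an assumption, check your own data).

```kql
// Added example, not from the original replies.
// Assumptions: IdentityInfo carries the columns used in the first reply;
// "svc-" is the site's service account prefix; the "AccountDisabled"
// UserAccountControl value is assumed and should be verified in your tenant.
let lookback = 90d;          // widen to match the retention you actually have
let svcPrefix = "svc-";      // naming convention suggested in the second reply
IdentityInfo
| where TimeGenerated > ago(lookback)
// Keep only the most recent snapshot of each account before filtering, so an
// account whose flag was later cleared is judged on its current state.
| summarize arg_max(TimeGenerated, *) by AccountName
// Tag which selection rule identified the row as a service account.
| extend MatchedBy = case(
    AccountName startswith svcPrefix, "NamePrefix",
    OnPremisesDistinguishedName contains "Service" and OnPremisesDistinguishedName contains "account", "DistinguishedName",
    "None")
| where MatchedBy != "None"
| where UserAccountControl has "PasswordNeverExpires"
// Disabled accounts still carry the flag; surface that so they can be triaged separately.
| extend IsDisabled = UserAccountControl has "AccountDisabled"   // assumed flag name
| project TimeGenerated, AccountName, AccountDomain, AccountUPN, OnPremisesDistinguishedName, MatchedBy, IsDisabled, UserAccountControl
| sort by AccountDomain asc, AccountName asc
```

Running summarize arg_max before the flag filter differs from the first reply's ordering: it reports accounts whose latest record has the flag set, rather than any account that had it at some point in the lookback window, which is usually what you want for a current-state review.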