Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AD user enabled and password not set within 48 hours

AD user enabled and password not set within 48 hours

Back
Id62085097-d113-459f-9ea7-30216f2ee6af
RulenameAD user enabled and password not set within 48 hours
DescriptionIdentifies when an account is enabled with a default password and the password is not set by the user within 48 hours.

Effectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which

indicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur

after 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.

It is recommended that this time period is adjusted per your internal company policy.
SeverityLow
TacticsPersistence
TechniquesT1098
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period3d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml
Version1.0.3
Arm template62085097-d113-459f-9ea7-30216f2ee6af.json
Deploy To Azure
let starttime = 3d;
let SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)
| where EventID in (4722,4723) | where TargetUserName !endswith "$"
| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);
let userEnable = SecEvents
| extend EventID4722Time = TimeGenerated
// 4722: User Account Enabled
| where EventID == 4722
| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;
let userPwdSet = SecEvents
// 4723: Attempt made by user to set password
| where EventID == 4723
| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;
userEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid
| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)
| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)
| project-away TargetAccount1, TargetSid1
| extend Reason = @"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours"
| order by Time_Event4722 asc
| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid
| extend HostName = tostring(split(Computer_4722, ".")[0]), DomainIndex = toint(indexof(Computer_4722, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer_4722, DomainIndex + 1), Computer_4722)
| extend AccountName = tostring(split(TargetAccount, "\\")[1]), AccountNTDomain = tostring(split(TargetAccount, "\\")[0])
| project-away DomainIndex

triggerOperator: gt
queryFrequency: 1d
description: |
  'Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.
  Effectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which
  indicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur
  after 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.
  It is recommended that this time period is adjusted per your internal company policy.'  
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
version: 1.0.3
queryPeriod: 3d
name: AD user enabled and password not set within 48 hours
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml
id: 62085097-d113-459f-9ea7-30216f2ee6af
tactics:
- Persistence
relevantTechniques:
- T1098
severity: Low
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
  entityType: Account
- fieldMappings:
  - identifier: Sid
    columnName: TargetSid
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
query: |
  let starttime = 3d;
  let SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)
  | where EventID in (4722,4723) | where TargetUserName !endswith "$"
  | project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);
  let userEnable = SecEvents
  | extend EventID4722Time = TimeGenerated
  // 4722: User Account Enabled
  | where EventID == 4722
  | project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;
  let userPwdSet = SecEvents
  // 4723: Attempt made by user to set password
  | where EventID == 4723
  | project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;
  userEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid
  | extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)
  | where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)
  | project-away TargetAccount1, TargetSid1
  | extend Reason = @"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours"
  | order by Time_Event4722 asc
  | project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid
  | extend HostName = tostring(split(Computer_4722, ".")[0]), DomainIndex = toint(indexof(Computer_4722, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer_4722, DomainIndex + 1), Computer_4722)
  | extend AccountName = tostring(split(TargetAccount, "\\")[1]), AccountNTDomain = tostring(split(TargetAccount, "\\")[0])
  | project-away DomainIndex  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/62085097-d113-459f-9ea7-30216f2ee6af')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/62085097-d113-459f-9ea7-30216f2ee6af')]",
      "properties": {
        "alertRuleTemplateName": "62085097-d113-459f-9ea7-30216f2ee6af",
        "customDetails": null,
        "description": "'Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\nIt is recommended that this time period is adjusted per your internal company policy.'\n",
        "displayName": "AD user enabled and password not set within 48 hours",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetSid",
                "identifier": "Sid"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/password_not_set.yaml",
        "query": "let starttime = 3d;\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\n| where EventID in (4722,4723) | where TargetUserName !endswith \"$\"\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\nlet userEnable = SecEvents\n| extend EventID4722Time = TimeGenerated\n// 4722: User Account Enabled\n| where EventID == 4722\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\nlet userPwdSet = SecEvents\n// 4723: Attempt made by user to set password\n| where EventID == 4723\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\n| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)\n| project-away TargetAccount1, TargetSid1\n| extend Reason = @\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\"\n| order by Time_Event4722 asc\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\n| extend HostName = tostring(split(Computer_4722, \".\")[0]), DomainIndex = toint(indexof(Computer_4722, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer_4722, DomainIndex + 1), Computer_4722)\n| extend AccountName = tostring(split(TargetAccount, \"\\\\\")[1]), AccountNTDomain = tostring(split(TargetAccount, \"\\\\\")[0])\n| project-away DomainIndex\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P3D",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}