← Library
splApache-2.0from splunk/security_content

Crowdstrike Admin Weak Password Policy

The following analytic detects CrowdStrike alerts for admin weak password policy violations, identifying instances where administrative passwords do not meet security standards. These alerts highlight significant vulnerabilities that could be exploited by attackers to gain unauthorized access. Promptly addressing these alerts is crucial for maintaining robust security and protecting critical systems and data from potential threats.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/crowdstrike_admin_weak_password_policy.yml
`crowdstrike_identities` primaryDisplayName = "*admin*"
  | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY domain dn primaryDisplayName
       risk_type severity riskScore
       riskScoreSeverity user role_type
  | where risk_type = "WEAK_PASSWORD_POLICY"
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `crowdstrike_admin_weak_password_policy_filter`