splApache-2.0from splunk/security_content
Crowdstrike Admin With Duplicate Password
The following analytic detects CrowdStrike alerts for admin accounts with duplicate password risk, identifying instances where administrative users share the same password. This practice significantly increases the risk of unauthorized access and potential breaches. Addressing these alerts promptly is crucial for maintaining strong security protocols, ensuring each admin account uses a unique, secure password to protect critical systems and data.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/crowdstrike_admin_with_duplicate_password.yml
`crowdstrike_identities` primaryDisplayName = "*admin*"
| rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY domain dn primaryDisplayName
risk_type severity riskScore
riskScoreSeverity user role_type
| where risk_type = "DUPLICATE_PASSWORD"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `crowdstrike_admin_with_duplicate_password_filter`