← Library
splApache-2.0from splunk/security_content

Crowdstrike User Weak Password Policy

The following analytic detects CrowdStrike alerts for weak password policy violations, identifying instances where passwords do not meet the required security standards. These alerts highlight potential vulnerabilities that could be exploited by attackers, emphasizing the need for stronger password practices. Addressing these alerts promptly helps to enhance overall security and protect sensitive information from unauthorized access.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/crowdstrike_user_weak_password_policy.yml
`crowdstrike_identities`  primaryDisplayName != "*admin*"
  | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY domain dn primaryDisplayName
       risk_type severity riskScore
       riskScoreSeverity user role_type
  | where risk_type = "WEAK_PASSWORD_POLICY"
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `crowdstrike_user_weak_password_policy_filter`