SPL, Apache-2.0, from splunk/security_content

Crowdstrike User with Duplicate Password

The following analytic detects CrowdStrike alerts for non-admin accounts with duplicate password risk, identifying instances where multiple non-admin users share the same password. This practice weakens security and increases the potential for unauthorized access. Addressing these alerts is essential to ensure each user account has a unique, strong password, thereby enhancing overall security and protecting sensitive information.

Quality: 59
Rule source: detections/endpoint/crowdstrike_user_with_duplicate_password.yml
`crowdstrike_identities` primaryDisplayName != "*admin*"
  | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY domain dn primaryDisplayName
       risk_type severity riskScore
       riskScoreSeverity user role_type
  | where risk_type = "DUPLICATE_PASSWORD"
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `crowdstrike_user_with_duplicate_password_filter`
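As an added example that is not part of the splunk/security_content project, the same detection logic in Python over constructed CrowdStrike identity records, assuming the field layout the SPL renames (riskFactors{}, roles{}, accounts{}); the `*admin*` exclusion is matched case-insensitively to mirror Splunk's search-time matching.

```python
"""Python re-implementation of the SPL detection above (added example)."""
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample of CrowdStrike identity records, not real data.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "primaryDisplayName": "alice", "riskScore": 0.7,
     "riskScoreSeverity": "HIGH",
     "riskFactors": [{"type": "DUPLICATE_PASSWORD", "severity": "HIGH"}],
     "roles": [{"type": "HUMAN_USER"}],
     "accounts": [{"domain": "corp.example", "dn": "CN=alice,OU=Users,DC=corp",
                   "samAccountName": "alice"}]},
    # Second observation of the same finding: aggregated, not duplicated.
    {"_time": 1700003600, "primaryDisplayName": "alice", "riskScore": 0.7,
     "riskScoreSeverity": "HIGH",
     "riskFactors": [{"type": "DUPLICATE_PASSWORD", "severity": "HIGH"}],
     "roles": [{"type": "HUMAN_USER"}],
     "accounts": [{"domain": "corp.example", "dn": "CN=alice,OU=Users,DC=corp",
                   "samAccountName": "alice"}]},
    # Different risk type: dropped by the `where risk_type = ...` clause.
    {"_time": 1700007200, "primaryDisplayName": "bob", "riskScore": 0.3,
     "riskScoreSeverity": "LOW",
     "riskFactors": [{"type": "STALE_ACCOUNT", "severity": "LOW"}],
     "roles": [{"type": "HUMAN_USER"}],
     "accounts": [{"domain": "corp.example", "dn": "CN=bob,OU=Users,DC=corp",
                   "samAccountName": "bob"}]},
    # Admin-named identity: excluded by the base search, even with the risk.
    {"_time": 1700010800, "primaryDisplayName": "svc-admin", "riskScore": 0.9,
     "riskScoreSeverity": "HIGH",
     "riskFactors": [{"type": "DUPLICATE_PASSWORD", "severity": "HIGH"}],
     "roles": [{"type": "SERVICE_ACCOUNT"}],
     "accounts": [{"domain": "corp.example", "dn": "CN=svc-admin,OU=Svc,DC=corp",
                   "samAccountName": "svc-admin"}]},
]

FIELDS = ("domain", "dn", "primaryDisplayName", "risk_type", "severity",
          "riskScore", "riskScoreSeverity", "user", "role_type")

def duplicate_password_findings(events, risk_type="DUPLICATE_PASSWORD"):
    """Group matching events like the SPL `stats ... BY` and return one row per key."""
    groups = defaultdict(list)
    for ev in events:
        name = ev.get("primaryDisplayName", "")
        if fnmatch(name.lower(), "*admin*"):  # primaryDisplayName != "*admin*"
            continue
        roles = [r.get("type") for r in ev.get("roles", [])] or [None]
        for rf in ev.get("riskFactors", []):
            if rf.get("type") != risk_type:  # where risk_type = "DUPLICATE_PASSWORD"
                continue
            # One row per account/role combination approximates multivalue BY fields.
            for acct in ev.get("accounts", []) or [{}]:
                for role in roles:
                    key = (acct.get("domain"), acct.get("dn"), name, risk_type,
                           rf.get("severity"), ev.get("riskScore"),
                           ev.get("riskScoreSeverity"), acct.get("samAccountName"), role)
                    groups[key].append(ev["_time"])
    return [dict(zip(FIELDS, key), count=len(ts), firstTime=min(ts), lastTime=max(ts))
            for key, ts in sorted(groups.items(), key=str)]
```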