Name:Crowdstrike User with Duplicate Password id:386dd914-16e5-400b-9bf6-25572cc4415a version:3 date:2024-11-13 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic detects CrowdStrike alerts for non-admin accounts with duplicate password risk, identifying instances where multiple non-admin users share the same password. This practice weakens security and increases the potential for unauthorized access. Addressing these alerts is essential to ensure each user account has a unique, strong password, thereby enhancing overall security and protecting sensitive information. Data_source:
search:`crowdstrike_identities` primaryDisplayName != "*admin*" | rename riskFactors{}.severity as severity, riskFactors{}.type as risk_type, roles{}.type as role_type, accounts{}.domain as domain, accounts{}.dn as dn, accounts{}.samAccountName as user | stats count min(_time) as firstTime max(_time) as lastTime by domain dn primaryDisplayName risk_type severity riskScore riskScoreSeverity user role_type | where risk_type = "DUPLICATE_PASSWORD" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crowdstrike_user_with_duplicate_password_filter`
how_to_implement:To implement crowdstrike:identities logs, use the Falcon Streaming API. Set up an API client, authenticate with your CrowdStrike credentials, and subscribe to the "crowdstrike:identities" event stream. Process and store the logs as needed, integrating them into your logging or SIEM system for monitoring and analysis. known_false_positives:unknown References: -https://www.crowdstrike.com/wp-content/uploads/2022/12/CrowdStrike-Falcon-Event-Streams-Add-on-Guide-v3.pdf drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Compromised Windows Host' asset_type:Endpoint mitre_attack_id: - 'T1110' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
