Anyone please help with setting up an alarm for a password set to never expire on Windows 2003 and before.
I know with Windows 2008 you use the SID=43-263047380 and event_class (In) [Don't Expire Password - Enabled], but what about on Windows Server 2003 and before?
1 - connect the SIEM with the AD (that is a separate article)
2 - create a watchlist with the next configurations:
1 - set to dynamic, and Hourly at specified minutes - 45 minutes
2 - in the Source tab configure the LDAP source type
3 - in the Query tab paste in the Lookup Attribute - sAMAccountName
and in the Query Pate -
4 - in the Values tab set the type to - Source User
After testing the communication, saving, etc., create a correlation rule triggering when the Source User is in the watchlist created above.
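
An added example, not part of the original posts: a Python model of what the watchlist and correlation rule described above compute, run over constructed directory entries and events. The LDAP filter (the `userAccountControl` DONT_EXPIRE_PASSWORD bit, 65536, tested with Active Directory's bitwise-AND matching rule) is an assumption and not the poster's query; the function names and the `src_user` event field are hypothetical.

```python
# Added example: names and sample data are constructed, not taken from the thread.
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit, decimal 65536
ACCOUNTDISABLE = 0x0002         # userAccountControl bit for a disabled account

# Assumed LDAP filter for the watchlist source (not the poster's query):
# users whose userAccountControl has the 65536 bit set.
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(userAccountControl:1.2.840.113556.1.4.803:=65536))")

# Constructed directory entries; LDAP usually returns attribute values as strings.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "svc_backup", "userAccountControl": "66048"},
    {"sAMAccountName": "old_admin", "userAccountControl": "66050"},
    {"sAMAccountName": "broken", "userAccountControl": "n/a"},
]

# Constructed events carrying a hypothetical "src_user" field.
SAMPLE_EVENTS = [
    {"id": 1, "src_user": "CORP\\SVC_Backup"},
    {"id": 2, "src_user": "alice"},
    {"id": 3, "src_user": None},
]

def build_watchlist(entries, include_disabled=False):
    """Return lowercased sAMAccountName values with 'password never expires' set."""
    watchlist = set()
    for entry in entries:
        try:
            uac = int(entry["userAccountControl"])
        except (KeyError, TypeError, ValueError):
            continue  # skip entries with a missing or malformed attribute
        if not uac & DONT_EXPIRE_PASSWORD:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue  # disabled accounts cannot log on; optionally keep them
        name = entry.get("sAMAccountName")
        if name:
            watchlist.add(name.lower())
    return watchlist

def correlate(events, watchlist):
    """Return the events whose source user (DOMAIN\\ prefix stripped) is watchlisted."""
    hits = []
    for event in events:
        user = (event.get("src_user") or "").rsplit("\\", 1)[-1].lower()
        if user in watchlist:
            hits.append(event)
    return hits
```
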