The logic should not be difficult. You can use an AND operator with its components in sequence, the first component being the signature id 43-263047230 and the second component being the same, but negated. You would then change the time window of the parent AND to 30 days. But as of now (as far as I am aware) the maximum time window supported in a correlation rule is 168 hours, i.e. 7 days. Hence, I am not sure how to specify the time window as 30 days.
Thanks, yes, the problem is the limited time windows.
You can use the PwdLastSet attribute in Windows AD, but that requires a conversion from Microsoft time to current time. You run into significant memory issues when you set a correlation time parameter to the max, as it must keep that in memory.
You could create a watchlist based on the signature, keeping track of the user. I would try setting the expiration on the watchlist to 30 days. If the password expiration is set to 30 days, and the user changes his password, the list should contain all users who regularly change their password within the time frame. A query showing users not in that list should give those who have not changed their password. I can't guarantee that; I haven't tried it.
Better question is: are you looking for accounts that have a password that doesn't expire? That is much easier to do.
Hi rgarett, can you expand on how you'd go about gathering a list of accounts with passwords that do not expire?
The query you want to run is: (&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))
&( = you need this because you are looking for users AND specific values
objectCategory=User = we limit the query to only users
(userAccountControl:1.2.840.113556.1.4.803:=65536) = return only users for which the user account control flag 65536 is on.
This will give you an AD list of all users with passwords that don't expire.
Create a dynamic watchlist, and use LDAP. Use the IP of the domain controller, and a user that can read the tree.
Add the LDAP query, test and save
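As an added example (not code from the thread or from the SIEM product discussed), the following Python script shows what the two ideas above actually compute: the LDAP bit-AND filter from rgarett's post (userAccountControl bit 65536 = DONT_EXPIRE_PASSWORD, matching rule OID 1.2.840.113556.1.4.803) and the pwdLastSet conversion from Windows FILETIME that the earlier reply mentions, combined into a 30-day stale-password report. The sample AD records, the account names and the fixed "now" timestamp are constructed for the example; it evaluates the filter locally rather than querying a domain controller.

```python
"""Classify AD accounts by password age using pwdLastSet and the
DONT_EXPIRE_PASSWORD bit of userAccountControl.

Added example; sample records below are constructed, not real accounts.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit 0x10000 (decimal 65536) = DONT_EXPIRE_PASSWORD
DONT_EXPIRE_PASSWORD = 0x10000

# LDAP_MATCHING_RULE_BIT_AND: the filter matches when every bit of the
# given value is set in the attribute (a bitwise AND test, not equality)
BIT_AND_OID = "1.2.840.113556.1.4.803"

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def never_expires_filter() -> str:
    """Build the filter for accounts whose password never expires."""
    return (f"(&(objectCategory=User)"
            f"(userAccountControl:{BIT_AND_OID}:={DONT_EXPIRE_PASSWORD}))")


def filetime_to_datetime(filetime: int):
    """Convert pwdLastSet (FILETIME) to an aware datetime.

    pwdLastSet of 0 means the password was never set or must be changed
    at next logon, so there is no date to convert; return None.
    """
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here to build the constructed sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def bit_and_matches(attribute_value: int, mask: int) -> bool:
    """Local equivalent of the :1.2.840.113556.1.4.803:= matching rule."""
    return attribute_value & mask == mask


def accounts_matching_filter(records) -> list:
    """Names the LDAP filter above would return, evaluated locally."""
    return sorted(r["sAMAccountName"] for r in records
                  if bit_and_matches(r["userAccountControl"], DONT_EXPIRE_PASSWORD))


def classify(record, now: datetime, max_age_days: int = 30) -> str:
    """never_expires / unset / stale / fresh for one account record."""
    if bit_and_matches(record["userAccountControl"], DONT_EXPIRE_PASSWORD):
        return "never_expires"
    last_set = filetime_to_datetime(record["pwdLastSet"])
    if last_set is None:
        return "unset"
    return "stale" if now - last_set > timedelta(days=max_age_days) else "fresh"


def report(records, now: datetime, max_age_days: int = 30) -> dict:
    """Map each sAMAccountName to its password-age classification."""
    return {r["sAMAccountName"]: classify(r, now, max_age_days) for r in records}


# Constructed sample data: a fixed "now" and four hypothetical accounts.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "userAccountControl": 512,          # normal account
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "bob", "userAccountControl": 512,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=45))},
    {"sAMAccountName": "svc_backup", "userAccountControl": 512 | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "pwdLastSet": 0},                                               # must change at next logon
]

if __name__ == "__main__":
    print(never_expires_filter())
    print("never expires:", accounts_matching_filter(SAMPLE_RECORDS))
    for name, status in report(SAMPLE_RECORDS, NOW).items():
        print(f"{name:12s} {status}")
```

Note that svc_backup is reported as "never_expires" even though its pwdLastSet is over a year old: the 30-day age check only means something for accounts without the DONT_EXPIRE_PASSWORD bit, which is why the two lists are worth keeping separate in a watchlist.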