Tenable.ad LSASS Memory

Back


Id	6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf
Rulename	Tenable.ad LSASS Memory
Description	Searches for OS Credentials dumping attacks.
Severity	High
Tactics	CredentialAccess
Techniques	T1003.001
Required data connectors	Tenable.ad
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
Version	1.0.0
Arm template	6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf.json

KQL

// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
// Then, create the Kusto Function with alias afad_parser
afad_parser
  | where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"

YAML

name: Tenable.ad LSASS Memory
query: |
  // For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
  // Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
  // Then, create the Kusto Function with alias afad_parser
  afad_parser
    | where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
queryFrequency: 2h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Tenable_ad_CL
  connectorId: Tenable.ad
version: 1.0.0
queryPeriod: 2h
id: 6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf
triggerOperator: gt
entityMappings: 
relevantTechniques:
- T1003.001
severity: High
description: |
    'Searches for OS Credentials dumping attacks.'
kind: Scheduled
tactics:
- CredentialAccess

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Tenable.ad LSASS Memory",
        "description": "'Searches for OS Credentials dumping attacks.'\n",
        "severity": "High",
        "enabled": true,
        "query": "// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace\n// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql\n// Then, create the Kusto Function with alias afad_parser\nafad_parser\n  | where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1003.001"
        ],
        "alertRuleTemplateName": "6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf",
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml"
      }
    }
  ]
}