Tenable.ad LSASS Memory

Back


Id	6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf
Rulename	Tenable.ad LSASS Memory
Description	Searches for OS Credentials dumping attacks.
Severity	High
Tactics	CredentialAccess
Techniques	T1003.001
Required data connectors	Tenable.ad
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
Version	1.0.0
Arm template	6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf.json

KQL

// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
// Then, create the Kusto Function with alias afad_parser
afad_parser
  | where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"

YAML

version: 1.0.0
name: Tenable.ad LSASS Memory
severity: High
queryFrequency: 2h
kind: Scheduled
queryPeriod: 2h
description: |
    'Searches for OS Credentials dumping attacks.'
query: |
  // For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
  // Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
  // Then, create the Kusto Function with alias afad_parser
  afad_parser
    | where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"  
tactics:
- CredentialAccess
triggerOperator: gt
entityMappings: 
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml
requiredDataConnectors:
- connectorId: Tenable.ad
  dataTypes:
  - Tenable_ad_CL
relevantTechniques:
- T1003.001
id: 6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Tenable.ad LSASS Memory",
        "description": "'Searches for OS Credentials dumping attacks.'\n",
        "severity": "High",
        "enabled": true,
        "query": "// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace\n// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql\n// Then, create the Kusto Function with alias afad_parser\nafad_parser\n  | where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1003.001"
        ],
        "alertRuleTemplateName": "6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf",
        "customDetails": null,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdLSASSMemory.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}